Malicious Javascript from MYOB Email Attack

Monitored Processes

Behavior Information - Sequential View

Process #1: cscript.exe

(Host: 258, Network: 6)

Information	Value
ID	#1
File Name	c:\windows\system32\cscript.exe
Command Line	"C:\Windows\System32\CScript.exe" "C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:10, Reason: Analysis Target
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:10:03

OS Process Information

Information	Value
PID	0x9a8
Parent PID	0x55c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9AC 0x 9C0 0x 9C4 0x 9C8 0x 9CC 0x 9D0 0x 9D4 0x 9D8 0x 9E8 0x 9EC 0x 9F8 0x A10 0x A14 0x AA0 0x AA4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00046fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cscript.exe.mui	0x00060000	0x00062fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00200000	0x0027cfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00200000	0x0027cfff	Memory Mapped File	Readable	Region Actions
cscript.exe	0x00200000	0x00213fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x00240000	0x00284fff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00240000	0x00284fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	Readable	Region Actions
tzres.dll	0x00250000	0x00250fff	Memory Mapped File	Readable	Region Actions
wshom.ocx	0x00250000	0x00263fff	Memory Mapped File	Readable	Region Actions
msxml3r.dll	0x00270000	0x00270fff	Memory Mapped File	Readable	Region Actions
msxml3.dll	0x00280000	0x0029afff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	Readable, Writable	Region Actions Download Dump
windowsshell.manifest	0x002c0000	0x002c0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x002e0000	0x002ebfff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x002f0000	0x002f7fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00300000	0x0030ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0032ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x00330fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000450000	0x00450000	0x0054ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000550000	0x00550000	0x006d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x00860fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000870000	0x00870000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001c70000	0x01c70000	0x01d4efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d50000	0x01d50000	0x01daffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d80000	0x01d80000	0x01d8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001da0000	0x01da0000	0x01daffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001de0000	0x01de0000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001e60000	0x01e60000	0x01f5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f80000	0x01f80000	0x0207ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x02080000	0x0234efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002350000	0x02350000	0x023fffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002510000	0x02510000	0x0260ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002610000	0x02610000	0x0360ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003640000	0x03640000	0x0373ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003740000	0x03740000	0x0392ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003740000	0x03740000	0x0383ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003840000	0x03840000	0x038fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003920000	0x03920000	0x0392ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000039e0000	0x039e0000	0x03adffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003af0000	0x03af0000	0x03beffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x03bf0000	0x03caffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003cc0000	0x03cc0000	0x03dbffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000003dc0000	0x03dc0000	0x041b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000041c0000	0x041c0000	0x043bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000043c0000	0x043c0000	0x047bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000047c0000	0x047c0000	0x049bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000049c0000	0x049c0000	0x04ac0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004b10000	0x04b10000	0x0530ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005310000	0x05310000	0x0570ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005710000	0x05710000	0x0595ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005710000	0x05710000	0x0584ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000058e0000	0x058e0000	0x0595ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000059a0000	0x059a0000	0x0696ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006970000	0x06970000	0x0716ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007170000	0x07170000	0x0731ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007170000	0x07170000	0x0727ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000072a0000	0x072a0000	0x0731ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007320000	0x07320000	0x0757ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007320000	0x07320000	0x0747ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007500000	0x07500000	0x0757ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007580000	0x07580000	0x0767ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007680000	0x07680000	0x0864ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008650000	0x08650000	0x09050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009060000	0x09060000	0x0a02ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000000a030000	0x0a030000	0x0affffff	Private Memory	Readable, Writable	Region Actions
private_0x000000000b000000	0x0b000000	0x0b3fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000000b400000	0x0b400000	0x0b742fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000000b750000	0x0b750000	0x0b8effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000b7b0000	0x0b7b0000	0x0b8affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000b900000	0x0b900000	0x0b9fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000ba00000	0x0ba00000	0x0bbeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000baa0000	0x0baa0000	0x0bb1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000bbe0000	0x0bbe0000	0x0bbeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000bbf0000	0x0bbf0000	0x0bceffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000bdb0000	0x0bdb0000	0x0beaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000beb0000	0x0beb0000	0x0bfaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000bfd0000	0x0bfd0000	0x0c0cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000c0d0000	0x0c0d0000	0x0c1cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000c1d0000	0x0c1d0000	0x0c3cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000c3d0000	0x0c3d0000	0x0c4cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000c4d0000	0x0c4d0000	0x0c5cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000c6f0000	0x0c6f0000	0x0c7effff	Private Memory	Readable, Writable	Region Actions Download Dump
user32.dll	0x76b70000	0x76c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c70000	0x76d8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
cscript.exe	0xffa20000	0xffa48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
jscript.dll	0x7fef2fe0000	0x7fef30c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml3.dll	0x7fef3650000	0x7fef3823fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrobj.dll	0x7fef3a00000	0x7fef3a3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fef3a40000	0x7fef3adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrrun.dll	0x7fef3b40000	0x7fef3b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x7fef4f10000	0x7fef4f71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshom.ocx	0x7fef73f0000	0x7fef7417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshext.dll	0x7fef7420000	0x7fef743cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msisip.dll	0x7fef74e0000	0x7fef74eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7fef9be0000	0x7fef9bf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefa710000	0x7fefa727fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefaaf0000	0x7fefab45fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb360000	0x7fefb36afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb370000	0x7fefb396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefb5f0000	0x7fefb7e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbcd0000	0x7fefbcfcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefbea0000	0x7fefbeabfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc2d0000	0x7fefc316fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefc3f0000	0x7fefc44afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc5d0000	0x7fefc5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcba0000	0x7fefcbc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcbd0000	0x7fefcbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefcbe0000	0x7fefcc70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefccc0000	0x7fefccd3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefcce0000	0x7fefcceefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefcd80000	0x7fefcd8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefce30000	0x7fefce69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefce90000	0x7fefcff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd000000	0x7fefd06afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefd0b0000	0x7fefd227fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x7fefd230000	0x7fefd2c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd350000	0x7fefd3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefd3f0000	0x7fefd441fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefd450000	0x7fefe1d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7fefe1e0000	0x7fefe438fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe440000	0x7fefe56cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe570000	0x7fefe772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe860000	0x7fefe968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe970000	0x7fefea0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefea10000	0x7fefeae6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefeaf0000	0x7fefeafdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefeb00000	0x7fefeb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefeb70000	0x7fefebe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefec10000	0x7fefecd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefeec0000	0x7fefeeedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefeef0000	0x7fefeef7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefef00000	0x7fefef1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefef20000	0x7feff049fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff050000	0x7feff09cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff0b0000	0x7feff0b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 52 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\5p5nrg~1\appdata\local\temp\pst790mv.exe	505.50 KB (517632 bytes)	MD5: 39dbb6858f88f7059a28700384c4d0f3 SHA1: fabec36aedbccf2c7a5b0c0e7e8ec7ea64a6a505 SHA256: dc83d603a4589aa8397aba960b132fc7cae24cd7bca4d252616aac2c11beb6f6		File Actions Show Properties Download

Threads

Thread 0x9ac

(Host: 181, Network: 6)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-01-20 17:42:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79170	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0xffa20000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76c70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76c86d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 1, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76c70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x76c8c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 108	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.JS	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.JS, data = JSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\JSFile\ScriptEngine, data = JScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 1627-01-20 17:42:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79482	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7fefe780000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegisterTraceGuidsA, address_out = 0x76daf570	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x7fefe79b5f0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7fefe79c480	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7fefe7a0710	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe570000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObjectContext, address_out = 0x7fefe58c920	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefe570000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefe597490	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 79498	2	Fn
File	Create	filename = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, filename = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, protection = PAGE_READONLY, maximum_size = 7318	1	Fn
Module	Map	C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Unmap	process_name = c:\windows\system32\cscript.exe	1	Fn
System	Get Info	type = System Directory	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7fefe780000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7fefe79e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7fefe79f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7fefe79f660	1	Fn
System	Get Time	type = System Time, time = 1627-01-20 17:42:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79685	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, type = size	1	Fn
File	Read	filename = C:\Users\5P5NRG~1\Desktop\MYOBSU~1.JS, size = 7318, size_out = 7318	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 1627-01-20 17:42:50 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79700	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 79794	1	Fn
System	Get Time	type = Ticks, time = 79810	35	Fn
System	Get Time	type = Ticks, time = 79825	11	Fn
System	Get Time	type = Ticks, time = 79841	6	Fn
System	Get Time	type = Ticks, time = 79856	5	Fn
System	Get Time	type = Ticks, time = 79872	2	Fn
System	Get Time	type = Ticks, time = 79888	4	Fn
System	Get Time	type = Ticks, time = 79903	2	Fn
System	Get Time	type = Ticks, time = 79919	4	Fn
System	Get Time	type = Ticks, time = 79934	2	Fn
System	Get Time	type = Ticks, time = 79950	2	Fn
System	Get Time	type = Ticks, time = 79966	1	Fn
System	Get Time	type = Ticks, time = 79981	3	Fn
System	Get Time	type = Ticks, time = 79997	1	Fn
System	Get Time	type = Ticks, time = 80012	3	Fn
System	Get Time	type = Ticks, time = 80028	3	Fn
System	Get Time	type = Ticks, time = 80044	3	Fn
System	Get Time	type = Ticks, time = 80075	2	Fn
System	Get Time	type = Ticks, time = 80106	2	Fn
System	Get Time	type = Ticks, time = 80122	1	Fn
System	Get Time	type = Ticks, time = 80137	1	Fn
System	Get Time	type = Ticks, time = 80153	1	Fn
System	Get Time	type = Ticks, time = 80168	1	Fn
System	Get Time	type = Ticks, time = 80184	1	Fn
System	Get Time	type = Ticks, time = 80215	1	Fn
System	Get Time	type = Ticks, time = 80231	1	Fn
System	Get Time	type = Ticks, time = 80246	2	Fn
System	Get Time	type = Ticks, time = 80262	2	Fn
System	Get Time	type = Ticks, time = 80278	1	Fn
System	Get Time	type = Ticks, time = 80324	1	Fn
System	Get Time	type = Ticks, time = 80356	1	Fn
System	Get Time	type = Ticks, time = 80387	1	Fn
System	Get Time	type = Ticks, time = 80418	1	Fn
System	Get Time	type = Ticks, time = 80449	1	Fn
System	Get Time	type = Ticks, time = 80480	1	Fn
System	Get Time	type = Ticks, time = 80512	1	Fn
System	Get Time	type = Ticks, time = 80543	1	Fn
System	Get Time	type = Ticks, time = 80574	1	Fn
System	Get Time	type = Ticks, time = 80605	1	Fn
System	Get Time	type = Ticks, time = 80636	1	Fn
System	Get Time	type = Ticks, time = 80683	1	Fn
System	Get Time	type = Ticks, time = 80714	1	Fn
System	Get Time	type = Ticks, time = 80761	1	Fn
System	Get Time	type = Ticks, time = 80808	1	Fn
System	Get Time	type = Ticks, time = 80839	1	Fn
System	Get Time	type = Ticks, time = 80948	1	Fn
System	Get Time	type = Ticks, time = 81089	1	Fn
System	Get Time	type = Ticks, time = 81182	1	Fn
System	Get Time	type = Ticks, time = 81260	1	Fn
System	Get Time	type = Ticks, time = 81354	1	Fn
System	Get Time	type = Ticks, time = 81416	1	Fn
System	Get Time	type = Ticks, time = 81479	1	Fn
System	Get Time	type = Ticks, time = 81557	1	Fn
System	Get Time	type = Ticks, time = 81619	1	Fn
System	Get Time	type = Ticks, time = 81697	1	Fn
System	Get Time	type = Ticks, time = 81760	1	Fn
System	Get Time	type = Ticks, time = 81838	1	Fn
System	Get Time	type = Ticks, time = 81916	1	Fn
System	Get Time	type = Ticks, time = 81978	1	Fn
System	Get Time	type = Ticks, time = 82056	1	Fn
System	Get Time	type = Ticks, time = 82134	1	Fn
System	Get Time	type = Ticks, time = 82228	1	Fn
System	Get Time	type = Ticks, time = 82462	1	Fn
System	Get Time	type = Ticks, time = 82618	1	Fn
System	Get Time	type = Ticks, time = 82789	1	Fn
System	Get Time	type = Ticks, time = 82961	1	Fn
System	Get Time	type = Ticks, time = 83210	1	Fn
System	Get Time	type = Ticks, time = 83382	1	Fn
System	Get Time	type = Ticks, time = 83460	1	Fn
System	Get Time	type = Ticks, time = 83491	1	Fn
System	Get Time	type = Ticks, time = 83507	1	Fn
System	Get Time	type = Ticks, time = 83522	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe570000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefe58a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefe5a2e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 1627-01-20 17:42:54 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 83585	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0xffa20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0xffa21a60	1	Fn
COM	Get Class ID	cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = MSXML2.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = https, server_name = moranaccountants-my.sharepoint.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx	1	Fn
Inet	Send HTTP Request	url = https://moranaccountants-my.sharepoint.com/personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx?docid=03559bd7bd473450fab4c679cae4be913&authkey=AXWiRPNRVvwj9BsVKKyrAsc&e=259ca72ab9534857b5c3964310916b09	1	Fn
System	Get Time	type = Ticks, time = 99606	1	Fn
Inet	Read Response	size_out = 3, data = MZ	1	Fn
System	Get Time	type = Ticks, time = 99653	1	Fn
COM	Get Class ID	cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = Ticks, time = 99731	1	Fn
Inet	Read Response	size_out = 517632	1	Fn Data
System	Get Time	type = Ticks, time = 99762	1	Fn
File	Create	filename = C:\Users\5P5NRG~1\AppData\Local\Temp/pST790mv.exe	1	Fn
File	Write	filename = C:\Users\5P5NRG~1\AppData\Local\Temp/pST790mv.exe, size = 517632	1	Fn Data
Module	Load	module_name = shell32.dll, base_address = 0x7fefd450000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7fefd477c70	1	Fn
Process	Create	process_name = C:\Users\5P5NRG~1\AppData\Local\Temp/pST790mv.exe, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x9c4

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 2840848		1	Fn

Process #3: pst790mv.exe

(Host: 1857, Network: 145)

Information	Value
ID	#3
File Name	c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:09:38

OS Process Information

Information	Value
PID	0xaa8
Parent PID	0x9a8 (c:\windows\system32\cscript.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AAC 0x AB4 0x AB8 0x ABC 0x AC0 0x AC4 0x AC8 0x ACC 0x AD0 0x AD4 0x AD8 0x ADC 0x 5B0 0x 834

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000002b0000	0x002b0000	0x002b6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
oleaccrc.dll	0x002d0000	0x002d0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000300000	0x00300000	0x00300fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000560000	0x00560000	0x00560fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000560000	0x00560000	0x00560fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000570000	0x00570000	0x0066ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000670000	0x00670000	0x007f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x01bfffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c3ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01c40000	0x01c7bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x01c40000	0x01c7bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001c40000	0x01c40000	0x01c40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001c50000	0x01c50000	0x01c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c90000	0x01c90000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c90000	0x01c90000	0x01c98fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001c90000	0x01c90000	0x01c99fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001cb0000	0x01cb0000	0x01ceffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001cf0000	0x01cf0000	0x020e2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000020f0000	0x020f0000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000020f0000	0x020f0000	0x02170fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002180000	0x02180000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021c0000	0x021c0000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002210000	0x02210000	0x0221ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002220000	0x02220000	0x022fefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002300000	0x02300000	0x023fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002500000	0x02500000	0x025fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002600000	0x02600000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002700000	0x02700000	0x02790fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000027b0000	0x027b0000	0x02881fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
sortdefault.nls	0x02890000	0x02b5efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02c5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002c60000	0x02c60000	0x02e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002e60000	0x02e60000	0x02fe8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ff0000	0x02ff0000	0x043f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004400000	0x04400000	0x04500fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004510000	0x04510000	0x04600fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004610000	0x04610000	0x04720fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004730000	0x04730000	0x048b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000048c0000	0x048c0000	0x049c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000049d0000	0x049d0000	0x04dcffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004dd0000	0x04dd0000	0x04e45fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000004e50000	0x04e50000	0x0506ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004e50000	0x04e50000	0x04ec5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004ed0000	0x04ed0000	0x04fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004fd0000	0x04fd0000	0x0501ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004fe0000	0x04fe0000	0x0501ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005030000	0x05030000	0x0506ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005070000	0x05070000	0x0516ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005170000	0x05170000	0x051affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000051b0000	0x051b0000	0x052affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052b0000	0x052b0000	0x052effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052f0000	0x052f0000	0x053effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005870000	0x05870000	0x058affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000058c0000	0x058c0000	0x058fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005900000	0x05900000	0x059fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005a00000	0x05a00000	0x05bfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005c00000	0x05c00000	0x05c80fff	Private Memory	Readable, Writable	Region Actions Download Dump
pst790mv.exe	0x10000000	0x10082fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x740d0000	0x740d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x740e0000	0x7411bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74120000	0x74138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74140000	0x74150fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74160000	0x742effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x742f0000	0x7433efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x74340000	0x74397fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x743a0000	0x743e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x743f0000	0x74402fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74550000	0x7458afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74590000	0x745a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x745b0000	0x745b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x745c0000	0x745cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x745d0000	0x745defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davhlpr.dll	0x745e0000	0x745e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davclnt.dll	0x745f0000	0x74606fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntlanman.dll	0x74610000	0x74623fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x74630000	0x74658fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
drprov.dll	0x74660000	0x74667fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74670000	0x74676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74680000	0x7469bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
traffic.dll	0x746a0000	0x746aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x746b0000	0x746bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x746c0000	0x746fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dciman32.dll	0x74700000	0x74705fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ddraw.dll	0x74710000	0x747f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
glu32.dll	0x74800000	0x74821fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
opengl32.dll	0x74830000	0x748f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pdh.dll	0x74900000	0x7493bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74940000	0x74971fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x74980000	0x74993fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x749a0000	0x749b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74c90000	0x74c94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x762d0000	0x762e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x763c0000	0x763e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x768a0000	0x76a3cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef38000	0x7ef38000	0x7ef3afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef38000	0x7ef38000	0x7ef3afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef3b000	0x7ef3b000	0x7ef3dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef3e000	0x7ef3e000	0x7ef40fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef41000	0x7ef41000	0x7ef43fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef44000	0x7ef44000	0x7ef46fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef47000	0x7ef47000	0x7ef49fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef4a000	0x7ef4a000	0x7ef4cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef4d000	0x7ef4d000	0x7ef4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 24 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.33 KB (336 bytes)	MD5: 7c71ee83af910dec760c54b96ae19f9a SHA1: ebd9fd4c6cb4c2a99fd486a0f2ce01daa256e5c8 SHA256: 33f1cf8ae4f821e1688f8de8463bae342c550cbd6eb667b370bab71bc22f9282	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.33 KB (336 bytes)	MD5: 7c71ee83af910dec760c54b96ae19f9a SHA1: ebd9fd4c6cb4c2a99fd486a0f2ce01daa256e5c8 SHA256: 33f1cf8ae4f821e1688f8de8463bae342c550cbd6eb667b370bab71bc22f9282	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.38 KB (384 bytes)	MD5: f7b1337a85bf965b4b8ab67d65ec26c3 SHA1: 79670586cdfc33f738677af4da640abcbc308743 SHA256: 80428142e41c382f97a47b5a2366e158d40942112cd017a9ce3a1b74fc9ffd93	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.38 KB (384 bytes)	MD5: f7b1337a85bf965b4b8ab67d65ec26c3 SHA1: 79670586cdfc33f738677af4da640abcbc308743 SHA256: 80428142e41c382f97a47b5a2366e158d40942112cd017a9ce3a1b74fc9ffd93	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.36 KB (368 bytes)	MD5: 39b7c9d83ee86f07436876987f6bf5b3 SHA1: 1892bd53396dbf427c13c63c22be20630d7c614f SHA256: 376c27701b84ccb518346deb5217c61516c42dd3c2a6280787f6d8756750e8aa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.36 KB (368 bytes)	MD5: 39b7c9d83ee86f07436876987f6bf5b3 SHA1: 1892bd53396dbf427c13c63c22be20630d7c614f SHA256: 376c27701b84ccb518346deb5217c61516c42dd3c2a6280787f6d8756750e8aa	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.44 KB (448 bytes)	MD5: bbd299bace19431a912dceadba1d4683 SHA1: 99388285449acf2c01cde866d921270a0e708484 SHA256: 414946b215d6c2418bad7c558de09dd603f14c54c24447a6774e2e4a51d76a02	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.44 KB (448 bytes)	MD5: bbd299bace19431a912dceadba1d4683 SHA1: 99388285449acf2c01cde866d921270a0e708484 SHA256: 414946b215d6c2418bad7c558de09dd603f14c54c24447a6774e2e4a51d76a02	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.58 KB (592 bytes)	MD5: 29040b560ca4c807bd187e4a070be64a SHA1: 558a339dacdce5b3c05e950712b856e57bc218e2 SHA256: bab2056daedad19db5a348dd37d32e97fda7261082808a9b5ceae04ec3b246a3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.58 KB (592 bytes)	MD5: 29040b560ca4c807bd187e4a070be64a SHA1: 558a339dacdce5b3c05e950712b856e57bc218e2 SHA256: bab2056daedad19db5a348dd37d32e97fda7261082808a9b5ceae04ec3b246a3	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp	0.61 KB (624 bytes)	MD5: 96de3dad77a9333b3941edcf97763093 SHA1: f89776d007f38a71ae967afa9006611704630e59 SHA256: a96413ba7afe34fa111e17ae8b01befe0cdb546be04904a02f92e113899b3ee0	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.61 KB (624 bytes)	MD5: 96de3dad77a9333b3941edcf97763093 SHA1: f89776d007f38a71ae967afa9006611704630e59 SHA256: a96413ba7afe34fa111e17ae8b01befe0cdb546be04904a02f92e113899b3ee0	File Actions Show Properties Download
c:\windows\tasks\407dad5a-b5c6-4985-9878-a37532f9a55f.job	0.49 KB (504 bytes)	MD5: 103b6c9ab3452427fab5839ea9ca1270 SHA1: afa53dd55fb041a1561da10d726663ba34f62ed8 SHA256: 912fc888e36f94b7be9216aacd71817489db4b37c44ba27ad64b08c0b7034e79	File Actions Show Properties Download
c:\programdata\252e9d6f-46f0-4cf5-8686-f2a673c579a2\1.dat	0.03 KB (32 bytes)	MD5: c18642c37123dd9520efa18db227cba1 SHA1: 961fe841ad06e3d18495ecd3c7c1f90250f4363a SHA256: 4d4c440ee23a5e4a5c03928c7085c8bcea0d3b8d78c53c9e03970152064c83ce	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.73 KB (752 bytes)	MD5: 4f1cd6376847e04626ed1f864b6d83c6 SHA1: 58bba1d3e7b4e9f751937b584c8869689f2bd76a SHA256: 2d4db92a8f4db77980ffc53b50440cfa158e237dcae23f758fbcadc1e813309d	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.75 KB (768 bytes)	MD5: 2124dedcce45e017b2b52ceea067f908 SHA1: b2ef626c65632a0e2cf8672e8a1b935970cfe9b5 SHA256: ff889ae413ec5a3f93750c59fd587b46849a1046ab401698507ff1fe2b9ffb0c	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.78 KB (800 bytes)	MD5: d2907d752b69c6654c839ea5186f8991 SHA1: 040859a0b7a8d960957057fb46de31ac1efbbf60 SHA256: 16d95ef314aa437c57296fb044c62b8866b1988883de2e061d2905e961fcd726	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.81 KB (832 bytes)	MD5: 00642690ded7bb60887302ae669d3594 SHA1: c7d1b92ee49ef4af1a217e3f714966d0e429feeb SHA256: e81d72ecc715998879b1c65bbc11852f4e2b36b5e409e301df146c5dfd46fe69	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.84 KB (864 bytes)	MD5: 2fcabfa8f45e908bdd322512d97af55c SHA1: bc870d783d89b1dfe87dfe83572cbbe0d9d51373 SHA256: 74a7a900be85839c0cca0a5afca690aaa0d3c359886e87983a4af890680effb7	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	0.86 KB (880 bytes)	MD5: 05d9c03b1d498b1ed988482850ce1d27 SHA1: 75a080f4c54005703fd524c4a6b4272941d3d110 SHA256: ea6250d4e68955c06ff481da3fa354653dbb4417867e338861f04fc439716849	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1.00 KB (1024 bytes)	MD5: 59b0194db8f7ab4b531fe53c5d318861 SHA1: 27b7876c04a3d91007cb6b2d127a66613ebdc1df SHA256: 832baecc09332b754abdb3b3d3a7f32e19bfb533ad6d2cca49b86a8092861b2e	File Actions Show Properties Download
c:\users\5p5nrgjn0js halpmcxz\appdata\local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1.06 KB (1088 bytes)	MD5: fc2d4c590d9c78b2f8bb25fb284ca97f SHA1: 591fe8f17424e2284e0c893f1d4e213c47a400a1 SHA256: 0e6a06ecd934e0c6a62c59e13dd5bee3f4cb279f6767c7d5488b14ce8f8ad4c4	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\programdata\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll	133.00 KB (136192 bytes)	MD5: ca98762b43ad6d6e4147089cae636fd5 SHA1: a8fb38628d6a0e3cbf3b593fdb16fba59ddbb04a SHA256: d36bca25ec22d09410b4432fcc65fca29ac1101953dabd8be67598e8bb603210		File Actions Show Properties Download

Threads

Thread 0xaac

(Host: 571, Network: 1)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 1627-01-20 17:43:11 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 101135	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76614f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76611252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76614208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7661359f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76600000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, size = 260	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Window	Set Attribute	index = 18446744073709551600, new_long = 18446744071562067968	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 128	1	Fn
Window	Create	window_name = Viewer, class_name = View, wndproc_parameter = 0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76614a2d	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	6	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	4	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	3	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	4	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Open	-	2	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
File	Open	-	2	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:41 (UTC)	1	Fn
File	Open	-	1	Fn
File	Get Info	type = time	1	Fn
File	Create Pipe	pipe_name = Anonymous read pipe, size = 0	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = Ticks, time = 101431	6	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x76f70000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x74ea0000	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x76fb1f6e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x766114c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76611856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x76fb0fcb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x7661e331	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushInstructionCache, address_out = 0x76614393	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7663772f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76617a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadProcessMemory, address_out = 0x7662cfcc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x766149ca	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76611222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x766110ff	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7662d802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7663d1c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x766187c9	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74ea0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74eadf36	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74eadf4e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74eae124	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74eadf66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74eadf14	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74eadf7e	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76a40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strlen, address_out = 0x76a543d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address_out = 0x76a49790	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Handle	module_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, base_address = 0x10000000	11	Fn
System	Sleep	duration = 993 milliseconds (0.993 seconds)	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76fa9d35	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x7661445a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x7661469b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x7663830d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x766110ff	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x7661d2f9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x76615223	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenEventW, address_out = 0x766115d6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x76611b00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x76611886	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76614950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7661103d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x766944cf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexA, address_out = 0x7662ec6f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x7661dd0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x766143ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x7661328c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x76611b48	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexA, address_out = 0x76614c6b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76614435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x766154ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76614442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RegisterWaitForSingleObject, address_out = 0x7663cb05	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnregisterWaitEx, address_out = 0x7663b921	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x7663735f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76638baf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7663896c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnregisterWait, address_out = 0x7669e6ab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CancelIo, address_out = 0x7668bce9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76612d3c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x7662d4dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x7663d1b6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76611856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x7661186e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x7662d9b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x7662d9e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 0x766379d4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadContext, address_out = 0x76695393	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFreeEx, address_out = 0x7662d9c8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76611222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessId, address_out = 0x7663cf04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x766153c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x766111e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x766149ad	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x76613587	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateIoCompletionPort, address_out = 0x7662eef2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = PostQueuedCompletionStatus, address_out = 0x7662ef29	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7662d802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x766114fb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteTimerQueueTimer, address_out = 0x7662f7d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateTimerQueueTimer, address_out = 0x7662f7eb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateNamedPipeA, address_out = 0x76691807	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ConnectNamedPipe, address_out = 0x766940fb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76614259	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x7662174d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x76615558	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoA, address_out = 0x7662d5e5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x76615a96	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x7663d4c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7661192e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x76fe92b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoA, address_out = 0x7662f803	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76615a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x7662c860	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x766153ae	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x766114c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x766187c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7663772f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7663d1c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76611484	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedExchange, address_out = 0x76611462	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x766133a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x766149d7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x766134c8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x766189b3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76611b18	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76611282	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76fcd598	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x766117d1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76611986	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x766134b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x766111f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocalTime, address_out = 0x76615aa6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x766111c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x766149ca	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76617a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x766116dd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76fa45f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x766116c5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x7661183e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76611450	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76615a7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76617a2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x766134d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x7663b2b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76611410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7661110c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76613ed3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x7661196e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetQueuedCompletionStatus, address_out = 0x7662d3c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76613f5c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76611725	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryW, address_out = 0x7661492b	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x74ca0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetIconInfo, address_out = 0x74cc49ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x74cc1218	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = DrawIcon, address_out = 0x74cc8deb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x74cb7446	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetDesktopWindow, address_out = 0x74cc0a19	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x74cb72c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x74cb7d2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetLastInputInfo, address_out = 0x74ccb382	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CharLowerA, address_out = 0x74cc3e75	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowRect, address_out = 0x74cb7f34	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x74cb78e2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = PostMessageW, address_out = 0x74cc12a5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x74d0fd1e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxW, address_out = 0x74d0fd3f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = LoadImageA, address_out = 0x74cc8455	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x760d0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptImportPublicKeyInfo, address_out = 0x760e6c0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x76105d77	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptDecodeObjectEx, address_out = 0x760dd718	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x762f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x762f311b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 9, address_out = 0x762f2d8b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASocketW, address_out = 0x762f3cd3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASendTo, address_out = 0x7630b30c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 111, address_out = 0x762f37ad	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x762f3918	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecvFrom, address_out = 0x762fcba6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSAIoctl, address_out = 0x762f2fe7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 21, address_out = 0x762f41b6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x762f4582	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 12, address_out = 0x762fb131	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASend, address_out = 0x762f4406	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 5, address_out = 0x762f7147	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x762f3ab2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecv, address_out = 0x762f7089	1	Fn
Module	Load	module_name = DNSAPI.dll, base_address = 0x743a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsWriteQuestionToBuffer_UTF8, address_out = 0x743cadbb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsExtractRecordsFromMessage_UTF8, address_out = 0x743caf44	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsFree, address_out = 0x743a436b	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x74c90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameA, address_out = 0x74c915a4	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76710000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x767509ad	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74ea0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74eadf7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74eae124	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74eadf14	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74eadf4e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74eadf36	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74eb157a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74eb4620	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74eb415e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptVerifySignatureW, address_out = 0x74eac54a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74eac51a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74eb4907	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74eb48ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74eb469d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74eb4304	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74eb431c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74eb0e0c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74eb0e24	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74eb40e6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74eadf04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74eb412e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74eadf66	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74f40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x74f59ee8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x74f61e46	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetFolderPathW, address_out = 0x74fc5708	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76070000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathIsDirectoryW, address_out = 0x7607ff07	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = 12, address_out = 0x7608158a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathAppendW, address_out = 0x760881ef	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x74340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpGetIEProxyConfigForCurrentUser, address_out = 0x7435257e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x74359dfb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x743458b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x74342c01	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x7434d9f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x74344aea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x74343f6c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x743479bd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7434b262	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpWriteData, address_out = 0x7435abfd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x7434ba51	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x7435c5dd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x7434cb9e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetStatusCallback, address_out = 0x74345ebd	1	Fn
Module	Load	module_name = GDI32.dll, base_address = 0x763f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x764054f4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76404f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = BitBlt, address_out = 0x76405ea6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x764058b3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76405689	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x76404de0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76405f49	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlRandom, address_out = 0x770398c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryObject, address_out = 0x76f8f9e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlImageNtHeader, address_out = 0x76fa3164	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x76f8fda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x76f8fda0	1	Fn
Module	Load	module_name = gdiplus.dll, base_address = 0x74160000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdiplusStartup, address_out = 0x74185600	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdiplusShutdown, address_out = 0x741856be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipAlloc, address_out = 0x741a2437	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipCreateBitmapFromHBITMAP, address_out = 0x74196671	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipGetImageEncodersSize, address_out = 0x741a2203	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipGetImageEncoders, address_out = 0x741a228c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipSaveImageToStream, address_out = 0x74194153	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipDisposeImage, address_out = 0x74194cc8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipFree, address_out = 0x741a24b2	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipCloneImage, address_out = 0x74194bfa	1	Fn
Module	Load	module_name = NETAPI32.dll, base_address = 0x74140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x745b13d2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\netapi32.dll, function = NetWkstaGetInfo, address_out = 0x74145570	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76a40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76a49cee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = vsprintf, address_out = 0x76ab7677	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76a49894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76a4b0b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76a4b0c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memcpy, address_out = 0x76a49910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memmove, address_out = 0x76a49e5a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = puts, address_out = 0x76ab8d04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = abort, address_out = 0x76aa8e53	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address_out = 0x76a49790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strlen, address_out = 0x76a543d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcslen, address_out = 0x76a5d335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = exit, address_out = 0x76a536aa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = realloc, address_out = 0x76a4b10d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strncmp, address_out = 0x76a4b443	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _strcmpi, address_out = 0x76a4db38	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _vsnwprintf, address_out = 0x76a4bbce	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _purecall, address_out = 0x76aa6ea9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = tolower, address_out = 0x76a4c4f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = atoi, address_out = 0x76a4dbe0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strcmp, address_out = 0x76a58b11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = atol, address_out = 0x76a4ddf4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _wcsicmp, address_out = 0x76a4a9e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _snwprintf, address_out = 0x76a695d1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcscmp, address_out = 0x76a5d3b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcsrchr, address_out = 0x76a4a73f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcscpy, address_out = 0x76a5d4f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _errno, address_out = 0x76a4a5b8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcschr, address_out = 0x76a4aa61	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x76a4dbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _iob, address_out = 0x76ae2900	1	Fn
Environment	Set Environment String	name = bound, value = 941401012	1	Fn
System	Get Time	type = Ticks, time = 106595	1	Fn
Environment	Get Environment String	name = RESTARTED	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, size = 519	1	Fn
Environment	Get Environment String	name = SELF	1	Fn
Environment	Get Environment String	name = INJECTED	1	Fn
Mutex	Open	mutex_name = df7689e6-c49f-4a86-82e8-6809a406872a, desired_access = SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = df7689e6-c49f-4a86-82e8-6809a406872a	1	Fn
System	Get Info	type = SYSTEM_HANDLE_INFORMATION	1	Fn
System	Get Info	type = SYSTEM_HANDLE_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_DUP_HANDLE	249	Fn
System	Get Computer Name	result_out = XDUWTFONO	1	Fn
File	Create Directory	C:	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz	1	Fn
File	Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData	1	Fn
File	Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local	1	Fn
File	Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Environment	Get Environment String	name = bound, result_out = 941401012	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 336	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 384	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 368	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 448	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x74ca0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetProcessDpiAwarenessContext, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetProcessDpiAwareness, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetProcessDPIAware, address_out = 0x74cbfcb8	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, size = 519	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\crash_flag, type = file_attributes	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 592	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
File	Create Directory	C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\8054e6dc-e4db-4147-9938-ada26bf04150	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\8054e6dc-e4db-4147-9938-ada26bf04150\38e5d161-f6c8-43ba-9fe8-f1301b7b08b6, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn

Thread 0xac0

(Host: 74, Network: 126)

Category	Operation	Information	Count	Logfile
Socket	Bind	protocol = IPPROTO_TCP, local_address = 0x0, local_port = 0	1	Fn
Socket	Connect	remote_address = 192.99.181.10, remote_port = 443	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	3	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:48 (UTC)	6	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, size = 624	1	Fn Data
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\transport, type = file_attributes	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
File	Create	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, type = size	1	Fn
File	Read	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, size = 517632, size_out = 517632	1	Fn Data
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Module	Get Handle	module_name = private_0x0000000004dd0000, base_address = 0x4dd0000	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = CurrentMajorVersionNumber, data = 0	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = CSDVersion, data = 83	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = CurrentBuildNumber, data = 55	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x7661195e	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x7661195e	1	Fn
System	Get Computer Name	result_out = XDUWTFONO	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = VendorIdentifier, data = 71	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ~MHz, data = 16	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Time	type = System Time, time = 2017-11-07 19:24:50 (UTC)	1	Fn
Module	Load	module_name = Wtsapi32.dll, base_address = 0x746b0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSQuerySessionInformationW, address_out = 0x746b253d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSFreeMemory, address_out = 0x746b1b65	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\wtsapi32.dll, function = WTSEnumerateSessionsW, address_out = 0x746b1d49	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Create Pipe	pipe_name = \device\namedpipe\d598dec5-4d80-43a6-a70a-9b525cd42b6e, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, max_instances = 1	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
File	Read	size = 4096	1	Fn
Socket	Send	flags = NO_FLAG_SET	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	4	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Create Pipe	pipe_name = \device\namedpipe\809be9fc-4888-4de2-b082-6bb25f3a1fee, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_FIRST_PIPE_INSTANCE, FILE_FLAG_OVERLAPPED, max_instances = 1	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
File	Read	size = 4096	1	Fn
Socket	Send	flags = NO_FLAG_SET	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	2	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
File	Read	size = 4096	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	4	Fn
Process	Create	process_name = C:\Windows\system32\dllhost.exe, os_pid = 0x474, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE	1	Fn
Memory	Allocate	process_name = C:\Windows\system32\dllhost.exe, address = 0x60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_READWRITE, size = 390	1	Fn
Memory	Write	process_name = C:\Windows\system32\dllhost.exe, address = 0x60000, size = 390	1	Fn Data
Memory	Allocate	process_name = C:\Windows\system32\dllhost.exe, address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 483328	1	Fn
Memory	Write	process_name = C:\Windows\system32\dllhost.exe, address = 0x70000, size = 483328	1	Fn Data
Thread	Get Context	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
Thread	Set Context	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
Thread	Resume	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	2	Fn
Process	Terminate	exit_code = 10	1	Fn
Process	Create	process_name = C:\Windows\system32\dllhost.exe, os_pid = 0x4bc, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE	1	Fn
Memory	Allocate	process_name = C:\Windows\system32\dllhost.exe, address = 0x60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_READWRITE, size = 444	1	Fn
Memory	Write	process_name = C:\Windows\system32\dllhost.exe, address = 0x60000, size = 444	1	Fn Data
Memory	Allocate	process_name = C:\Windows\system32\dllhost.exe, address = 0x150000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 483328	1	Fn
Memory	Write	process_name = C:\Windows\system32\dllhost.exe, address = 0x150000, size = 483328	1	Fn Data
Thread	Get Context	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
Thread	Set Context	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	1	Fn
Thread	Resume	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, os_tid = 0xac0	1	Fn
File	Copy	source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat.tmp, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat	2	Fn
Socket	Send	flags = NO_FLAG_SET	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 0	1	Fn
Process	Terminate	exit_code = 10	1	Fn

Thread 0xacc

(Host: 0, Network: 8)

Category	Operation	Information	Count	Logfile
Inet	Open Session	user_agent = Wget/1.11., access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = httpbin.org, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /ip, accept_types = 0, flags = INTERNET_FLAG_FORMS_SUBMIT, INTERNET_FLAG_PRAGMA_NOCACHE	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = httpbin.org/ip	1	Fn
Inet	Read Response	size = 33, size_out = 33	1	Fn Data
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0xad8

(Host: 89, Network: 0)

Category	Operation	Information	Count	Logfile
File	Read	size = 4096	1	Fn
File	Write	size = 12	1	Fn
File	Read	size = 4096	6	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76614259	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7661192e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x76fe92b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoA, address_out = 0x7662f803	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76611222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76615a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x7662c860	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x766153ae	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76614435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x766154ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76614442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x766944cf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x766189b3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76613ed3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x7661183e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x766116c5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x766114c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7663772f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7662d802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x7661196e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76611282	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76613f5c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7661110c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76611725	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76615a7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x7663b2b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x766111c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76611410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76fa45f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x766153c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7663d1c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x766187c9	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76710000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74ea0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74eadf04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74eb40e6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74eb0e24	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74eb0e0c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74eb431c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74eb4304	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x74eb46ad	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74eb469d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x74eb1481	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74eb4907	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74eb412e	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlRandom, address_out = 0x770398c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryObject, address_out = 0x76f8f9e8	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76a40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76a4b0b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address_out = 0x76a49790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76a49cee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76a49894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strlen, address_out = 0x76a543d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memcmp, address_out = 0x76a57975	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = puts, address_out = 0x76ab8d04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = abort, address_out = 0x76aa8e53	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memcpy, address_out = 0x76a49910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memmove, address_out = 0x76a49e5a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = vsprintf, address_out = 0x76ab7677	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = realloc, address_out = 0x76a4b10d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcslen, address_out = 0x76a5d335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = exit, address_out = 0x76a536aa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _snprintf, address_out = 0x76a6fa7c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _vsnprintf, address_out = 0x76a4d1a8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x76a4dbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76a4b0c9	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 12	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 3924	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 8	1	Fn

Thread 0xadc

(Host: 437, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = \\.\NPF_NdisWanIp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayName, data = 65	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayName, data = 71	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217045FF}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217045FF}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217045FF}, value_name = DisplayName, data = 74	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}, value_name = DisplayName, data = 74	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}, value_name = DisplayName, data = 65	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x7661195e	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PRJPROR	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PRJPROR, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PRJPROR, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUSR	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUSR, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUSR, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.VISIOR	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.VISIOR, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.VISIOR, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC, value_name = DisplayName, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{0242505C-4E90-407F-9299-B5B275F50D86}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{0242505C-4E90-407F-9299-B5B275F50D86}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{0242505C-4E90-407F-9299-B5B275F50D86}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.VISIOR_{0242505C-4E90-407F-9299-B5B275F50D86}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.VISIOR_{0242505C-4E90-407F-9299-B5B275F50D86}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}_Office14.VISIOR_{0242505C-4E90-407F-9299-B5B275F50D86}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUSR_{B51389C8-2890-4633-81D8-47D2A7402274}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUSR_{B51389C8-2890-4633-81D8-47D2A7402274}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.PROPLUSR_{B51389C8-2890-4633-81D8-47D2A7402274}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.VISIOR_{B51389C8-2890-4633-81D8-47D2A7402274}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.VISIOR_{B51389C8-2890-4633-81D8-47D2A7402274}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}_Office14.VISIOR_{B51389C8-2890-4633-81D8-47D2A7402274}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.PROPLUSR_{1779650B-2E44-4A19-8DF6-3866D645764A}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.PROPLUSR_{1779650B-2E44-4A19-8DF6-3866D645764A}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.PROPLUSR_{1779650B-2E44-4A19-8DF6-3866D645764A}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.VISIOR_{1779650B-2E44-4A19-8DF6-3866D645764A}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.VISIOR_{1779650B-2E44-4A19-8DF6-3866D645764A}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}_Office14.VISIOR_{1779650B-2E44-4A19-8DF6-3866D645764A}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.VISIOR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.VISIOR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}_Office14.VISIOR_{270CA0B9-9881-44DB-BC3B-37C7E66A044A}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.VISIOR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.VISIOR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}_Office14.VISIOR_{E8B6D35B-0B6F-4DCE-9493-859BF3809A7F}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.VISIOR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.VISIOR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}_Office14.VISIOR_{FCD1C311-8B02-4DBD-BA46-1079C629577E}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}_Office14.VISIOR_{7DC2B20B-31B9-4C7C-B8DC-8492A9A3095E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}_Office14.VISIOR_{7DC2B20B-31B9-4C7C-B8DC-8492A9A3095E}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0054-0409-1000-0000000FF1CE}_Office14.VISIOR_{7DC2B20B-31B9-4C7C-B8DC-8492A9A3095E}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}_Office14.PRJPROR_{316A864B-0547-40CE-B136-B02B4D18BF09}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}_Office14.PRJPROR_{316A864B-0547-40CE-B136-B02B4D18BF09}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00B4-0409-1000-0000000FF1CE}_Office14.PRJPROR_{316A864B-0547-40CE-B136-B02B4D18BF09}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}_Office14.VISIOR_{516CA4A9-98E6-4F77-A863-CBD8487368E4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0011-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}_Office14.PRJPROR_{E6F88893-86F0-4CFB-B7E0-733575D1DEB4}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}_Office14.PRJPROR_{E6F88893-86F0-4CFB-B7E0-733575D1DEB4}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-003B-0000-1000-0000000FF1CE}_Office14.PRJPROR_{E6F88893-86F0-4CFB-B7E0-733575D1DEB4}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}_Office14.VISIOR_{9081486B-B26D-42DB-8D31-81C525A9526A}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}_Office14.VISIOR_{9081486B-B26D-42DB-8D31-81C525A9526A}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91140000-0057-0000-1000-0000000FF1CE}_Office14.VISIOR_{9081486B-B26D-42DB-8D31-81C525A9526A}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}, value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}, value_name = DisplayName, data = 77	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	Fn

Thread 0x5b0

(Host: 223, Network: 0)

Category	Operation	Information	Count	Logfile
File	Read	size = 4096	1	Fn
File	Write	size = 12	1	Fn
File	Read	size = 4096	6	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76611282	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76611410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76614259	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x766111c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7661110c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x7661183e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x766116c5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7663772f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7662d802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7663d1c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x766187c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76613f5c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76611725	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76614442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76611b18	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x766154ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76614435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76614950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x766111f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76fa45f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76614173	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76710000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitialize, address_out = 0x7672b636	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstance, address_out = 0x76759d0b	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74f40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetFolderPathW, address_out = 0x74fc5708	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlRandom, address_out = 0x770398c3	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76a40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76a4b0c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76a4b0b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = puts, address_out = 0x76ab8d04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = exit, address_out = 0x76a536aa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = abort, address_out = 0x76aa8e53	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address_out = 0x76a49790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcsrchr, address_out = 0x76a4a73f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memcpy, address_out = 0x76a49910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76a49894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcslen, address_out = 0x76a5d335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memmove, address_out = 0x76a49e5a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76a49cee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = realloc, address_out = 0x76a4b10d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strlen, address_out = 0x76a543d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _snprintf, address_out = 0x76a6fa7c	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 12	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 56	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 44	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 39	1	Fn
File	Read	size = 4096	118	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 159	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 62	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 65	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 66	1	Fn
File	Read	size = 4096	3	Fn
File	Write	size = 59	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 183	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Read	size = 4096	1	Fn
File	Write	size = 98	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 48	1	Fn
File	Read	size = 4096	2	Fn
File	Write	size = 43	1	Fn

Thread 0x834

(Host: 14, Network: 0)

Category	Operation	Information	Count	Logfile
File	Get Info	filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\454ae93e901dbdaa6732f2a7c8a0c95fc3e0c1b4\container.dat, type = file_attributes	1	Fn
System	Get Time	type = Ticks, time = 152194	1	Fn
File	Write	size = 1024	1	Fn Data
COM	Create	interface = 148BD527-A2AB-11CE-B11F-00AA00530503, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Module	Get Filename	process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\pST790mv.exe, size = 519	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
File	Create	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\1.dat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\1.dat, size = 32	1	Fn Data
File	Write	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\1.dat, size = 483328	1	Fn Data
File	Create	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll, size = 136192	1	Fn Data
File	Write	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll, size = 8704	1	Fn Data
File	Write	filename = C:\ProgramData\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll, size = 178	1	Fn Data
System	Get Time	type = System Time, time = 2017-11-07 19:25:33 (UTC)	1	Fn

Process #4: dllhost.exe

Information	Value
ID	#4
File Name	c:\windows\syswow64\dllhost.exe
Command Line	"C:\Windows\system32\dllhost.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:29, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:08:44
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x474
Parent PID	0xaa8 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000070000	0x00070000	0x000e5fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
dllhost.exe	0x00ab0000	0x00ab4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Success	Count	Logfile
Modify Memory	#3: c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe	0xac0	address = 0x60000, size = 390		1	Fn Data
Modify Control Flow	#3: c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe	0xac0	os_tid = 0x5d4, address = 0x76f801c4		1	Fn

Process #5: dllhost.exe

(Host: 265, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\syswow64\dllhost.exe
Command Line	"C:\Windows\system32\dllhost.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:29, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:08:44

OS Process Information

Information	Value
PID	0x4bc
Parent PID	0xaa8 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 244

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x001c5fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000420000	0x00420000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005a0000	0x005a0000	0x005affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006f0000	0x006f0000	0x00877fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00a00fff	Pagefile Backed Memory	Readable	Region Actions
dllhost.exe	0x00ab0000	0x00ab4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000ac0000	0x00ac0000	0x01ebffff	Pagefile Backed Memory	Readable	Region Actions
srvcli.dll	0x74120000	0x74138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74140000	0x74150fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74160000	0x742effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x742f0000	0x7433efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x74340000	0x74397fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x743a0000	0x743e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x745b0000	0x745b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x745d0000	0x745defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74c90000	0x74c94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#3: c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe	0xac0	address = 0x60000, size = 444	1	Fn Data
Modify Memory	#3: c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe	0xac0	address = 0x150000, size = 483328	1	Fn Data
Modify Control Flow	#3: c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe	0xac0	os_tid = 0x244, address = 0x76f801c4	1	Fn

Threads

Thread 0x244

(Host: 265, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = KERNEL32.dll, base_address = 0x76600000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x76fa9d35	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x7661445a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x7661469b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileW, address_out = 0x7663830d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x766110ff	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetShortPathNameW, address_out = 0x7661d2f9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x76615223	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenEventW, address_out = 0x766115d6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetErrorMode, address_out = 0x76611b00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x76611886	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76614950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x7661103d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryW, address_out = 0x766944cf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenMutexA, address_out = 0x7662ec6f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x7661dd0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x766143ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x7661328c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x76611b48	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexA, address_out = 0x76614c6b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76614435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x766154ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76614442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RegisterWaitForSingleObject, address_out = 0x7663cb05	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnregisterWaitEx, address_out = 0x7663b921	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x7663735f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76638baf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x7663896c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnregisterWait, address_out = 0x7669e6ab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CancelIo, address_out = 0x7668bce9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76612d3c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x7662d4dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address_out = 0x7663d1b6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76611856	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x7661186e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x7662d9b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x7662d9e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 0x766379d4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadContext, address_out = 0x76695393	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFreeEx, address_out = 0x7662d9c8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76611222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessId, address_out = 0x7663cf04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x766153c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x766111e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x766149ad	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x76613587	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateIoCompletionPort, address_out = 0x7662eef2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = PostQueuedCompletionStatus, address_out = 0x7662ef29	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x7662d802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x766114fb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteTimerQueueTimer, address_out = 0x7662f7d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateTimerQueueTimer, address_out = 0x7662f7eb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateNamedPipeA, address_out = 0x76691807	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ConnectNamedPipe, address_out = 0x766940fb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76614259	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address_out = 0x7662174d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x76615558	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoA, address_out = 0x7662d5e5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTime, address_out = 0x76615a96	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x7663d4c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7661192e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x76fe92b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoA, address_out = 0x7662f803	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76615a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x7662c860	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandle, address_out = 0x766153ae	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x766114c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x766187c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7663772f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x7663d1c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76611484	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedExchange, address_out = 0x76611462	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableA, address_out = 0x766133a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x766149d7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x766134c8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x766189b3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76611b18	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76611282	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x76fcd598	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x766117d1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76611986	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x766134b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x766111f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocalTime, address_out = 0x76615aa6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x766111c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemInfo, address_out = 0x766149ca	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76617a10	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x766116dd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x76fa45f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x766116c5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventW, address_out = 0x7661183e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76611450	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76615a7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76617a2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x766134d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringA, address_out = 0x7663b2b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76611410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7661110c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76613ed3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x7661196e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetQueuedCompletionStatus, address_out = 0x7662d3c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76613f5c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76611725	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryW, address_out = 0x7661492b	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x74ca0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetIconInfo, address_out = 0x74cc49ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x74cc1218	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = DrawIcon, address_out = 0x74cc8deb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x74cb7446	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetDesktopWindow, address_out = 0x74cc0a19	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x74cb72c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x74cb7d2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetLastInputInfo, address_out = 0x74ccb382	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CharLowerA, address_out = 0x74cc3e75	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetWindowRect, address_out = 0x74cb7f34	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x74cb78e2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = PostMessageW, address_out = 0x74cc12a5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x74d0fd1e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxW, address_out = 0x74d0fd3f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = LoadImageA, address_out = 0x74cc8455	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x760d0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptImportPublicKeyInfo, address_out = 0x760e6c0e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x76105d77	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptDecodeObjectEx, address_out = 0x760dd718	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x762f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address_out = 0x762f311b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 9, address_out = 0x762f2d8b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASocketW, address_out = 0x762f3cd3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASendTo, address_out = 0x7630b30c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 111, address_out = 0x762f37ad	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address_out = 0x762f3918	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecvFrom, address_out = 0x762fcba6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSAIoctl, address_out = 0x762f2fe7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 21, address_out = 0x762f41b6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 2, address_out = 0x762f4582	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 12, address_out = 0x762fb131	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSASend, address_out = 0x762f4406	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 5, address_out = 0x762f7147	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address_out = 0x762f3ab2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSARecv, address_out = 0x762f7089	1	Fn
Module	Load	module_name = DNSAPI.dll, base_address = 0x743a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsWriteQuestionToBuffer_UTF8, address_out = 0x743cadbb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsExtractRecordsFromMessage_UTF8, address_out = 0x743caf44	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\dnsapi.dll, function = DnsFree, address_out = 0x743a436b	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x74c90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameA, address_out = 0x74c915a4	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76710000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x767509ad	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74ea0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x74eadf7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x74eae124	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x74eadf14	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x74eadf4e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x74eadf36	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x74eb157a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x74eb4620	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x74eb415e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptVerifySignatureW, address_out = 0x74eac54a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x74eac51a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x74eb4907	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x74eb48ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x74eb469d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x74eb4304	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x74eb431c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x74eb0e0c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x74eb0e24	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x74eb40e6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x74eadf04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x74eb412e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x74eadf66	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74f40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address_out = 0x74f59ee8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x74f61e46	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetFolderPathW, address_out = 0x74fc5708	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x76070000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathIsDirectoryW, address_out = 0x7607ff07	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = 12, address_out = 0x7608158a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathAppendW, address_out = 0x760881ef	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x74340000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpGetIEProxyConfigForCurrentUser, address_out = 0x7435257e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpAddRequestHeaders, address_out = 0x74359dfb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpen, address_out = 0x743458b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpCloseHandle, address_out = 0x74342c01	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpConnect, address_out = 0x7434d9f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpOpenRequest, address_out = 0x74344aea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetOption, address_out = 0x74343f6c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSendRequest, address_out = 0x743479bd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReceiveResponse, address_out = 0x7434b262	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpWriteData, address_out = 0x7435abfd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryHeaders, address_out = 0x7434ba51	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpQueryDataAvailable, address_out = 0x7435c5dd	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpReadData, address_out = 0x7434cb9e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\winhttp.dll, function = WinHttpSetStatusCallback, address_out = 0x74345ebd	1	Fn
Module	Load	module_name = GDI32.dll, base_address = 0x763f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x764054f4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76404f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = BitBlt, address_out = 0x76405ea6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x764058b3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76405689	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x76404de0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76405f49	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlRandom, address_out = 0x770398c3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryObject, address_out = 0x76f8f9e8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlImageNtHeader, address_out = 0x76fa3164	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x76f8fda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x76f8fda0	1	Fn
Module	Load	module_name = gdiplus.dll, base_address = 0x74160000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdiplusStartup, address_out = 0x74185600	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdiplusShutdown, address_out = 0x741856be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipAlloc, address_out = 0x741a2437	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipCreateBitmapFromHBITMAP, address_out = 0x74196671	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipGetImageEncodersSize, address_out = 0x741a2203	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipGetImageEncoders, address_out = 0x741a228c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipSaveImageToStream, address_out = 0x74194153	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipDisposeImage, address_out = 0x74194cc8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipFree, address_out = 0x741a24b2	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, function = GdipCloneImage, address_out = 0x74194bfa	1	Fn
Module	Load	module_name = NETAPI32.dll, base_address = 0x74140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\netapi32.dll, function = NetApiBufferFree, address_out = 0x745b13d2	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\netapi32.dll, function = NetWkstaGetInfo, address_out = 0x74145570	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76a40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76a49cee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = vsprintf, address_out = 0x76ab7677	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76a49894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76a4b0b9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76a4b0c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memcpy, address_out = 0x76a49910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memmove, address_out = 0x76a49e5a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = puts, address_out = 0x76ab8d04	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = abort, address_out = 0x76aa8e53	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address_out = 0x76a49790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strlen, address_out = 0x76a543d3	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcslen, address_out = 0x76a5d335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = exit, address_out = 0x76a536aa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = realloc, address_out = 0x76a4b10d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strncmp, address_out = 0x76a4b443	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _strcmpi, address_out = 0x76a4db38	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _vsnwprintf, address_out = 0x76a4bbce	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _purecall, address_out = 0x76aa6ea9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = tolower, address_out = 0x76a4c4f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = atoi, address_out = 0x76a4dbe0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strcmp, address_out = 0x76a58b11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = atol, address_out = 0x76a4ddf4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _wcsicmp, address_out = 0x76a4a9e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _snwprintf, address_out = 0x76a695d1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcscmp, address_out = 0x76a5d3b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcsrchr, address_out = 0x76a4a73f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcscpy, address_out = 0x76a5d4f8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _errno, address_out = 0x76a4a5b8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = wcschr, address_out = 0x76a4aa61	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x76a4dbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = _iob, address_out = 0x76ae2900	1	Fn