Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data

Involved Hosts

Hostname	IP Addresses	Country	City	Protocols	Has Blacklisted URL
jluxi.dynu.com	185.62.188.68	NL		DNS, TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe

(Host: 4170, Network: 0)

Information	Value
ID	#1
File Name	c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
Command Line	"C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"
Initial Working Directory	C:\Users\EEBsYm5\Desktop\
Monitor	Start Time: 00:00:10, Reason: Analysis Target
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:02:01

OS Process Information

Information	Value
PID	0xa00
Parent PID	0x658 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A04 0x A0C 0x A14 0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00142fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x002b0000	0x00316fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000320000	0x00320000	0x003e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	Readable	Region Actions
9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x00540fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x00561fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x00571fff	Pagefile Backed Memory	Readable	Region Actions
msctf.dll.mui	0x00570000	0x00570fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00580fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.1.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x005a0000	0x005b4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000610000	0x00610000	0x0120ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001210000	0x01210000	0x012eefff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012f0000	0x015befff	Memory Mapped File	Readable	Region Actions
private_0x00000000015c0000	0x015c0000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000015c0000	0x015c0000	0x015c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x015d0000	0x015fffff	Memory Mapped File	Readable	Region Actions
private_0x0000000001600000	0x01600000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001640000	0x01640000	0x01a32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01bc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
staticcache.dat	0x01ac0000	0x023effff	Memory Mapped File	Readable	Region Actions
private_0x00000000023f0000	0x023f0000	0x024f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
cversions.2.db	0x023f0000	0x023f3fff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x02400000	0x02465fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002470000	0x02470000	0x0256ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002570000	0x02570000	0x0266ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002670000	0x02670000	0x02670fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x0277ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002800000	0x02800000	0x02900fff	Private Memory	Readable, Writable	Region Actions Download Dump
riched20.dll	0x6d740000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x6e5a0000	0x6e5f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6ec20000	0x6ec4dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x70f80000	0x70fcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched32.dll	0x72980000	0x72985fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x73e40000	0x73e60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73ed0000	0x73fc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x758a0000	0x75922fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x75930000	0x75974fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	Actions
c:\users\eebsym5\appdata\local\temp\60484525\__tmp_rar_sfx_access_check_18052931	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\eebsym5\appdata\local\temp\60484525\hin.ppt	753.11 KB (771181 bytes)	MD5: b4069d0c0e00f8266018f1263d28314a SHA1: da9e1711e225aa694f28ac81677f0a8840acbd56 SHA256: 017a11f2c47b3329116d74da098437fef15a0283fd7df5b5cf16e167a74bf4bf	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvn-nhc	2.88 MB (3022508 bytes)	MD5: de1a6fbf02c16cacd54d414ed4e6f73e SHA1: 645a49fb10d04c18348e6614c3640cb2d732d7e2 SHA256: f0b7de110217d22b745eb45ad6c808974c667bb77dabdf824c7a439bb254d49d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	732.73 KB (750320 bytes)	MD5: 71d8f6d5dc35517275bc38ebcc815f9f SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jdl.jpg	0.58 KB (593 bytes)	MD5: 4cf50661adbe97e9144a1ae14e0cc2d4 SHA1: 6cfecd4625e5cac62f73cd766c0695545615a80e SHA256: 01da59d2d9a62cc31d8a28f02e58762f775783d072dc92cd4882472991c6c489	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vqm.xl	0.51 KB (525 bytes)	MD5: 39f5c28a7805e6993c878e2445b6de4f SHA1: b1a4702db810d76ca9dab4a40b464161447a8485 SHA256: 2fb689a6de68f133a7baab6c6f6458fae38c6dae4d90f62da2b90641a048fc2a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\bcu.mp4	0.51 KB (521 bytes)	MD5: e800b240b278b15f7e04a9aa5aad5a94 SHA1: 5c57cfd08c138ecb8aaf08638ff708ed0fc11e9c SHA256: d4c33eed67247dbddc3dcd7400bd24fd7209a597f468978f014568c2ee0a7fd1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnr.mp3	0.54 KB (556 bytes)	MD5: a1c50816b65f30e2260479114d0bcab6 SHA1: 74c73a920cbd9ef1057d4d8d7589363d14e4a55b SHA256: c18f5a54575e9b56f95bbeb353318cba41fefbadc7f101589d5fc0df3fd56141	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvg.mp4	0.49 KB (505 bytes)	MD5: da230cfbc8a80e350c87d894eebb76b9 SHA1: ea6d7ae1dc826a9344c00a01d47e92ee60bd6d61 SHA256: bdfc89fb5460d262442882b76f31f9853370abd79e86be034afb53e2be694118	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\chm.docx	0.60 KB (614 bytes)	MD5: 84d55a12fc2416df5c1553ee17ad0992 SHA1: b402fc11ff5ef3552be26235e9fd016c7fe912b2 SHA256: 918778adbeba224f4b9dd8910b717cf706563c35e06fbe0d04dfb00ced8678ee	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vua.jpg	0.50 KB (509 bytes)	MD5: 6dd73a9654139bb6529a72207ddfde0f SHA1: bd67f636d12ed1c4cff28f6a9a84e28b97d7f1a5 SHA256: 42220eec08a393cd359ec79cb610d2a845926b8d8119eb505276564aa25698c9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\oxl.ico	0.51 KB (520 bytes)	MD5: 22c528e901375639d3a014f6fe12ed43 SHA1: 74f6a3c188759980c3e7dc9de94642f86a18fb59 SHA256: 1af85ae13aa9aa6114ec4c03cfd840fb8222eeceb611aac530411979bd9bede9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fun.mp4	0.62 KB (633 bytes)	MD5: 41db425bddeb6edff3829ede53e4b059 SHA1: 8355713e8ff5b27cc72f2a784d597be7d02e3c26 SHA256: 668dff85c71ac5142e3105426be365b7834e1dd8e3e0043674a272af26138f35	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fqv.xl	0.55 KB (567 bytes)	MD5: 2a8d81d0726edc11e6e4f75207fee58c SHA1: 041b9554b7a23b86240e82c0c18e0c34cfdd4ae1 SHA256: bc2d0c9ff398b2883465e9c5963d0a8933b034ae43f6002481f674b5ade6c839	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hgu.ico	0.56 KB (569 bytes)	MD5: e9a2566e0a5296cf122c7089e0558baf SHA1: e7d3001b6b6ebf6928e942f4c8343f4f551e0284 SHA256: 418946d3f5ab5a04d537045108c4e8db6dcb48bb465e2d0a01f91723b7948e49	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\brh.ppt	0.58 KB (597 bytes)	MD5: fda5e079dbe06cc05c59ba4e27fa48c2 SHA1: 88181205ec8323e457d5bcd4e7a03cea28ad47c7 SHA256: 75cfe292e1d9d6bd3bdadfe1ce6bef7a57bfc2a6bb7ce6fecd497bf4ec583c37	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xqa.mp4	0.54 KB (551 bytes)	MD5: d46dd879f8205faa467df9c9a0019a9d SHA1: 25631b0a07e69d1dc8e93e5e51946a27f98d2b17 SHA256: aa93b72e74034ed72878672e776fbe7fa55e93f78e485a337cbeae4bd18f4917	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jub.bmp	0.56 KB (574 bytes)	MD5: 81932b74d719d9feaee98fd12634ac5b SHA1: a7283637bc88dacb689b39cebfc28a91e32f1e03 SHA256: 1c9ccc3a409e293eadbb70410de3c3405da55ceb47d36a639054b6f5c10a3c91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jgu.bmp	0.52 KB (532 bytes)	MD5: 2a84b8aefabec88301c0f50f7cfb46f6 SHA1: e4b2c15448b6dace8cfa8227784b3f9396a2f498 SHA256: ef754e4a3efc638823684023ef2ddbbcdaf1354c290e4c33ef394df4c2a8d2ca	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tik.icm	0.54 KB (550 bytes)	MD5: 74efb6a98e74a829daafef9945004dca SHA1: c5102cd3b0d7602f51099a27657b37a3bf787561 SHA256: bf1ab35f7bd5d5fc365d2c176bb5c5374e578b8424ed0fde82f55d1eae1d350d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wjv.pdf	0.53 KB (539 bytes)	MD5: 1474405a725bc37f9fea9479c11a78bf SHA1: b57f9f373b5323f3b701bf350fd98cf8a827b3ff SHA256: d83ec42f0ff63cf14851f789e85f2dc33d76cb4c2409e1488f7474df2086033f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nvl.xl	0.51 KB (526 bytes)	MD5: 90ca387ad342c41ae796173d560ccf84 SHA1: eb03b500bbf683a889c4758d228b55cedddd4c30 SHA256: 0ecf3eb5d0f794e7e32a941580da8641bff3bf248a68df43a35ae16d77eda192	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xfg.dat	0.51 KB (520 bytes)	MD5: c82da2a4e862c90a2d961098b1d64956 SHA1: 7edf516e6c807d8fa5aa912e23d9460721769207 SHA256: db7f2a223fef17affd13a518ac21c7675942bd475bc416dd78c7c6c186548b64	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\aqa.bmp	0.54 KB (557 bytes)	MD5: f8b9deca33aba33d64623f47e7c88855 SHA1: a70b7a6327133486d04d4d3c57bd8930a3e3a698 SHA256: 449952af1c2bd2a2e1878b3a81044793305185a7d27f0066521645906a5040c7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnj.mp3	0.53 KB (547 bytes)	MD5: 6effc77853a885dd155870e04545880b SHA1: 98ebfdb5b3ef2c2db538a290a0a26bc6cf885916 SHA256: 89b82044c02980606c7d6b39aa2cf08b66ca0db7e1b5ad23a7c0d64e056340d2	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\eff.icm	0.51 KB (522 bytes)	MD5: c2f588f89c85d3c2c97e128f27234f2c SHA1: b2b64e8b77e831f3a16fdd1da61f8f64f514b19e SHA256: 1e8e0cc104f8c880f3a6d312f6bdc99c5f3f4fd3ee081eee7e2534ed511209fd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\isi.xl	0.50 KB (507 bytes)	MD5: 469067bf5a94e9002cf154a81f397c6a SHA1: 737b86b50e3998052920f02bde3ad487743f1a6a SHA256: 6b418ce9673895fb76b32b67faf05073e577444d82bf42ff21733e1f057c3d60	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\upe.mp3	0.56 KB (578 bytes)	MD5: 62bd082578b0e38bc2b6b731b4a5ec49 SHA1: 3f6c8024888bf3caa19e6ad7db4a8f29859bdaa9 SHA256: 00a79f22f8ed82f6ea362254d04578bfa498dfed0d2ab8f733e6fbace1c2c078	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fpo.xl	0.57 KB (581 bytes)	MD5: ff594e995d9f6268a047cc2e269eb2b9 SHA1: a0a8692e4560d122d0dd359157544b32fdc57cd0 SHA256: 6cc6a2d2a8196b938e5e332df30d025374d6c98a18c5e707021141966203d7e1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wlk.pdf	0.52 KB (536 bytes)	MD5: 747d40f9300dbb3ba36d7310b5ee40da SHA1: 90d715455eb32004107a92bf810df71371ed4047 SHA256: cef051d14bcbc14e12f9d130f71e8b285b37117cd20c23678419b9ab8659300d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nlb.pdf	0.53 KB (541 bytes)	MD5: a49efa6c9f872faad2232a4b6a2394a7 SHA1: c8dff7972de40ab025314a8c74b5bb8e1552170e SHA256: 97b1b6f6884f0f92342576a9667c5cb3c1b61fabc8a0b1b23d1f57582b0624d3	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\emv.bmp	0.50 KB (511 bytes)	MD5: 04f1e686525064abfdb4bfd7ff29a0b5 SHA1: 47748ea5978245b49c8136d9e147059afeb06ffe SHA256: 8e3de8ce80c00091cb1aaa93f590226c7ac53a509926cdd815301237dd8e9e1b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\raq.jpg	0.50 KB (514 bytes)	MD5: e5d188010c3203e2d37d4225d6cae53b SHA1: 430d4c308efdb225a74e10d3facefa8e44252be1 SHA256: 93846c06cef1c5515a1f78e95c040be5c75d3b6c78bf6438cf12fd7345d3c1c8	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nep.mp4	0.58 KB (589 bytes)	MD5: 498138dfbfbe52214e73e9c1141aa981 SHA1: bc7166b6abe72bb216d77d48185330668186bb88 SHA256: b1b69fb21d93d6bae3fbcf8338aa66ee2791362ec5f918bd9dc45c1c14d4749c	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\neo.ico	0.54 KB (551 bytes)	MD5: a128399da3f11bda3f2164a97cb2b531 SHA1: 0d00f9e17e6445805ef34c8fdb68fe8e38ab4868 SHA256: dcf09d4181263a2a3b0787085f7b8dc8913245c0d6ac535e16f8a77ba17ecc91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wxv.mp4	0.51 KB (526 bytes)	MD5: 924bdfca849290fd510d72a39da75d43 SHA1: b5c18c00e3596b8a87d068f67e59f46aba6509da SHA256: b32f0a65698effe8c62e482bf9b6aec6f5fd496d52da525dca2078988956d3d9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\beb.ppt	0.52 KB (530 bytes)	MD5: afcc6587b4839826588ae54512851ef8 SHA1: e55525356075eba71766e12d7db9d67ef4cdd8cc SHA256: 5fdfa5c8afbda02553bbf95969ca4434c57456b4e51a56330fddd770d9f84277	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\als.txt	0.50 KB (512 bytes)	MD5: a81eeaae706a9e8ab123d3ed140d837e SHA1: 3f0feac929dd6f1f5776298da84a14298f12cb10 SHA256: 169b9a0889e98c8e239c472e3041fccb2433c668f269782b28c74648c5135ba7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jkg.txt	0.57 KB (588 bytes)	MD5: 0f7278aeb0c194405013a9963334e38c SHA1: 2b7dab89793af056f56e84b9a1040c2c3e01f5a9 SHA256: 0c9293277fd0325971a2cf297d88460ad8df83d40f09f947fb36a50c59ad9c31	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\idv.xl	0.54 KB (550 bytes)	MD5: 307fe5bd3f52c0aefb503401e2b08505 SHA1: 67ef51104877c6e6ca67e868b2a5d589e415a255 SHA256: 79bb5d0d7e6e403335b863935f832da481a550f7174e77f56a112d5a1f7bff8f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\erk.ico	0.56 KB (576 bytes)	MD5: 0a5b38cbc77ff6bfd9ca434eb372e88e SHA1: a093894e555294518d98937f61e1eac26298539b SHA256: a3cc42516891627a6ff9dcc5dcca3a4deaefbbf2f9a5411a644a34242b57f6f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jfo.dat	0.54 KB (556 bytes)	MD5: faf4d8efca05d9b305d0970a8417274c SHA1: 847aff73ea3889518231b2a8e5aa2befd843f48b SHA256: 4f081e6dfab65d9c1910303f41fafac0e3652e2af3713140d8cc30d79aed912e	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\pac.ppt	0.55 KB (564 bytes)	MD5: bc062df0b1cf65138efbd74028d417ee SHA1: 4e3254580fc0eea7fcd2daa270b5e94e7fca7560 SHA256: b007b3703bec0526df06de06a88e97f706f09554ac2eb930cad38a80a3c663f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\okk.pdf	0.53 KB (538 bytes)	MD5: 7c65637227835e997638cdbbdda237db SHA1: ddd80c708a202210df0c6bab2d53fad31510c77a SHA256: 26f1259b8d53d6b4a43da7ebf431f4aff6617bbad13a188e9b4f534e21fd94b5	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\dxj.docx	0.64 KB (651 bytes)	MD5: 1690024ca4904bc8664deb3b5c046a09 SHA1: d78d488168c4a91dfb4883107bb0b344e47f6103 SHA256: dc2a1291b72a6b56d6acf1a4d52278ff82a9ac18d20f650d7bf1c1527a0675d1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tob.ico	0.56 KB (575 bytes)	MD5: 5d4a58ea600887506e113f87226108a7 SHA1: 6fd6c6d7b08df98858f8cd8bab2a8ddbaef39b78 SHA256: f6b0188a75c7fa2bcc06eb7d5de15a84facab9b2e2cc8d54aa7708833888d49b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\guv.xl	0.54 KB (550 bytes)	MD5: df21088736f29414e1aeacbea6dd4adb SHA1: 2444bd270127ae12148eaf048fe82021f5580952 SHA256: 0bb6caa082e474fd47bdb620aa88536820e95f84cef92dcbda4fb686f29b3c3a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hjd.mp4	0.53 KB (543 bytes)	MD5: ce4596068d05d9436fa2512cfe90a81a SHA1: 4e209aede4adcee82bb4a8008291069a3a558f5c SHA256: 54f750492edac60c64348bf5131e7ec5c2e60aa796d80194b673b9e632c9c9cd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ain.icm	0.52 KB (532 bytes)	MD5: d997ac87e2adca0fe86fb0ba4a628299 SHA1: 14cae556c130ac9c5fa65168e9680893a4c73899 SHA256: c4a221aabd4c8dbc1ba62bd28e79af98b2e7a2c5d624c5f5c889352499bb47af	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ugv.icm	0.54 KB (549 bytes)	MD5: a8ca3dd1e20cbeba4c51df819b7bb68e SHA1: 36d2b3b494d42d9958553cad17fa04819dfa2883 SHA256: d7820ee70bff4ff3f6922ab56d97c88aa79eb8591311d3a6c58b33c1c289d14a	File Actions Show Properties Download

Threads

Thread 0xa04

(Host: 4145, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetDllDirectoryW, address_out = 0x76a6c7cf	1	Fn
File	Add Search Path		1	Fn
Environment	Set Environment String	name = sfxcmd, value = "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1024	1	Fn
Environment	Set Environment String	name = sfxname, value = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	1	Fn
Module	Get Handle	module_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, base_address = 0x400000	1	Fn
Module	Load	module_name = riched32.dll, base_address = 0x72980000	1	Fn
Module	Load	module_name = riched20.dll, base_address = 0x6d740000	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 8192, size_out = 8192	12	Fn Data
Module	Get Handle	module_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, base_address = 0x400000	1	Fn
Window	Find	window_name = 0, class_name = EDIT	1	Fn
File	Create	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1048560, size_out = 934137	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	2	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 6, size_out = 6	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 28, size_out = 28	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 28, size_out = 28	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 2708, size_out = 2708	1	Fn Data
System	Get Time	type = Ticks, time = 52868	2	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 52868	2	Fn
File	Create Directory	C:	1	Fn
File	Create Directory	C:\Users	1	Fn
File	Create Directory	C:\Users\EEBsYm5	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData\Local	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525	1	Fn
System	Get Time	type = Ticks, time = 52931	1	Fn
File	Create	filename = __tmp_rar_sfx_access_check_18052931, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Delete	filename = __tmp_rar_sfx_access_check_18052931	1	Fn
Window	Set Attribute	index = 18446744073709551600, new_long = 1342341248	1	Fn
File	Create	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1048560, size_out = 934137	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	2	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 6, size_out = 6	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 28, size_out = 28	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
System	Get Time	type = System Time, time = 2017-10-04 02:23:35 (UTC)	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 28, size_out = 28	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = hin.ppt, type = file_attributes	1	Fn
File	Create	filename = hin.ppt, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = hin.ppt, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32768, size_out = 32768	1	Fn Data
System	Get Time	type = Ticks, time = 53024	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53024	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53024	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53024	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 10894, size_out = 10894	1	Fn Data
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53040	1	Fn
File	Write	filename = hin.ppt, size = 771181	1	Fn Data
System	Get Time	type = Ticks, time = 53055	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = cvn-nhc, type = file_attributes	1	Fn
File	Create	filename = cvn-nhc, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = cvn-nhc, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 9115, size_out = 9115	1	Fn Data
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53071	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53087	1	Fn
File	Write	filename = cvn-nhc, size = 3022508	1	Fn
System	Get Time	type = Ticks, time = 53149	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = cih.exe, type = file_attributes	1	Fn
File	Create	filename = cih.exe, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = cih.exe, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32768, size_out = 32768	1	Fn Data
System	Get Time	type = Ticks, time = 53196	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53196	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53196	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53196	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 32736, size_out = 32736	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 5087, size_out = 5087	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53211	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 65536	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 2560	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 1792	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 5888	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 768	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 37632	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 2560	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 8960	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 1536	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 256	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 1024	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 28672	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 1024	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 95232	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 1024	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 512	1	Fn Data
System	Get Time	type = Ticks, time = 53227	1	Fn
File	Write	filename = cih.exe, size = 7168	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Write	filename = cih.exe, size = 16896	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Write	filename = cih.exe, size = 4864	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Write	filename = cih.exe, size = 7664	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = jdl.jpg, type = file_attributes	1	Fn
File	Create	filename = jdl.jpg, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = jdl.jpg, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 476, size_out = 476	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Write	filename = jdl.jpg, size = 593	1	Fn Data
System	Get Time	type = Ticks, time = 53243	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 36, size_out = 36	1	Fn Data
File	Get Info	filename = vqm.xl, type = file_attributes	1	Fn
File	Create	filename = vqm.xl, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = vqm.xl, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 427, size_out = 427	1	Fn Data
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Write	filename = vqm.xl, size = 525	1	Fn Data
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = bcu.mp4, type = file_attributes	1	Fn
File	Create	filename = bcu.mp4, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = bcu.mp4, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 425, size_out = 425	1	Fn Data
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Write	filename = bcu.mp4, size = 521	1	Fn Data
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = rnr.mp3, type = file_attributes	1	Fn
File	Create	filename = rnr.mp3, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = rnr.mp3, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 452, size_out = 452	1	Fn Data
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53258	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Write	filename = rnr.mp3, size = 556	1	Fn Data
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 7, size_out = 7	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 37, size_out = 37	1	Fn Data
File	Get Info	filename = cvg.mp4, type = file_attributes	1	Fn
File	Create	filename = cvg.mp4, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = cvg.mp4, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 411, size_out = 411	1	Fn Data
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Read	filename = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 0, size_out = 0	1	Fn
System	Get Time	type = Ticks, time = 53274	1	Fn
File	Write	filename = cvg.mp4, size = 505	1	Fn Data
System	Get Time	type = Ticks, time = 53274	1	Fn
For performance reasons, the remaining 3040 entries are omitted. The remaining entries can be found in glog.xml.

Process #2: cih.exe

(Host: 256, Network: 0)

Information	Value
ID	#2
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	"C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" cvn-nhc
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa20
Parent PID	0xa00 (c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A24 0x A28 0x A2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x0048ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00490000	0x004f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x006aefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x006b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x007f0000	0x0084bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x007f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000810000	0x00810000	0x0088ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000890000	0x00890000	0x0089ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000890000	0x00890000	0x00896fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x008a6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000980000	0x00980000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000aa0000	0x00aa0000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000ea0000	0x00ea0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c10000	0x01c10000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01df0000	0x020befff	Memory Mapped File	Readable	Region Actions
private_0x00000000020e0000	0x020e0000	0x024dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000024e0000	0x024e0000	0x028d2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002fc0000	0x02fc0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003000000	0x03000000	0x031fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003310000	0x03310000	0x0341ffff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\60484525\iwlwk	271.35 KB (277864 bytes)	MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3 SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0 SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb		File Actions Show Properties Download

Threads

Thread 0xa24

(Host: 154, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-04 02:23:36 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 54132	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76a31f61	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76a24785	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt	1	Fn
Module	Load	module_name = uxtheme.dll, base_address = 0x73dc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\uxtheme.dll, function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Debug	Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 65536	46	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 8772	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 53248, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 20	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 61440, size_out = 0	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 65536	46	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 7852	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 0	1	Fn
Window	Create	window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Window	Create	window_name = 0, class_name = edit, wndproc_parameter = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = sK, data_out = 228	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = sN, data_out = rpi.qcn	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 65536	12	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 50285	1	Fn Data
System	Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProc, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProcA, address_out = 0x755d2bd3	1	Fn
File	Get Info	filename = ., type = file_attributes	1	Fn
File	Get Info	filename = ain.icm, type = file_attributes	1	Fn
File	Get Info	filename = als.txt, type = file_attributes	1	Fn
File	Get Info	filename = aqa.bmp, type = file_attributes	1	Fn
File	Get Info	filename = bcu.mp4, type = file_attributes	1	Fn
File	Get Info	filename = beb.ppt, type = file_attributes	1	Fn
File	Get Info	filename = brh.ppt, type = file_attributes	1	Fn
File	Get Info	filename = chm.docx, type = file_attributes	1	Fn
File	Get Info	filename = cih.exe, type = file_attributes	1	Fn
File	Get Info	filename = cvg.mp4, type = file_attributes	1	Fn
File	Get Info	filename = cvn-nhc, type = file_attributes	1	Fn
File	Get Info	filename = dxj.docx, type = file_attributes	1	Fn
File	Get Info	filename = eff.icm, type = file_attributes	1	Fn
File	Get Info	filename = emv.bmp, type = file_attributes	1	Fn
File	Get Info	filename = erk.ico, type = file_attributes	1	Fn
File	Get Info	filename = fpo.xl, type = file_attributes	1	Fn
File	Get Info	filename = fqv.xl, type = file_attributes	1	Fn
File	Get Info	filename = fun.mp4, type = file_attributes	1	Fn
File	Get Info	filename = guv.xl, type = file_attributes	1	Fn
File	Get Info	filename = hgu.ico, type = file_attributes	1	Fn
File	Get Info	filename = hin.ppt, type = file_attributes	1	Fn
File	Get Info	filename = hjd.mp4, type = file_attributes	1	Fn
File	Get Info	filename = idv.xl, type = file_attributes	1	Fn
File	Get Info	filename = isi.xl, type = file_attributes	1	Fn
File	Get Info	filename = jdl.jpg, type = file_attributes	1	Fn
File	Get Info	filename = jfo.dat, type = file_attributes	1	Fn
File	Get Info	filename = jgu.bmp, type = file_attributes	1	Fn
File	Get Info	filename = jkg.txt, type = file_attributes	1	Fn
File	Get Info	filename = jub.bmp, type = file_attributes	1	Fn
File	Get Info	filename = neo.ico, type = file_attributes	1	Fn
File	Get Info	filename = nep.mp4, type = file_attributes	1	Fn
File	Get Info	filename = nlb.pdf, type = file_attributes	1	Fn
File	Get Info	filename = nvl.xl, type = file_attributes	1	Fn
File	Get Info	filename = okk.pdf, type = file_attributes	1	Fn
File	Get Info	filename = oxl.ico, type = file_attributes	1	Fn
File	Get Info	filename = pac.ppt, type = file_attributes	1	Fn
File	Get Info	filename = raq.jpg, type = file_attributes	1	Fn
File	Get Info	filename = rnj.mp3, type = file_attributes	1	Fn
File	Get Info	filename = rnr.mp3, type = file_attributes	1	Fn
File	Get Info	filename = tik.icm, type = file_attributes	1	Fn
File	Get Info	filename = tob.ico, type = file_attributes	1	Fn
File	Get Info	filename = ugv.icm, type = file_attributes	1	Fn
File	Get Info	filename = upe.mp3, type = file_attributes	1	Fn
File	Get Info	filename = vqm.xl, type = file_attributes	1	Fn
File	Get Info	filename = vua.jpg, type = file_attributes	1	Fn
File	Get Info	filename = wjv.pdf, type = file_attributes	1	Fn
File	Get Info	filename = wlk.pdf, type = file_attributes	1	Fn
File	Get Info	filename = wxv.mp4, type = file_attributes	1	Fn
File	Get Info	filename = xfg.dat, type = file_attributes	1	Fn
File	Get Info	filename = xqa.mp4, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 0	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Process	Create	process_name = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, os_pid = 0xa30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL	1	Fn
Module	Get Handle	module_name = mscoree.dll, base_address = 0x0	1	Fn

Process #3: cih.exe

(Host: 371, Network: 0)

Information	Value
ID	#3
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa30
Parent PID	0xa20 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A34 0x A38 0x A3C 0x A40

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x006c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x006d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006e0000	0x006e0000	0x0077ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x006e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00706fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00711fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00730000	0x00730fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x00730fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000740000	0x00740000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x00780fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000790000	0x00790000	0x00790fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x0089efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008a0fff	Private Memory	Readable, Writable, Executable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x00980000	0x009dbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000980000	0x00980000	0x009fffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a00fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000a40000	0x00a40000	0x00e3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e40000	0x00e40000	0x01a3ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01a40000	0x01d0efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002630000	0x02630000	0x0273ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002740000	0x02740000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x02afcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ea0000	0x02ea0000	0x0329ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x0345cfff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Threads

Thread 0xa34

(Host: 134, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 54881	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76a31f61	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76a24785	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt	1	Fn
Module	Load	module_name = uxtheme.dll, base_address = 0x73dc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\uxtheme.dll, function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Debug	Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 65536	4	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 15800	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 49152, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 20	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 61440, size_out = 0	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 65536	4	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 15720	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, size = 65536, size_out = 0	1	Fn
Window	Create	window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Window	Create	window_name = 0, class_name = edit, wndproc_parameter = 0	1	Fn
System	Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	2	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	7	Fn
File	Get Info	filename = 60484525, type = file_attributes	2	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	7	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = msg	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = VM	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = SandBox	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = duac	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = drpt	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = btklr	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = taskmnrg	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = hSUps	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Key, data_out = WindowsUpdate	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = AuEx, data_out = cvn-nhc	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = ExEc, data_out = cih.exe	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	21	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	47	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	49	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	11	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Down	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Net	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = eof	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = RP, data_out = qkr.xul	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Keys, data_out = jom	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 65536	12	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 50285	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7694df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDeriveKey, address_out = 0x76983188	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x76983178	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	2	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = eof	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, type = file_attributes	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProcW, address_out = 0x755b1b3c	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	6	Fn
Module	Load	module_name = ntdll, base_address = 0x76fc0000	2	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, os_pid = 0xa4c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Load	module_name = ntdll, base_address = 0x76fc0000	1	Fn
Module	Unmap	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x400000, size = 4096	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x76fc0000	2	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x401000, size = 69632	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x76fc0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x412000, size = 24576	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x76fc0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x418000, size = 4096	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x76fc0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x419000, size = 4096	1	Fn Data
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Thread	Get Context	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0xa34	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x7ffd3008, size = 4	1	Fn Data
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Thread	Set Context	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0xa34	1	Fn
Module	Load	module_name = kernel32, base_address = 0x769e0000	1	Fn
Thread	Resume	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0xa34	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = fb	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = btkl	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	5	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	38	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	24	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	10	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	1	Fn
Module	Get Handle	module_name = mscoree.dll, base_address = 0x0	1	Fn

Process #4: regsvcs.exe

(Host: 274, Network: 39)

Information	Value
ID	#4
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:19, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:52

OS Process Information

Information	Value
PID	0xa4c
Parent PID	0xa30 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A50 0x A54 0x A58 0x A5C 0x A60 0x A64 0x A68 0x A74 0x A80 0x A84 0x A88 0x A8C 0x AC8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x002b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001580000	0x01580000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017b0000	0x017b0000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001960000	0x01960000	0x01a5ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a60000	0x01d2efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01efffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x020fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f00000	0x01f00000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x020effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020f0000	0x020f0000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x022bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002320000	0x02320000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002420000	0x02420000	0x0261ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002460000	0x02460000	0x0255ffff	Private Memory	Readable, Writable	Region Actions Download Dump
msvcp60.dll	0x6d750000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x6de10000	0x6de17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x6de20000	0x6de31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x6de50000	0x6de5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x714a0000	0x714a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73310000	0x73347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73670000	0x73676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x73690000	0x736abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x73890000	0x7389ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73c30000	0x73dbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x746f0000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74a90000	0x74ad3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74bd0000	0x74c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x7ffd3008, size = 4	1	Fn Data
Modify Control Flow	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	os_tid = 0xa50, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\roaming\chrome\logs.dat	0.02 KB (19 bytes)	MD5: 38182931074f70c4af328e12641acd51 SHA1: 96a8d3ad86aa0991ed7e8a0b89b1e3ea007d4327 SHA256: f05dd4eb5990bd9ca1497af17ab66595f92853535c1619748d316e09a4a1a126		File Actions Show Properties Download
c:\users\eebsym5\appdata\roaming\chrome\logs.dat	0.01 KB (13 bytes)	MD5: 4241be51b5abe777809dc6f32247a4a9 SHA1: 24df3e03dd8d4a0467a7887c9ce865f630f03725 SHA256: 6bf4b2ce4815a57a74e5314f7087bad520eeb4fadc849c3088b62e24ca7dea8c		File Actions Show Properties Download

Threads

Thread 0xa50

(Host: 38, Network: 11)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorInfo, address_out = 0x75604b31	1	Fn
Module	Load	module_name = User32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetLastInputInfo, address_out = 0x755b3834	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleWindow, address_out = 0x76a42787	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Mutex	Open	mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Mutex	Create	mutex_name = 34419-GRNPWA	1	Fn
Module	Load	module_name = Psapi.dll, base_address = 0x77100000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExA, address_out = 0x771015bc	1	Fn
Module	Load	module_name = Psapi.dll, base_address = 0x77100000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExW, address_out = 0x771013f0	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x76a18a2b	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76a24785	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExW, address_out = 0x76a20f04	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = IsUserAnAdmin, address_out = 0x759d44f5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x76a1602f	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = FR	1	Fn
System	Get Computer Name	result_out = cRh2YWu7, type = ComputerNameDnsHostname	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = jlux123.no-ip.biz	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = jluxi.dynu.com, address_out = 185.62.188.68	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = name, data = 180	1	Fn
System	Get Time	type = Ticks, time = 58281	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 485, size_out = 485	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 45	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 47	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000	1	Fn

Thread 0xa54

(Host: 8, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData\Roaming\chrome	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, size = 19	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn

Thread 0xa58

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000		1	Fn
Keyboard	Read	virtual_key_code = VK_CAPITAL, result_out = 0		5	Fn

Thread 0xa5c

(Host: 38, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
System	Get Clipboard	format = 1	1	Fn
System	Get Time	type = Ticks, time = 58515	2	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 59607	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 60621	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 61635	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 62650	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 63664	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 64678	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 65692	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 66706	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 67720	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 68734	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 69748	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 70762	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 71776	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 72790	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 73804	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 74818	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 75988	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn

Thread 0xa60

(Host: 33, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 1200000 milliseconds (1200.000 seconds)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value_name = Cookies, data = 37	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key3.db	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Cookies	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = FR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Thread 0xa64

(Host: 20, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD, data = 2636, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Mutex	Open	mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x76fc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x770069b8	1	Fn
Process	Create	process_name = C:\Windows\system32\svchost.exe, os_pid = 0xa6c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa64	1	Fn
Memory	Read	process_name = C:\Windows\system32\svchost.exe, address = 0x7ffd7008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\system32\svchost.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x400000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x401000, size = 69632	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x412000, size = 24576	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x418000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x419000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x7ffd7008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa64	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa64	1	Fn
System	Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Process	Open	desired_access = SYNCHRONIZE	1	Fn

Thread 0xa68

(Host: 19, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn

Thread 0xa80

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 58359		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 78, size_out = 78		1	Fn Data

Thread 0xa84

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = 1000 milliseconds (1.000 seconds)		18	Fn

Thread 0xa88

(Host: 86, Network: 20)

Category	Operation	Information	Count	Logfile
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 1000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 4808	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3244	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 9052	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3752	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3508	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 1452	2	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 1920	1	Fn Data
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x76fc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x770069b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", os_pid = 0xa90, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x7ffdb008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x401000, size = 172032	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x455000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x456000, size = 2048	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh", address = 0x7ffdb008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x76fc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x770069b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x7ffdb008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x401000, size = 54784	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x422000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x423000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu", address = 0x7ffdb008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x76fc0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x770069b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", os_pid = 0xaa0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x7ffdb008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x401000, size = 44032	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x41c000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x41d000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl", address = 0x7ffdb008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0xa88	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, size = 0, size_out = 0	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, size = 2, size_out = 2	1	Fn Data
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 57, size_out = 57	1	Fn Data
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = -1	1	Fn

Thread 0xa8c

(Host: 1, Network: 5)

Category	Operation	Information	Count	Logfile
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 48, size_out = 48	1	Fn Data
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Close		1	Fn

Thread 0xac8

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 68156		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 78, size_out = 78		1	Fn Data

Process #5: svchost.exe

(Host: 19, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa6c
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A70

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
svchost.exe	0x002b0000	0x002b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x0112ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001130000	0x01130000	0x0122ffff	Private Memory	Readable, Writable	Region Actions
msvcp60.dll	0x6d750000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73c30000	0x73dbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x7ffd7008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	os_tid = 0xa70, address = 0x77007098	1	Fn

Threads

Thread 0xa70

(Host: 19, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorInfo, address_out = 0x75604b31	1	Fn
Module	Load	module_name = User32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetLastInputInfo, address_out = 0x755b3834	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleWindow, address_out = 0x76a42787	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD, data = 2636, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Delete Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD	1	Fn
Mutex	Create	mutex_name = Mutex_RemWatchdog	1	Fn
Module	Get Filename	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, data = 169	1	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, type = size	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 45216, size_out = 45216	1	Fn Data
Process	Open	desired_access = SYNCHRONIZE	1	Fn

Process #6: regsvcs.exe

(Host: 1260, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa90
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A94 0x AB0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x00287fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rsaenh.dll	0x003c0000	0x003fbfff	Memory Mapped File	Readable	Region Actions
tzres.dll	0x003c0000	0x003c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00456fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00560fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000570000	0x00570000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x0081ffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x014f0000	0x017befff	Memory Mapped File	Readable	Region Actions
private_0x0000000001820000	0x01820000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
nss3.dll	0x01920000	0x01ad1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001920000	0x01920000	0x01a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01ff2fff	Pagefile Backed Memory	Readable	Region Actions
nss3.dll	0x6ce40000	0x6cff4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d0a0000	0x6d0eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d0b0000	0x6d0fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d0f0000	0x6d116fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d100000	0x6d116fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d120000	0x6d146fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d130000	0x6d146fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x6d150000	0x6d1b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6d590000	0x6d5b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6d5c0000	0x6d67dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6de40000	0x6de46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x6e640000	0x6e64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72970000	0x7297cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73840000	0x73853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 172032	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x455000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x456000, size = 2048	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xa94, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	0.00 KB (2 bytes)	MD5: f3b25701fe362ec84616a93a45ce9998 SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209		File Actions Show Properties Download

Threads

Thread 0xa94

(Host: 1037, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x76a22341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76d10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x76d227c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x76d227ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscat, address_out = 0x76d90ea6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x76d22804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = realloc, address_out = 0x76d1b10d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x76d1d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itow, address_out = 0x76d2019c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsupr, address_out = 0x76d1dac1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcslwr, address_out = 0x76d1fb25	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x76d1dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76d1c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memmove, address_out = 0x76d19e5a	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76d19894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = modf, address_out = 0x76d27551	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x76d206c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcstoul, address_out = 0x76d1b319	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76d19cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x76d28d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi64, address_out = 0x76d2062e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x76d28b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsrchr, address_out = 0x76d1a73f	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __wgetmainargs, address_out = 0x76d24e7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcmdln, address_out = 0x76db04dc	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x76d236aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x76d237d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsnicmp, address_out = 0x76d1aae3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x76d27975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscmp, address_out = 0x76d2d3b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x76d3eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x76d3de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x76d76ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x76d2d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi, address_out = 0x76d1c823	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsicmp, address_out = 0x76d1a9e9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x76d1aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x76d19910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscpy, address_out = 0x76d2d4f8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x76d19790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x76d243d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncat, address_out = 0x76d90ed9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snwprintf, address_out = 0x76d395d1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x76d3d770	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x76d7b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x76d7b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x76d2112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x76d1f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memchr, address_out = 0x76d2e134	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _gmtime64, address_out = 0x76d92936	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strftime, address_out = 0x76d91fd5	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x6d6c1739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateStatusWindowW, address_out = 0x6d6ea10f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\version.dll, base_address = 0x74660000	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoSizeW, address_out = 0x746619d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoW, address_out = 0x746619f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = VerQueryValueW, address_out = 0x74661b51	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wininet.dll, base_address = 0x76840000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindCloseUrlCache, address_out = 0x76888409	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindNextUrlCacheEntryW, address_out = 0x7687989c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindFirstUrlCacheEntryW, address_out = 0x7687978a	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameA, address_out = 0x76a33735	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x76a13530	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x76a34543	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AreFileApisANSI, address_out = 0x76a6f311	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x770077a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTime, address_out = 0x76a2ced8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFileEx, address_out = 0x76a4692f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x76a48868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76a32fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFileEx, address_out = 0x76a46947	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x76a2ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFile, address_out = 0x76a4642f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76a17f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7701a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceA, address_out = 0x76a3d7d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x76a2ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76a33891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFile, address_out = 0x76a46417	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x76a2bb92	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77019ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesExW, address_out = 0x76a2273d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76a2bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77007760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEndOfFile, address_out = 0x76a22319	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x76a33728	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesW, address_out = 0x76a42b37	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x76a2ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76a20273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x76a2cecb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FileTimeToLocalFileTime, address_out = 0x76a32004	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x76a20f62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileW, address_out = 0x76a167c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x76a2cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareFileTime, address_out = 0x76a313f3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76a33c01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76a2bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FileTimeToSystemTime, address_out = 0x76a31dfe	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x76a1f5b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryW, address_out = 0x76a3c13a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76a24680	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x76a29e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatW, address_out = 0x76a2afab	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x76a20f6f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageW, address_out = 0x76a254a3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameW, address_out = 0x76a16d1d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x76a23b1a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76a30e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x76a353b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x76a3374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatW, address_out = 0x76a2ac29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x76a364ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x76a204b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76a296fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76a33c26	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76a31400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceW, address_out = 0x76a23e61	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x76a1fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyW, address_out = 0x76a18bfa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x76a2d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x76a2984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToTzSpecificLocalTime, address_out = 0x76a1b149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76a24775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x76a18b33	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x76a2963a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingW, address_out = 0x76a20a7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MapViewOfFile, address_out = 0x76a2899b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnmapViewOfFile, address_out = 0x76a2db13	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DuplicateHandle, address_out = 0x76a2cdd9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x76a259d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringW, address_out = 0x76a17d32	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringW, address_out = 0x76a180eb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntW, address_out = 0x76a1775f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesW, address_out = 0x76a47e29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetErrorMode, address_out = 0x76a34a51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76a3214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryW, address_out = 0x76a37663	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x76a1fa35	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x76a1faca	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76a1f731	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageW, address_out = 0x755bcc61	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageW, address_out = 0x755b4104	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExW, address_out = 0x755b5894	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageW, address_out = 0x755bcde8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageW, address_out = 0x755adf8d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetKeyState, address_out = 0x755b2b4d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamW, address_out = 0x755c3b9b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorW, address_out = 0x755aed90	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x755b3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x755af2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextW, address_out = 0x755b612b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemInt, address_out = 0x755cec2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x755affa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextW, address_out = 0x755cebd4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextW, address_out = 0x755cecbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x755b54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExW, address_out = 0x755aec7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x755b558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendDlgItemMessageW, address_out = 0x755c70d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemInt, address_out = 0x755ced56	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x755d3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongW, address_out = 0x755b4449	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x755b566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsW, address_out = 0x755a976d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcW, address_out = 0x755b507d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x755b5539	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageW, address_out = 0x755b447b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassW, address_out = 0x755aed4a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxW, address_out = 0x755fea5f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorW, address_out = 0x755b667e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x755d6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPlacement, address_out = 0x755a7f78	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageW, address_out = 0x755b12eb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconW, address_out = 0x755af142	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongW, address_out = 0x755b61b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x755aabad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringW, address_out = 0x755d6528	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuRadioItem, address_out = 0x755c25df	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x755d446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x755c2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableWindow, address_out = 0x755a8d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x755b6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x755d6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x755b544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x755b5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameW, address_out = 0x755b2a29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x755d447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x755a8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamW, address_out = 0x755d5630	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringW, address_out = 0x755adfba	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextW, address_out = 0x755ab8c5	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuW, address_out = 0x755af214	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuW, address_out = 0x755d46c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoW, address_out = 0x755aaefa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x75550000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x75556a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x75556640	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77170000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76680000	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x759a0468	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	18	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = FirefoxProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = FirefoxInstallFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ChromeProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = OperaPasswordFile	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	2	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	24	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	26	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	61	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	92	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7694e124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7694df7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7694df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x769871c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76987941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76987381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x72970000	1	Fn
Module	Get Address	module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7297526c	1	Fn
Module	Load	module_name = vaultcli.dll, base_address = 0x6e640000	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x6e6426a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x6e642718	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x6e643099	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x6e644321	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultGetInformation, address_out = 0x6e6424c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x6e643242	2	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = time	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x6ce40000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6cefd70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6cefd13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x6ce93c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x6ce93333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6ce7cbc4	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6ce7d3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x6ce900a7	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\sqlite3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\mozsqlite3.dll, type = file_attributes	1	Fn
Module	Get Handle	module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x6ce40000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x6cfa1ca0	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x6cf2ce70	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x6cf95200	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x6cf4d400	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x6cf4d3a0	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x6cf4d3d0	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x6cf79f60	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x6cf7bde0	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x6cf7a270	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x6ce40000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6cefd70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6cefd13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x6ce93c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x6ce93333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x6ce7cbc4	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6ce7d3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x6ce900a7	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = psapi.dll, base_address = 0x77100000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleBaseNameW, address_out = 0x7710152c	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77101408	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExW, address_out = 0x771013f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcesses, address_out = 0x77101544	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleInformation, address_out = 0x77101420	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessTimes, address_out = 0x76a1f626	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft analysis services\ind-licenses-manual-nickel.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\ind-licenses-manual-nickel.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Windows Mail\handed.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows photo viewer\pokemon_limousines_alternate.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\pokemon_limousines_alternate.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft visual studio 8\salvation_sure_perspective_ranges.exe, file_name_orig = C:\Program Files\Microsoft Visual Studio 8\salvation_sure_perspective_ranges.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft sync framework\possessionschooldeterminedgamma.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\possessionschooldeterminedgamma.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\common files\surfing.exe, file_name_orig = C:\Program Files\Common Files\surfing.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\uninstall information\fred_delays.exe, file_name_orig = C:\Program Files\Uninstall Information\fred_delays.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows portable devices\voice-moore-yemen.exe, file_name_orig = C:\Program Files\Windows Portable Devices\voice-moore-yemen.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\google\north comp.exe, file_name_orig = C:\Program Files\Google\north comp.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows journal\remote_costa_security.exe, file_name_orig = C:\Program Files\Windows Journal\remote_costa_security.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows sidebar\demonstrate-brandon-pa.exe, file_name_orig = C:\Program Files\Windows Sidebar\demonstrate-brandon-pa.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows mail\dsc_meaning.exe, file_name_orig = C:\Program Files\Windows Mail\dsc_meaning.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\mozilla maintenance service\medieval-ranges-san-delhi.exe, file_name_orig = C:\Program Files\Mozilla Maintenance Service\medieval-ranges-san-delhi.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows journal\genderwriters.exe, file_name_orig = C:\Program Files\Windows Journal\genderwriters.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\mozilla firefox\mileage-act.exe, file_name_orig = C:\Program Files\Mozilla Firefox\mileage-act.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows media player\variables except besides.exe, file_name_orig = C:\Program Files\Windows Media Player\variables except besides.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft sync framework\blind-ratio.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\blind-ratio.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\mobsync.exe, file_name_orig = C:\Windows\System32\mobsync.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe	1	Fn
File	Get Info	filename = C:\Program Files\Sea Monkey\nss3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_READ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
For performance reasons, the remaining 37 entries are omitted. The remaining entries can be found in glog.xml.

Process #7: regsvcs.exe

(Host: 340, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa98
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A9C 0x AA8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x00397fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x003b0000	0x003b0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00423fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00530fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00680000	0x006bbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000740000	0x00740000	0x0083ffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001500000	0x01500000	0x015fffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01600000	0x018cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000018d0000	0x018d0000	0x01aeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000018d0000	0x018d0000	0x019cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001900000	0x01900000	0x019fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ab0000	0x01ab0000	0x01aeffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001af0000	0x01af0000	0x01ee2fff	Pagefile Backed Memory	Readable	Region Actions
msvcp100.dll	0x6ced0000	0x6cf38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6cf40000	0x6cffdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x6d000000	0x6d1b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d5b0000	0x6d5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d600000	0x6d616fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d620000	0x6d646fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6d650000	0x6d671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 54784	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x422000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x423000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xa9c, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\widfu	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Threads

Thread 0xa9c

(Host: 338, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x76a22341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76d10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76d19894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strupr, address_out = 0x76d2d49e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcslwr, address_out = 0x76d1fb25	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x76d1d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsnicmp, address_out = 0x76d1aae3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncmp, address_out = 0x76d1b443	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x76d1f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x76d2112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x76d7b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x76d7b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x76d237d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x76d236aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _acmdln, address_out = 0x76db04d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strrchr, address_out = 0x76d1dbae	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76d1c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x76d1dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _ultoa, address_out = 0x76d61822	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76d19cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x76d206c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x76d28b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsnbicmp, address_out = 0x76d73480	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsrchr, address_out = 0x76d28e5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snprintf, address_out = 0x76d3fa7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x76d19790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strnicmp, address_out = 0x76d20578	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x76d1aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x76d2d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x76d3eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = sprintf, address_out = 0x76d2d354	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = atoi, address_out = 0x76d1dbe0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x76d27975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __getmainargs, address_out = 0x76d22bc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strcmpi, address_out = 0x76d1db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsicmp, address_out = 0x76d29238	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x76d76ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x76d3de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbscmp, address_out = 0x76d383c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x76d243d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itoa, address_out = 0x76d34218	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x76d28d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strtoul, address_out = 0x76d2012e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x76d19910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscpy, address_out = 0x76d2d4f8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcat, address_out = 0x76d28d75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncat, address_out = 0x76d40909	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x76d227c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x76d227ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x76d22804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x76d3d770	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 6, address_out = 0x6d6ea14c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x6d6c1739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76a2903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76a3214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareFileTime, address_out = 0x76a313f3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVolumeInformationA, address_out = 0x76a441aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringA, address_out = 0x76a1d8d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntA, address_out = 0x76a1dc43	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesA, address_out = 0x76a45a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringA, address_out = 0x76a3d763	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x76a16ba9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemDirectoryA, address_out = 0x76a28fc5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x76a45d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x76a6f33b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceA, address_out = 0x76a2a05b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesA, address_out = 0x76a6cb42	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x76a1fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoA, address_out = 0x769e1e10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x76a2984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76a31400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76a3395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x76a2ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x76a2ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x76a1c1de	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x76a20f1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x76a1c1b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x76a259d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76a20273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFreeEx, address_out = 0x76a1c1ee	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x76a1733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76a333f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x76a29e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76a2a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExA, address_out = 0x76a247fa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x76a32d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76a2bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x76a20f6f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameA, address_out = 0x76a4695f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76a30e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x76a33861	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x76a48868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76a296fb	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CopyRect, address_out = 0x755b4ad9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExA, address_out = 0x755cae60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageA, address_out = 0x755b2e32	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageA, address_out = 0x755b1899	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageA, address_out = 0x755c2019	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetFocus, address_out = 0x755b3a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageA, address_out = 0x755ac091	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextA, address_out = 0x755a6eed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoA, address_out = 0x755a856a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x755b3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageA, address_out = 0x755aad60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorA, address_out = 0x755a8328	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxA, address_out = 0x755fea11	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextA, address_out = 0x755c707a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextA, address_out = 0x75603d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextA, address_out = 0x755d0c5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x755d3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExA, address_out = 0x755abf40	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x755b558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassA, address_out = 0x755abc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x755affa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageA, address_out = 0x755ab446	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x755d6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x755af2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsA, address_out = 0x755cae02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcA, address_out = 0x755abb1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorA, address_out = 0x755d133f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconA, address_out = 0x755a64ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongA, address_out = 0x755aa95e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongA, address_out = 0x755a8ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x755b566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x755aabad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapDialogRect, address_out = 0x755d347a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetRect, address_out = 0x755b498b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x755d447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x755b544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x755b5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x755a8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x755b54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringA, address_out = 0x75603a16	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x755c2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameA, address_out = 0x755d2445	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x755d446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageA, address_out = 0x755c7779	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x755d6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuA, address_out = 0x755bf92c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x755b6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringA, address_out = 0x755a66a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamA, address_out = 0x755c1f42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuA, address_out = 0x75603ae0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamA, address_out = 0x755ecf42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x75550000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x75556640	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetTextColor, address_out = 0x75556906	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateFontIndirectA, address_out = 0x7555d22d	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkMode, address_out = 0x755569b1	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = DeleteObject, address_out = 0x75555f14	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetTextExtentPoint32A, address_out = 0x755607b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x75556a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77170000	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetSaveFileNameA, address_out = 0x771aa353	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76954907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76951481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x769548ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x7696a299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7695468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDeleteKeyA, address_out = 0x7696a8b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueA, address_out = 0x7694cf49	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7696a4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueW, address_out = 0x769548cc	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7695469d	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetPathFromIDListA, address_out = 0x75aa1c24	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetMalloc, address_out = 0x759a0602	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHBrowseForFolderA, address_out = 0x75bcdc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75bc7078	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76680000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7669b636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x766c86d3	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x76954304	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x7695404a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x7695418e	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ	1	Fn
File	Get Info	filename = trillian, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\.gaim, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\.purple, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Miranda, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Miranda	1	Fn
File	Get Info	type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder2	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder3	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder4	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder5	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder6	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadW, address_out = 0x769872a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x751c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x751f5a7f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	2	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadW, address_out = 0x769872a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76a23ea8	1	Fn
Debug	Check for Presence	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AIM\AIMPRO	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners	1	Fn
System	Get Computer Name	result_out = CRH2YWU7	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Paltalk	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = time	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Load	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x6d000000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6d0bd70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6d0bd13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x6d053c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x6d053333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6d03d3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x6d0500a7	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.txt, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons2.txt, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons3.txt, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7694e124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7694df7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7694df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\widfu, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn

Process #8: regsvcs.exe

(Host: 430, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xaa0
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AA4 0x AC4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00337fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x0041dfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000500000	0x00500000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00700fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007f0000	0x007f0000	0x007fffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000014f0000	0x014f0000	0x015effff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x015f0000	0x018befff	Memory Mapped File	Readable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72970000	0x7297cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73840000	0x73853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 44032	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x41c000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x41d000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xaa4, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\zljxukhl	0.46 KB (469 bytes)	MD5: b2912991f1be1bdf15ea7028328cc3bf SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5 SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114		File Actions Show Properties Download

Threads

Thread 0xaa4

(Host: 428, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x76a22341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x76d10000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memmove, address_out = 0x76d19e5a	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x76d1aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x76d2d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itoa, address_out = 0x76d34218	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x76d1d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncmp, address_out = 0x76d1b443	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snprintf, address_out = 0x76d3fa7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsrchr, address_out = 0x76d28e5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsnbicmp, address_out = 0x76d73480	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x76d1f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x76d2112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x76d7b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x76d7b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x76d237d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strnicmp, address_out = 0x76d20578	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _acmdln, address_out = 0x76db04d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __getmainargs, address_out = 0x76d22bc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x76d1c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x76d206c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x76d19cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strrchr, address_out = 0x76d1dbae	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _stricmp, address_out = 0x76d1db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x76d19894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = modf, address_out = 0x76d27551	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x76d27975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strtoul, address_out = 0x76d2012e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x76d19910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = sprintf, address_out = 0x76d2d354	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsicmp, address_out = 0x76d29238	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = atoi, address_out = 0x76d1dbe0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strcmpi, address_out = 0x76d1db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x76d243d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x76d28b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x76d236aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsstr, address_out = 0x76d1bf71	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x76d3de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbscmp, address_out = 0x76d383c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x76d1dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x76d76ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncat, address_out = 0x76d40909	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x76d3eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcat, address_out = 0x76d28d75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _ultoa, address_out = 0x76d61822	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x76d28d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x76d19790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x76d227c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x76d227ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x76d22804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x76d3d770	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x6d6c1739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 6, address_out = 0x6d6ea14c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\rpcrt4.dll, base_address = 0x76ac0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\rpcrt4.dll, function = UuidFromStringA, address_out = 0x76ac7348	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x769e0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x76a1733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76a2903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x76a3214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x76a259d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntA, address_out = 0x76a1dc43	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesA, address_out = 0x76a45a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringA, address_out = 0x76a3d763	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x76a16ba9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76a20273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x76a29e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceA, address_out = 0x76a2a05b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x76a2984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesA, address_out = 0x76a6cb42	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x76a1fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoA, address_out = 0x769e1e10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringA, address_out = 0x76a1d8d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x76a2ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76a31400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileSectionA, address_out = 0x76a678ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x76a3395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76a333f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x76a32d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x76a2a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x76a2bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExA, address_out = 0x76a247fa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameA, address_out = 0x76a4695f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76a30e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x76a48868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x76a45d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x76a296fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x76a33861	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x755a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameA, address_out = 0x755d2445	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageA, address_out = 0x755b1899	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageA, address_out = 0x755ac091	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageA, address_out = 0x755ab446	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetFocus, address_out = 0x755b3a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageA, address_out = 0x755b2e32	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExA, address_out = 0x755cae60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageA, address_out = 0x755c2019	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextA, address_out = 0x755a6eed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoA, address_out = 0x755a856a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamA, address_out = 0x755ecf42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x755af2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x755b3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorA, address_out = 0x755a8328	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x755d3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExA, address_out = 0x755abf40	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x755b566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemInt, address_out = 0x755cec2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginPaint, address_out = 0x755b5d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x755b54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindow, address_out = 0x755b2780	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextA, address_out = 0x755c707a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawFrameControl, address_out = 0x755cb4f9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextA, address_out = 0x75603d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendDlgItemMessageA, address_out = 0x755c7241	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextA, address_out = 0x755d0c5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x755b558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemInt, address_out = 0x755ced56	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndPaint, address_out = 0x755b5d42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcA, address_out = 0x755abb1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorA, address_out = 0x755d133f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxA, address_out = 0x755fea11	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassA, address_out = 0x755abc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x755affa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x755d6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsA, address_out = 0x755cae02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageA, address_out = 0x755aad60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconA, address_out = 0x755a64ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongA, address_out = 0x755aa95e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongA, address_out = 0x755a8ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x755aabad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x755c2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringA, address_out = 0x75603a16	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableWindow, address_out = 0x755a8d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageA, address_out = 0x755c7779	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x755d6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x755d446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x755b6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x755d447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x755b544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x755a8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x755b5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuA, address_out = 0x755bf92c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringA, address_out = 0x755a66a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamA, address_out = 0x755c1f42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuA, address_out = 0x75603ae0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x75550000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetTextColor, address_out = 0x75556906	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateFontIndirectA, address_out = 0x7555d22d	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkMode, address_out = 0x755569b1	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = DeleteObject, address_out = 0x75555f14	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetTextExtentPoint32A, address_out = 0x755607b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x75556a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x75556640	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77170000	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetOpenFileNameA, address_out = 0x771aa2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetSaveFileNameA, address_out = 0x771aa353	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = FindTextA, address_out = 0x771aacd6	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x7696a299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76951481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x769548ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76954907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDeleteKeyA, address_out = 0x7696a8b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7696a4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7695469d	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHBrowseForFolderA, address_out = 0x75bcdc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetPathFromIDListA, address_out = 0x75aa1c24	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetMalloc, address_out = 0x759a0602	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x75bc7078	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76680000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7669b636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoTaskMemFree, address_out = 0x766d6f41	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x766c86d3	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x6d6c0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75980000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Thunderbird, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x72970000	1	Fn
Module	Get Address	module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7297526c	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x751c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x751f5a7f	1	Fn
System	Get Computer Name	result_out = CRH2YWU7	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x769871c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76987941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76987381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}, value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 48, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 48, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 48, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Server, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Display Name, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Email, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Server, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x769871c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76987941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76987381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x751c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x751f5a7f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76940000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x769871c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7694b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76987941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76987381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76987481	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, size = 1734, size_out = 1734	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, size = 1506, size_out = 1506	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, size = 670, size_out = 670	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 50	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 2	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 30	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 52	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 35	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 27	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 24	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 26	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 27	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 29	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 25	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 50	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl, size = 2	2	Fn Data

Process #9: cih.exe

(Host: 162, Network: 0)

Information	Value
ID	#9
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	"C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:55, Reason: Autostart
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:16

OS Process Information

Information	Value
PID	0x750
Parent PID	0x608 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 754 0x 7EC 0x 158

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x006d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x006e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00706fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00711fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x00734fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x00744fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000760000	0x00760000	0x00b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b60000	0x00b60000	0x00c3efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00caffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00cb0000	0x00f7efff	Memory Mapped File	Readable	Region Actions
cih.exe	0x00fa0000	0x0106bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001070000	0x01070000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x01c70000	0x01ccbfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x01c70000	0x01ccbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d50000	0x01d50000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002150000	0x02150000	0x02542fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002550000	0x02550000	0x025effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002610000	0x02610000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b10000	0x02b10000	0x02cccfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b10000	0x02b10000	0x02d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003280000	0x03280000	0x0338ffff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6ed20000	0x6ed26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71e70000	0x71e81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74370000	0x74382fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x746a0000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74820000	0x749bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74ef0000	0x74f06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75840000	0x7584afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x758c0000	0x758e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x758f0000	0x75901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77410000	0x775acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\60484525\kqmao	271.35 KB (277864 bytes)	MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3 SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0 SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb		File Actions Show Properties Download

Threads

Thread 0x754

(Host: 60, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-04 02:24:17 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 11965	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x75b9418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x75b91e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x75b976e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x75b91f61	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x75b84785	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt	1	Fn
Module	Load	module_name = uxtheme.dll, base_address = 0x746a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\uxtheme.dll, function = IsThemeActive, address_out = 0x746af785	1	Fn
Debug	Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 65536	46	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 8772	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 53248, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 20	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 61440, size_out = 0	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 65536	46	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 7852	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 65536, size_out = 0	1	Fn
Window	Create	window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Window	Create	window_name = 0, class_name = edit, wndproc_parameter = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = sK, data_out = 228	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = sN, data_out = rpi.qcn	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 65536	12	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 50285	1	Fn Data
System	Get Time	type = System Time, time = 2017-10-04 02:24:20 (UTC)	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProc, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProcA, address_out = 0x764e2bd3	1	Fn
File	Get Info	filename = ., type = file_attributes	1	Fn
File	Get Info	filename = 0409, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 0	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 277864	1	Fn Data
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Process	Create	process_name = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, os_pid = 0x480, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Module	Get Handle	module_name = mscoree.dll, base_address = 0x0	1	Fn

Process #10: cih.exe

(Host: 353, Network: 0)

Information	Value
ID	#10
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:08

OS Process Information

Information	Value
PID	0x480
Parent PID	0x750 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 488 0x 61C 0x 6BC 0x 758

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rpcss.dll	0x00110000	0x0016bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00116fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00140000	0x00140fff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00140000	0x0017bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00140000	0x0017bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000180000	0x00180000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001f0000	0x001f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x006b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006c0000	0x006c0000	0x00abffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ac0000	0x00ac0000	0x00bc0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00caefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dc0000	0x00dc0000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
cih.exe	0x00fa0000	0x0106bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001070000	0x01070000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01c70000	0x01f3efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f40000	0x01f40000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002340000	0x02340000	0x02732fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002780000	0x02780000	0x02b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b80000	0x02b80000	0x02d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d80000	0x02d80000	0x02f3cfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e60000	0x02e60000	0x0325ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003260000	0x03260000	0x0341cfff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6ed20000	0x6ed26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71e70000	0x71e81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74370000	0x74382fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x746a0000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74820000	0x749bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74ef0000	0x74f06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75840000	0x7584afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x758c0000	0x758e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x758f0000	0x75901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77410000	0x775acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Threads

Thread 0x488

(Host: 136, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-04 02:24:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 15490	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x75b9418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x75b91e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x75b976e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x75b91f61	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x75b84785	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Mouse, value_name = SwapMouseButtons, data = 48	1	Fn
Module	Get Filename	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt	1	Fn
Module	Load	module_name = uxtheme.dll, base_address = 0x746a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\uxtheme.dll, function = IsThemeActive, address_out = 0x746af785	1	Fn
Debug	Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, type = file_type	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 65536	4	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 15800	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 49152, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 20	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 61440, size_out = 0	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 65536	4	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 15720	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, size = 65536, size_out = 0	1	Fn
Window	Create	window_name = AutoIt v3, class_name = AutoIt v3, wndproc_parameter = 0	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Window	Create	window_name = 0, class_name = edit, wndproc_parameter = 0	1	Fn
System	Get Time	type = System Time, time = 2017-10-04 02:24:21 (UTC)	2	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	3	Fn
File	Get Info	filename = 60484525, type = file_attributes	2	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	5	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = msg	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = VM	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = SandBox	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = duac	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = drpt	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = btklr	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = taskmnrg	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = hSUps	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Key, data_out = WindowsUpdate	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = AuEx, data_out = cvn-nhc	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = ExEc, data_out = cih.exe	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	1	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	41	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	23	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	13	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Down	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Net	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = eof	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = RP, data_out = qkr.xul	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = Keys, data_out = jom	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 65536	12	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, size = 65536, size_out = 50285	1	Fn Data
Module	Load	module_name = Advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContext, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7600df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDeriveKey, address_out = 0x76043188	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7600df66	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDecrypt, address_out = 0x76043178	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	2	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = eof	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, type = file_attributes	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CallWindowProcW, address_out = 0x764c1b3c	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	6	Fn
Module	Load	module_name = ntdll, base_address = 0x776f0000	2	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, os_pid = 0x328, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Load	module_name = ntdll, base_address = 0x776f0000	1	Fn
Module	Unmap	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x400000, size = 4096	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x776f0000	2	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x401000, size = 69632	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x776f0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x412000, size = 24576	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x776f0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x418000, size = 4096	1	Fn Data
Module	Load	module_name = ntdll, base_address = 0x776f0000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x419000, size = 4096	1	Fn Data
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Thread	Get Context	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0x488	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, address = 0x7ffdb008, size = 4	1	Fn Data
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Thread	Set Context	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0x488	1	Fn
Module	Load	module_name = kernel32, base_address = 0x75b40000	1	Fn
Thread	Resume	process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, os_tid = 0x488	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = fb	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt, section_name = Setting, key_name = btkl	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	2	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	42	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	61	Fn
System	Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
System	Sleep	duration = 10 milliseconds (0.010 seconds)	8	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	1	Fn
Module	Get Handle	module_name = mscoree.dll, base_address = 0x0	1	Fn

Process #11: regsvcs.exe

(Host: 432, Network: 41)

Information	Value
ID	#11
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:04

OS Process Information

Information	Value
PID	0x328
Parent PID	0x480 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4D8 0x 7E4 0x 340 0x 324 0x 320 0x 12C 0x 334 0x 360 0x 428 0x 530 0x 43C 0x 518 0x 750 0x 7A4 0x 150 0x 624 0x 69C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x002b0000	0x00316fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000600000	0x00600000	0x006fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x007fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000810000	0x00810000	0x0090ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000950000	0x00950000	0x00a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a50000	0x00a50000	0x00b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a50000	0x00a50000	0x00b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001990000	0x01990000	0x01a8ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a90000	0x01d5efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x0203ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002120000	0x02120000	0x0221ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002220000	0x02220000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x6f7a0000	0x6f7a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp60.dll	0x72440000	0x724a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x730a0000	0x730a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x730b0000	0x730c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73940000	0x73977fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73a80000	0x73a86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x73a90000	0x73aabfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x73bb0000	0x73bbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x73ef0000	0x73efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74510000	0x7469ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74e20000	0x74e24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x75190000	0x751d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x752d0000	0x7530bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	os_tid = 0x4d8, address = 0x77737098	1	Fn

Threads

Thread 0x4d8

(Host: 42, Network: 11)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorInfo, address_out = 0x76514b31	1	Fn
Module	Load	module_name = User32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetLastInputInfo, address_out = 0x764c3834	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleWindow, address_out = 0x75ba2787	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD, data = 0, type = REG_NONE	1	Fn
Mutex	Open	mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = Inj, data = 0, type = REG_NONE	1	Fn
Mutex	Create	mutex_name = 34419-GRNPWA	1	Fn
Module	Load	module_name = Psapi.dll, base_address = 0x77830000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExA, address_out = 0x778315bc	1	Fn
Module	Load	module_name = Psapi.dll, base_address = 0x77830000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExW, address_out = 0x778313f0	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalMemoryStatusEx, address_out = 0x75b78a2b	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x75b84785	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameExW, address_out = 0x75b80f04	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = IsUserAnAdmin, address_out = 0x768144f5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x75b7602f	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = FR	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = FR, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
System	Get Computer Name	result_out = cRh2YWu7, type = ComputerNameDnsHostname	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = jlux123.no-ip.biz	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = jluxi.dynu.com, address_out = 185.62.188.68	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = name, data = 108	1	Fn
System	Get Time	type = Ticks, time = 20092	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 473, size_out = 473	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 92	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 27	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	3	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000	1	Fn

Thread 0x7e4

(Host: 8, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
File	Create Directory	C:\Users\EEBsYm5\AppData\Roaming\chrome	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, size = 13	1	Fn Data
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	6	Fn

Thread 0x340

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000		1	Fn

Thread 0x324

(Host: 128, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
System	Get Clipboard	format = 1	1	Fn
System	Get Time	type = Ticks, time = 19468	2	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 20482	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 21496	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 22510	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 23524	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 24538	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 25552	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 26644	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 27658	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 28672	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 29686	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 30700	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 31715	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 32729	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 33743	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 34757	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 35771	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 36785	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 37799	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 38813	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 39827	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 40841	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 41855	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 42869	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 43883	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 44897	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 45911	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 46925	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 47939	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 48953	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 49967	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 50981	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 51995	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 53009	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 54023	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 55037	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 56051	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 57065	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 58079	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 59093	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 60107	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 61121	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 62135	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 63149	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 64163	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 65177	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 66191	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 67205	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 68219	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 69233	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 70247	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 71261	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 72275	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 73289	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 74303	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 75317	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 76331	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 77345	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 78359	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 79373	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 80387	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 81401	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 82415	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn

Thread 0x320

(Host: 20, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD, data = 808, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Mutex	Open	mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x776f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x777369b8	1	Fn
Process	Create	process_name = C:\Windows\system32\svchost.exe, os_pid = 0x318, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x320	1	Fn
Memory	Read	process_name = C:\Windows\system32\svchost.exe, address = 0x7ffde008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\system32\svchost.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x400000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x401000, size = 69632	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x412000, size = 24576	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x418000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x419000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\system32\svchost.exe, address = 0x7ffde008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x320	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x320	1	Fn
System	Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Process	Open	desired_access = SYNCHRONIZE	1	Fn

Thread 0x12c

(Host: 64, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
System	Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn

Thread 0x360

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 20155		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 66, size_out = 66		1	Fn Data

Thread 0x428

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = 1000 milliseconds (1.000 seconds)		62	Fn

Thread 0x530

(Host: 86, Network: 19)

Category	Operation	Information	Count	Logfile
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1000, size_out = 1000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 4808	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 9052	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3752	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 604	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = 13196	1	Fn Data
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x776f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x777369b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", os_pid = 0x520, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x7ffda008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x401000, size = 172032	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x455000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x456000, size = 2048	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt", address = 0x7ffda008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x776f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x777369b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", os_pid = 0x514, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x7ffd8008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x401000, size = 54784	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x422000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x423000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv", address = 0x7ffd8008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x776f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x777369b8	1	Fn
Process	Create	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", os_pid = 0x36c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Memory	Read	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x7ffd9008, size = 4	1	Fn Data
Memory	Allocate	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880	1	Fn
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x400000, size = 512	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x401000, size = 44032	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x41c000, size = 3584	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x41d000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel", address = 0x7ffd9008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
Thread	Resume	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, os_tid = 0x530	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, size = 0, size_out = 0	1	Fn
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, size = 2, size_out = 2	1	Fn Data
File	Delete	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 57, size_out = 57	1	Fn Data
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 65000, size_out = -1	1	Fn

Thread 0x43c

(Host: 3, Network: 5)

Category	Operation	Information	Count	Logfile
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat, size = 19, size_out = 19	1	Fn Data
Socket	Send	flags = NO_FLAG_SET, size = 67, size_out = 67	1	Fn Data
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Close		1	Fn

Thread 0x518

(Host: 2, Network: 0)

Category	Operation	Information	Success	Count	Logfile
File	Delete	filename = C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat		1	Fn
File	Delete Directory	directory = C:\Users\EEBsYm5\AppData\Roaming\chrome		1	Fn

Thread 0x750

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 21886		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 66, size_out = 66		1	Fn Data

Thread 0x7a4

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 42245		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 66, size_out = 66		1	Fn Data

Thread 0x69c

(Host: 1, Network: 1)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 62431		2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 66, size_out = 66		1	Fn Data

Process #12: svchost.exe

(Host: 19, Network: 0)

Information	Value
ID	#12
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:04

OS Process Information

Information	Value
PID	0x318
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 330

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00327fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000530000	0x00530000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00940000	0x00947fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000950000	0x00950000	0x0154ffff	Pagefile Backed Memory	Readable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp60.dll	0x72440000	0x724a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74510000	0x7469ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	os_tid = 0x330, address = 0x77737098	1	Fn

Threads

Thread 0x330

(Host: 19, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorInfo, address_out = 0x76514b31	1	Fn
Module	Load	module_name = User32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetLastInputInfo, address_out = 0x764c3834	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetConsoleWindow, address_out = 0x75ba2787	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD, data = 808, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Delete Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = WD	1	Fn
Mutex	Create	mutex_name = Mutex_RemWatchdog	1	Fn
Module	Get Filename	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\34419-GRNPWA\, value_name = EXEpath, data = 169	1	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, type = size	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 45216, size_out = 45216	1	Fn Data
Process	Open	desired_access = SYNCHRONIZE	1	Fn

Process #13: regsvcs.exe

(Host: 1184, Network: 0)

Information	Value
ID	#13
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x520
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 528 0x 754

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
tzres.dll	0x000e0000	0x000e0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e4fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00210000	0x0024bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00357fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00456fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00560fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006a0000	0x006a0000	0x0079ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x007a0000	0x00a6efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00b70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
nss3.dll	0x01940000	0x01af1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001940000	0x01940000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01ff2fff	Pagefile Backed Memory	Readable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6f030000	0x6f07efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x723c0000	0x723cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72430000	0x7243cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x73170000	0x731d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x731e0000	0x7329dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x732a0000	0x73454fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73b60000	0x73b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x73f00000	0x73f26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x73f30000	0x73f51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73fd0000	0x73fe6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x73ff0000	0x73ff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 172032	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x455000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x456000, size = 2048	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffda008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x528, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\mwixlzwnapdxngrlcvznt	0.00 KB (2 bytes)	MD5: f3b25701fe362ec84616a93a45ce9998 SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209		File Actions Show Properties Download

Threads

Thread 0x528

(Host: 961, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x75b82341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x75d20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x75d327c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x75d327ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscat, address_out = 0x75da0ea6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x75d32804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = realloc, address_out = 0x75d2b10d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x75d2d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itow, address_out = 0x75d3019c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsupr, address_out = 0x75d2dac1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcslwr, address_out = 0x75d2fb25	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x75d2dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x75d2c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memmove, address_out = 0x75d29e5a	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x75d29894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = modf, address_out = 0x75d37551	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x75d306c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcstoul, address_out = 0x75d2b319	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x75d29cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x75d38d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi64, address_out = 0x75d3062e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x75d38b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsrchr, address_out = 0x75d2a73f	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __wgetmainargs, address_out = 0x75d34e7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcmdln, address_out = 0x75dc04dc	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x75d336aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x75d337d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsnicmp, address_out = 0x75d2aae3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x75d37975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscmp, address_out = 0x75d3d3b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x75d4eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x75d4de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x75d86ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x75d3d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wtoi, address_out = 0x75d2c823	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsicmp, address_out = 0x75d2a9e9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x75d2aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x75d29910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscpy, address_out = 0x75d3d4f8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x75d29790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x75d343d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncat, address_out = 0x75da0ed9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snwprintf, address_out = 0x75d495d1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x75d4d770	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x75d8b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x75d8b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x75d3112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x75d2f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memchr, address_out = 0x75d3e134	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _gmtime64, address_out = 0x75da2936	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strftime, address_out = 0x75da1fd5	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x72221739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x7222908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateStatusWindowW, address_out = 0x7224a10f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\version.dll, base_address = 0x74d90000	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoSizeW, address_out = 0x74d919d9	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoW, address_out = 0x74d919f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\version.dll, function = VerQueryValueW, address_out = 0x74d91b51	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wininet.dll, base_address = 0x75c20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindCloseUrlCache, address_out = 0x75c68409	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindNextUrlCacheEntryW, address_out = 0x75c5989c	1	Fn
Module	Get Address	module_name = c:\windows\system32\wininet.dll, function = FindFirstUrlCacheEntryW, address_out = 0x75c5978a	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameA, address_out = 0x75b93735	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x75b73530	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x75b94543	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = AreFileApisANSI, address_out = 0x75bcf311	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x777377a0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTime, address_out = 0x75b8ced8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFileEx, address_out = 0x75ba692f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x75b92fde	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFileEx, address_out = 0x75ba6947	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x75b8ba60	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockFile, address_out = 0x75ba642f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x75b77f81	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x7774a149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceA, address_out = 0x75b9d7d2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x75b8ba46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x75b93891	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnlockFile, address_out = 0x75ba6417	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x75b8bb92	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77749ac5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesExW, address_out = 0x75b8273d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x75b8bb9f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77737760	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetEndOfFile, address_out = 0x75b82319	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x75b93728	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesW, address_out = 0x75ba2b37	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x75b8ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x75b80273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x75b8cecb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FileTimeToLocalFileTime, address_out = 0x75b92004	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x75b80f62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileW, address_out = 0x75b767c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x75b8cc56	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareFileTime, address_out = 0x75b913f3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x75b93c01	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x75b8bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FileTimeToSystemTime, address_out = 0x75b91dfe	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x75b7f5b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryW, address_out = 0x75b9c13a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x75b84680	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x75b89e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetDateFormatW, address_out = 0x75b8afab	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x75b80f6f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageW, address_out = 0x75b854a3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameW, address_out = 0x75b76d1d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x75b83b1a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x75b90e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileW, address_out = 0x75b953b2	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x75b9374d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTimeFormatW, address_out = 0x75b8ac29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x75b964ff	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x75b804b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x75b896fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameW, address_out = 0x75b93c26	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x75b91400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceW, address_out = 0x75b83e61	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x75b7fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrcpyW, address_out = 0x75b78bfa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x75b8d9e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x75b8984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToTzSpecificLocalTime, address_out = 0x75b7b149	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x75b84775	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x75b78b33	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileW, address_out = 0x75b8963a	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingW, address_out = 0x75b80a7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MapViewOfFile, address_out = 0x75b8899b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = UnmapViewOfFile, address_out = 0x75b8db13	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DuplicateHandle, address_out = 0x75b8cdd9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x75b859d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringW, address_out = 0x75b77d32	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringW, address_out = 0x75b780eb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntW, address_out = 0x75b7775f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesW, address_out = 0x75ba7e29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetErrorMode, address_out = 0x75b94a51	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x75b9214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryW, address_out = 0x75b97663	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32FirstW, address_out = 0x75b7fa35	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = Process32NextW, address_out = 0x75b7faca	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x75b7f731	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageW, address_out = 0x764ccc61	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageW, address_out = 0x764c4104	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExW, address_out = 0x764c5894	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageW, address_out = 0x764ccde8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageW, address_out = 0x764bdf8d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetKeyState, address_out = 0x764c2b4d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamW, address_out = 0x764d3b9b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorW, address_out = 0x764bed90	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x764c3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextW, address_out = 0x764c612b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemInt, address_out = 0x764dec2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextW, address_out = 0x764debd4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextW, address_out = 0x764decbc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x764c54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExW, address_out = 0x764bec7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x764c558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendDlgItemMessageW, address_out = 0x764d70d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemInt, address_out = 0x764ded56	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x764e3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongW, address_out = 0x764c4449	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x764c566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsW, address_out = 0x764b976d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcW, address_out = 0x764c507d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageW, address_out = 0x764c5539	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageW, address_out = 0x764c447b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassW, address_out = 0x764bed4a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxW, address_out = 0x7650ea5f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorW, address_out = 0x764c667e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x764e6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPlacement, address_out = 0x764b7f78	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageW, address_out = 0x764c12eb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconW, address_out = 0x764bf142	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongW, address_out = 0x764c61b8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x764babad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringW, address_out = 0x764e6528	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuRadioItem, address_out = 0x764d25df	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x764e446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x764d2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableWindow, address_out = 0x764b8d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x764c6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x764e6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x764c544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x764c5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameW, address_out = 0x764c2a29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x764e447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x764b8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamW, address_out = 0x764e5630	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringW, address_out = 0x764bdfba	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextW, address_out = 0x764bb8c5	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuW, address_out = 0x764bf214	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuW, address_out = 0x764e46c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoW, address_out = 0x764baefa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x76460000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x76466a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x76466640	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77860000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76170000	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x767e0468	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	18	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = FirefoxProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = FirefoxInstallFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ChromeProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = OperaPasswordFile	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	2	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	24	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat, size = 256, size_out = 256	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	26	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	61	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat, size = 8, size_out = 8	92	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7600e124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7600df7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7600df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7600df66	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x760471c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76047941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76047381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x72430000	1	Fn
Module	Get Address	module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7243526c	1	Fn
Module	Load	module_name = vaultcli.dll, base_address = 0x723c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x723c26a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x723c2718	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x723c3099	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x723c4321	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultGetInformation, address_out = 0x723c24c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x723c3242	2	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = time	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path	1	Fn
Ini	Read	file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x732a0000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7335d70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7335d13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x732f3c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x732f3333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x732dcbc4	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x732dd3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x732f00a7	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Get Handle	module_name = c:\program files\mozilla firefox\nss3.dll, base_address = 0x732a0000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7335d70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7335d13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x732f3c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x732f3333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x732dcbc4	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x732dd3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x732f00a7	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = psapi.dll, base_address = 0x77830000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleBaseNameW, address_out = 0x7783152c	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x77831408	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleFileNameExW, address_out = 0x778313f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcesses, address_out = 0x77831544	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = GetModuleInformation, address_out = 0x77831420	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessTimes, address_out = 0x75b7f626	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\system32\userinit.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Get Filename	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe	1	Fn
File	Get Info	filename = C:\Program Files\Sea Monkey\nss3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_READ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 100, size_out = 100	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 2048, size_out = 2048	4	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 16, size_out = 16	1	Fn Data
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt, size = 2	1	Fn Data

Process #14: regsvcs.exe

(Host: 337, Network: 0)

Information	Value
ID	#14
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x514
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 510 0x 674

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable, Writable	Region Actions
tzres.dll	0x00070000	0x00070fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00086fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x002c7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00423fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00530fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000540000	0x00540000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00690000	0x006cbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0082ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00830000	0x00afefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001940000	0x01940000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a00000	0x01a00000	0x01afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b10000	0x01b10000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001b20000	0x01b20000	0x01f12fff	Pagefile Backed Memory	Readable	Region Actions
msvcp100.dll	0x6e240000	0x6e2a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6e2b0000	0x6e36dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x6e370000	0x6e524fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6f020000	0x6f046fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6f050000	0x6f071fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x721d0000	0x721d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x73f10000	0x73f5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73fe0000	0x73ff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 54784	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x422000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x423000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x510, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\wqnqmshpoxvbxmnplxmoexxv	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Threads

Thread 0x510

(Host: 335, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x75b82341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x75d20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x75d29894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strupr, address_out = 0x75d3d49e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcslwr, address_out = 0x75d2fb25	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x75d2d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _wcsnicmp, address_out = 0x75d2aae3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncmp, address_out = 0x75d2b443	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x75d2f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x75d3112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x75d8b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x75d8b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x75d337d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x75d336aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _acmdln, address_out = 0x75dc04d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strrchr, address_out = 0x75d2dbae	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x75d2c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x75d2dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _ultoa, address_out = 0x75d71822	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x75d29cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x75d306c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x75d38b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsnbicmp, address_out = 0x75d83480	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsrchr, address_out = 0x75d38e5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snprintf, address_out = 0x75d4fa7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x75d29790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strnicmp, address_out = 0x75d30578	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x75d2aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x75d3d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x75d4eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = sprintf, address_out = 0x75d3d354	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = atoi, address_out = 0x75d2dbe0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x75d37975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __getmainargs, address_out = 0x75d32bc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strcmpi, address_out = 0x75d2db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsicmp, address_out = 0x75d39238	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x75d86ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x75d4de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbscmp, address_out = 0x75d483c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x75d343d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itoa, address_out = 0x75d44218	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x75d38d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strtoul, address_out = 0x75d3012e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x75d29910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcscpy, address_out = 0x75d3d4f8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcat, address_out = 0x75d38d75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncat, address_out = 0x75d50909	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x75d327c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x75d327ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x75d32804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x75d4d770	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 6, address_out = 0x7224a14c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x7222908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x72221739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x75b8903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x75b9214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CompareFileTime, address_out = 0x75b913f3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVolumeInformationA, address_out = 0x75ba41aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringA, address_out = 0x75b7d8d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntA, address_out = 0x75b7dc43	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesA, address_out = 0x75ba5a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringA, address_out = 0x75b9d763	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x75b76ba9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetSystemDirectoryA, address_out = 0x75b88fc5	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x75ba5d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x75bcf33b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceA, address_out = 0x75b8a05b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesA, address_out = 0x75bccb42	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x75b7fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoA, address_out = 0x75b41e10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x75b8984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x75b91400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x75b9395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x75b8ba90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x75b8ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteProcessMemory, address_out = 0x75b7c1de	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ResumeThread, address_out = 0x75b80f1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAllocEx, address_out = 0x75b7c1b6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x75b859d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x75b80273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFreeEx, address_out = 0x75b7c1ee	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x75b7733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75b933f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x75b89e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x75b8a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExA, address_out = 0x75b847fa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x75b92d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x75b8bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileTime, address_out = 0x75b80f6f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameA, address_out = 0x75ba695f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x75b90e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x75b93861	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x75b896fb	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CopyRect, address_out = 0x764c4ad9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExA, address_out = 0x764dae60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageA, address_out = 0x764c2e32	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageA, address_out = 0x764c1899	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageA, address_out = 0x764d2019	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetFocus, address_out = 0x764c3a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageA, address_out = 0x764bc091	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextA, address_out = 0x764b6eed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoA, address_out = 0x764b856a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x764c3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageA, address_out = 0x764bad60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorA, address_out = 0x764b8328	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxA, address_out = 0x7650ea11	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextA, address_out = 0x764d707a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextA, address_out = 0x76513d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextA, address_out = 0x764e0c5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x764e3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExA, address_out = 0x764bbf40	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x764c558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassA, address_out = 0x764bbc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageA, address_out = 0x764bb446	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x764e6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsA, address_out = 0x764dae02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcA, address_out = 0x764bbb1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorA, address_out = 0x764e133f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconA, address_out = 0x764b64ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongA, address_out = 0x764ba95e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongA, address_out = 0x764b8ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x764c566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x764babad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapDialogRect, address_out = 0x764e347a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetRect, address_out = 0x764c498b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x764e447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x764c544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x764c5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x764b8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x764c54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringA, address_out = 0x76513a16	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x764d2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameA, address_out = 0x764e2445	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x764e446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageA, address_out = 0x764d7779	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x764e6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuA, address_out = 0x764cf92c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x764c6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringA, address_out = 0x764b66a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamA, address_out = 0x764d1f42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuA, address_out = 0x76513ae0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamA, address_out = 0x764fcf42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x76460000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x76466640	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetTextColor, address_out = 0x76466906	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateFontIndirectA, address_out = 0x7646d22d	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkMode, address_out = 0x764669b1	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = DeleteObject, address_out = 0x76465f14	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetTextExtentPoint32A, address_out = 0x764707b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x76466a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77860000	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetSaveFileNameA, address_out = 0x7789a353	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76014907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76011481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x760148ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x7602a299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7601468d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDeleteKeyA, address_out = 0x7602a8b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueA, address_out = 0x7600cf49	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7602a4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumValueW, address_out = 0x760148cc	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7601469d	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetPathFromIDListA, address_out = 0x768e1c24	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetMalloc, address_out = 0x767e0602	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHBrowseForFolderA, address_out = 0x76a0dc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x76a07078	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76170000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7618b636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x761b86d3	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x76014304	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x7601404a	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x7601418e	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ	1	Fn
File	Get Info	filename = trillian, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\.gaim, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\.purple, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Miranda, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Miranda	1	Fn
File	Get Info	type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder1	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder2	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder3	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder4	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder5	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Folder6	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadW, address_out = 0x760472a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75910000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75945a7f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	2	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadW, address_out = 0x760472a1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x75b83ea8	1	Fn
Debug	Check for Presence	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AIM\AIMPRO	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners	1	Fn
System	Get Computer Name	result_out = CRH2YWU7	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Paltalk	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = file_attributes	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite, type = time	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	1	Fn
Module	Load	module_name = C:\Program Files\Mozilla Firefox\nss3.dll, base_address = 0x6e370000	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6e42d70b	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6e42d13c	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x6e3c3c51	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x6e3c3333	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6e3ad3ca	1	Fn
Module	Get Address	module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x6e3c00a7	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7600e124	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7600df7e	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7600df36	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7600df66	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn

Process #15: regsvcs.exe

(Host: 430, Network: 0)

Information	Value
ID	#15
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x36c
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 45C 0x 66C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x0041dfff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x007dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x009cffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x009d0000	0x00c9efff	Memory Mapped File	Readable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ac0000	0x01ac0000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72430000	0x7243cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73b60000	0x73b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 44032	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x41c000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x41d000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffd9008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x45c, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\gsabfkrjcfngatbtcigqhckmyel	0.46 KB (469 bytes)	MD5: b2912991f1be1bdf15ea7028328cc3bf SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5 SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114		File Actions Show Properties Download

Threads

Thread 0x45c

(Host: 428, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x75b82341	1	Fn
Module	Get Handle	module_name = c:\windows\system32\msvcrt.dll, base_address = 0x75d20000	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memmove, address_out = 0x75d29e5a	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcschr, address_out = 0x75d2aa61	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcslen, address_out = 0x75d3d335	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _itoa, address_out = 0x75d44218	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = qsort, address_out = 0x75d2d3e6	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncmp, address_out = 0x75d2b443	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _snprintf, address_out = 0x75d4fa7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsrchr, address_out = 0x75d38e5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsnbicmp, address_out = 0x75d83480	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __dllonexit, address_out = 0x75d2f509	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _onexit, address_out = 0x75d3112d	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _c_exit, address_out = 0x75d8b2db	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _exit, address_out = 0x75d8b2c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _cexit, address_out = 0x75d337d4	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strnicmp, address_out = 0x75d30578	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _acmdln, address_out = 0x75dc04d8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __getmainargs, address_out = 0x75d32bc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _initterm, address_out = 0x75d2c151	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _memicmp, address_out = 0x75d306c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = malloc, address_out = 0x75d29cee	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strrchr, address_out = 0x75d2dbae	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _stricmp, address_out = 0x75d2db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = free, address_out = 0x75d29894	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = modf, address_out = 0x75d37551	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcmp, address_out = 0x75d37975	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strtoul, address_out = 0x75d3012e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x75d29910	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = sprintf, address_out = 0x75d3d354	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbsicmp, address_out = 0x75d39238	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = atoi, address_out = 0x75d2dbe0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _strcmpi, address_out = 0x75d2db38	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strlen, address_out = 0x75d343d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcmp, address_out = 0x75d38b11	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = exit, address_out = 0x75d336aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = wcsstr, address_out = 0x75d2bf71	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = log, address_out = 0x75d4de50	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _mbscmp, address_out = 0x75d483c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strchr, address_out = 0x75d2dbeb	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _purecall, address_out = 0x75d86ea9	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strncat, address_out = 0x75d50909	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = abs, address_out = 0x75d4eb1e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcat, address_out = 0x75d38d75	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _ultoa, address_out = 0x75d71822	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = strcpy, address_out = 0x75d38d6e	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = memset, address_out = 0x75d29790	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__commode, address_out = 0x75d327c3	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __p__fmode, address_out = 0x75d327ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __set_app_type, address_out = 0x75d32804	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = _except_handler3, address_out = 0x75d4d770	1	Fn
Module	Get Address	module_name = c:\windows\system32\msvcrt.dll, function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_Create, address_out = 0x7222908c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 17, address_out = 0x72221739	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = 6, address_out = 0x7224a14c	1	Fn
Module	Get Handle	module_name = c:\windows\system32\rpcrt4.dll, base_address = 0x76360000	1	Fn
Module	Get Address	module_name = c:\windows\system32\rpcrt4.dll, function = UuidFromStringA, address_out = 0x76367348	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x75b40000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x75b7733c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x75b8903d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x75b9214f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x75b859d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileIntA, address_out = 0x75b7dc43	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceNamesA, address_out = 0x75ba5a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WritePrivateProfileStringA, address_out = 0x75b9d763	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetComputerNameA, address_out = 0x75b76ba9	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x75b80273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x75b89e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindResourceA, address_out = 0x75b8a05b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadResource, address_out = 0x75b8984d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = EnumResourceTypesA, address_out = 0x75bccb42	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LockResource, address_out = 0x75b7fd29	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoA, address_out = 0x75b41e10	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringA, address_out = 0x75b7d8d7	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x75b8ca64	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x75b91400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileSectionA, address_out = 0x75bc78ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x75b9395c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75b933f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileA, address_out = 0x75b92d89	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x75b8a187	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x75b8bf00	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExA, address_out = 0x75b847fa	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameA, address_out = 0x75ba695f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x75b90e62	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetWindowsDirectoryA, address_out = 0x75ba5d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x75b896fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x75b93861	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x764b0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClassNameA, address_out = 0x764e2445	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMessageA, address_out = 0x764c1899	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterWindowMessageA, address_out = 0x764bc091	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = PostMessageA, address_out = 0x764bb446	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetFocus, address_out = 0x764c3a34	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DispatchMessageA, address_out = 0x764c2e32	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawTextExA, address_out = 0x764dae60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsDialogMessageA, address_out = 0x764d2019	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowTextA, address_out = 0x764b6eed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemInfoA, address_out = 0x764b856a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DialogBoxParamA, address_out = 0x764fcf42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetCursor, address_out = 0x764c3075	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadCursorA, address_out = 0x764b8328	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDialog, address_out = 0x764e3ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateWindowExA, address_out = 0x764bbf40	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = InvalidateRect, address_out = 0x764c566d	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemInt, address_out = 0x764dec2e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginPaint, address_out = 0x764c5d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetClientRect, address_out = 0x764c54dd	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindow, address_out = 0x764c2780	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetDlgItemTextA, address_out = 0x764d707a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DrawFrameControl, address_out = 0x764db4f9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemTextA, address_out = 0x76513d14	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendDlgItemMessageA, address_out = 0x764d7241	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowTextA, address_out = 0x764e0c5b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowRect, address_out = 0x764c558c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDlgItemInt, address_out = 0x764ded56	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndPaint, address_out = 0x764c5d42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DefWindowProcA, address_out = 0x764bbb1c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = TranslateAcceleratorA, address_out = 0x764e133f	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MessageBoxA, address_out = 0x7650ea11	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = RegisterClassA, address_out = 0x764bbc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetMenu, address_out = 0x764e6b0e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadAcceleratorsA, address_out = 0x764dae02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SendMessageA, address_out = 0x764bad60	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadIconA, address_out = 0x764b64ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowLongA, address_out = 0x764ba95e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetWindowLongA, address_out = 0x764b8ba3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetFocus, address_out = 0x764babad	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = SetClipboardData, address_out = 0x764d2962	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenuStringA, address_out = 0x76513a16	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableWindow, address_out = 0x764b8d02	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadImageA, address_out = 0x764d7779	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMenu, address_out = 0x764e6b68	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CloseClipboard, address_out = 0x764e446c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetParent, address_out = 0x764c6029	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = OpenClipboard, address_out = 0x764e447e	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x764c544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MoveWindow, address_out = 0x764b8d29	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x764c5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadMenuA, address_out = 0x764cf92c	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = LoadStringA, address_out = 0x764b66a7	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = CreateDialogParamA, address_out = 0x764d1f42	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ModifyMenuA, address_out = 0x76513ae0	1	Fn
Module	Get Handle	module_name = c:\windows\system32\gdi32.dll, base_address = 0x76460000	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetTextColor, address_out = 0x76466906	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateFontIndirectA, address_out = 0x7646d22d	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkMode, address_out = 0x764669b1	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = DeleteObject, address_out = 0x76465f14	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetTextExtentPoint32A, address_out = 0x764707b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SetBkColor, address_out = 0x76466a3c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x76466640	1	Fn
Module	Get Handle	module_name = c:\windows\system32\comdlg32.dll, base_address = 0x77860000	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetOpenFileNameA, address_out = 0x7789a2a9	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = GetSaveFileNameA, address_out = 0x7789a353	1	Fn
Module	Get Address	module_name = c:\windows\system32\comdlg32.dll, function = FindTextA, address_out = 0x7789acd6	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x7602a299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyExA, address_out = 0x76011481	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x760148ef	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76014907	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDeleteKeyA, address_out = 0x7602a8b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7602a4b4	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7601469d	1	Fn
Module	Get Handle	module_name = c:\windows\system32\shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHBrowseForFolderA, address_out = 0x76a0dc6a	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetPathFromIDListA, address_out = 0x768e1c24	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetMalloc, address_out = 0x767e0602	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteA, address_out = 0x76a07078	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x76170000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7618b636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoTaskMemFree, address_out = 0x761c6f41	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x761b86d3	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x72220000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x767c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird	1	Fn
File	Get Info	filename = C:\Program Files\Mozilla Thunderbird, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x72430000	1	Fn
Module	Get Address	module_name = c:\windows\system32\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7243526c	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75910000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75945a7f	1	Fn
System	Get Computer Name	result_out = CRH2YWU7	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x760471c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76047941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76047381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}, value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 24, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 24, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Server, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Display Name, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Email, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Server, type = REG_BINARY	1	Fn Data
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary, value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x760471c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76047941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76047381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x75910000	1	Fn
Module	Get Address	module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75945a7f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76000000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredReadA, address_out = 0x760471c1	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x7600b2ec	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredDeleteA, address_out = 0x76047941	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76047381	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateW, address_out = 0x76047481	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount, size = 1734, size_out = 1734	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount, size = 1506, size_out = 1506	1	Fn Data
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount, size = 670, size_out = 670	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	1	Fn
File	Create	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 50	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 2	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 30	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 52	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 35	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 27	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 24	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 26	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 27	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 29	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 25	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 22	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 50	1	Fn Data
File	Write	filename = C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel, size = 2	2	Fn Data