WSF Downloads Payload that Sets-up a Server to Accept Incoming Connections

Monitored Processes

Behavior Information - Sequential View

Process #1: cscript.exe

(Host: 693, Network: 18)

Information	Value
ID	#1
File Name	c:\windows\system32\cscript.exe
Command Line	"C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:20, Reason: Analysis Target
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:02:00

OS Process Information

Information	Value
PID	0xf80
Parent PID	0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F84 0x FF0 0x FF4 0x FF8 0x FFC 0x C5C 0x C20 0x C18 0x C6C 0x C78 0x C74 0x 650 0x C90

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x0000009c3c600000	0x9c3c600000	0x9c3c61ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3c600000	0x9c3c600000	0x9c3c60ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000009c3c610000	0x9c3c610000	0x9c3c616fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3c620000	0x9c3c620000	0x9c3c633fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3c640000	0x9c3c640000	0x9c3c73ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3c740000	0x9c3c740000	0x9c3c743fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3c750000	0x9c3c750000	0x9c3c750fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3c760000	0x9c3c760000	0x9c3c761fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3c770000	0x9c3c770000	0x9c3c776fff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe.mui	0x9c3c780000	0x9c3c782fff	Memory Mapped File	Readable	Region Actions
private_0x0000009c3c790000	0x9c3c790000	0x9c3c790fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3c7a0000	0x9c3c7a0000	0x9c3c7a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3c7b0000	0x9c3c7b0000	0x9c3c8affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x9c3c8b0000	0x9c3c96dfff	Memory Mapped File	Readable	Region Actions
private_0x0000009c3c970000	0x9c3c970000	0x9c3ca6ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ca70000	0x9c3ca70000	0x9c3cb1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe	0x9c3ca70000	0x9c3ca78fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000009c3ca80000	0x9c3ca80000	0x9c3ca80fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3ca80000	0x9c3ca80000	0x9c3ca83fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3ca90000	0x9c3ca90000	0x9c3ca90fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3caa0000	0x9c3caa0000	0x9c3caa0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3cab0000	0x9c3cab0000	0x9c3cac7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3cab0000	0x9c3cab0000	0x9c3cabffff	Private Memory	Readable, Writable	Region Actions Download Dump
msmplics.dll	0x9c3cac0000	0x9c3cac1fff	Memory Mapped File	Readable	Region Actions
tzres.dll	0x9c3cac0000	0x9c3cac2fff	Memory Mapped File	Readable	Region Actions
msxml3r.dll	0x9c3cac0000	0x9c3cac0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000009c3cad0000	0x9c3cad0000	0x9c3cae7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3cad0000	0x9c3cad0000	0x9c3cad6fff	Private Memory	Readable, Writable	Region Actions Download Dump
wshom.ocx	0x9c3cae0000	0x9c3caf2fff	Memory Mapped File	Readable	Region Actions
tzres.dll.mui	0x9c3cb00000	0x9c3cb08fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000009c3cb00000	0x9c3cb00000	0x9c3cb00fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000009c3cb10000	0x9c3cb10000	0x9c3cb1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3cb20000	0x9c3cb20000	0x9c3cb2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3cb30000	0x9c3cb30000	0x9c3ccb7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3ccc0000	0x9c3ccc0000	0x9c3ce40fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3ce50000	0x9c3ce50000	0x9c3e24ffff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x9c3e250000	0x9c3e325fff	Memory Mapped File	Readable	Region Actions
sortdefault.nls	0x9c3e250000	0x9c3e586fff	Memory Mapped File	Readable	Region Actions
private_0x0000009c3e590000	0x9c3e590000	0x9c3e68ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3e690000	0x9c3e690000	0x9c3e747fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3e750000	0x9c3e750000	0x9c3e84ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3e850000	0x9c3e850000	0x9c3e94ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3e950000	0x9c3e950000	0x9c3f94ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000009c3e950000	0x9c3e950000	0x9c3ea4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ea50000	0x9c3ea50000	0x9c3eb5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ea50000	0x9c3ea50000	0x9c3eb4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3eb50000	0x9c3eb50000	0x9c3eb5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3eb60000	0x9c3eb60000	0x9c3ed5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ed60000	0x9c3ed60000	0x9c3ee5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ee60000	0x9c3ee60000	0x9c3ef5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ef60000	0x9c3ef60000	0x9c3f05ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f060000	0x9c3f060000	0x9c3f45ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f460000	0x9c3f460000	0x9c3f4affff	Private Memory	Readable, Writable	Region Actions Download Dump
counters.dat	0x9c3f460000	0x9c3f460fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pagefile_0x0000009c3f470000	0x9c3f470000	0x9c3f470fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000009c3f480000	0x9c3f480000	0x9c3f481fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000009c3f480000	0x9c3f480000	0x9c3f48ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009c3f490000	0x9c3f490000	0x9c3f491fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009c3f4a0000	0x9c3f4a0000	0x9c3f4affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f4b0000	0x9c3f4b0000	0x9c3f50ffff	Private Memory	Readable, Writable	Region Actions Download Dump
mswsock.dll.mui	0x9c3f4b0000	0x9c3f4b2fff	Memory Mapped File	Readable	Region Actions
private_0x0000009c3f4d0000	0x9c3f4d0000	0x9c3f4d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f500000	0x9c3f500000	0x9c3f50ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f5b0000	0x9c3f5b0000	0x9c3f7affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3f7b0000	0x9c3f7b0000	0x9c3ffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c3ffb0000	0x9c3ffb0000	0x9c403affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c403b0000	0x9c403b0000	0x9c404effff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x9c403b0000	0x9c4048efff	Memory Mapped File	Readable	Region Actions
private_0x0000009c404e0000	0x9c404e0000	0x9c404effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c404f0000	0x9c404f0000	0x9c406cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c404f0000	0x9c404f0000	0x9c405effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c404f0000	0x9c404f0000	0x9c405effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c406c0000	0x9c406c0000	0x9c406cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c406d0000	0x9c406d0000	0x9c408bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c406d0000	0x9c406d0000	0x9c407cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c408b0000	0x9c408b0000	0x9c408bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c408c0000	0x9c408c0000	0x9c40cbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c40cc0000	0x9c40cc0000	0x9c40dbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c40dc0000	0x9c40dc0000	0x9c40ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000009c40dc0000	0x9c40dc0000	0x9c40ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00007df5ffb70000	0x7df5ffb70000	0x7ff5ffb6ffff	Pagefile Backed Memory	-	Region Actions
private_0x00007ff7cb562000	0x7ff7cb562000	0x7ff7cb563fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb564000	0x7ff7cb564000	0x7ff7cb565fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb566000	0x7ff7cb566000	0x7ff7cb567fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb568000	0x7ff7cb568000	0x7ff7cb569fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb568000	0x7ff7cb568000	0x7ff7cb569fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb56a000	0x7ff7cb56a000	0x7ff7cb56bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb56c000	0x7ff7cb56c000	0x7ff7cb56dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb56e000	0x7ff7cb56e000	0x7ff7cb56ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00007ff7cb570000	0x7ff7cb570000	0x7ff7cb66ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff7cb670000	0x7ff7cb670000	0x7ff7cb692fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff7cb694000	0x7ff7cb694000	0x7ff7cb695fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb696000	0x7ff7cb696000	0x7ff7cb697fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb698000	0x7ff7cb698000	0x7ff7cb699fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb69a000	0x7ff7cb69a000	0x7ff7cb69bfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb69c000	0x7ff7cb69c000	0x7ff7cb69dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00007ff7cb69e000	0x7ff7cb69e000	0x7ff7cb69efff	Private Memory	Readable, Writable	Region Actions Download Dump
cscript.exe	0x7ff7cbfd0000	0x7ff7cbffefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml3.dll	0x7ffb239c0000	0x7ffb23bf6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpclient.dll	0x7ffb23c00000	0x7ffb23cd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
jscript.dll	0x7ffb23ce0000	0x7ffb23dadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7ffb240b0000	0x7ffb24159fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrobj.dll	0x7ffb24160000	0x7ffb241a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scrrun.dll	0x7ffb242b0000	0x7ffb242e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshom.ocx	0x7ffb25120000	0x7ffb25148fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpoav.dll	0x7ffb25dc0000	0x7ffb25ddcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshext.dll	0x7ffb25f10000	0x7ffb25f2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7ffb26110000	0x7ffb2614cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldp.dll	0x7ffb2bea0000	0x7ffb2beaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
amsi.dll	0x7ffb2d270000	0x7ffb2d27ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7ffb2e5a0000	0x7ffb2e846fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7ffb2ea50000	0x7ffb2ebe6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ondemandconnroutehelper.dll	0x7ffb2ec80000	0x7ffb2ec94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7ffb308c0000	0x7ffb308c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msisip.dll	0x7ffb30c90000	0x7ffb30c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7ffb318d0000	0x7ffb318d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7ffb31aa0000	0x7ffb31e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7ffb333f0000	0x7ffb334c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7ffb34cc0000	0x7ffb34f33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7ffb361e0000	0x7ffb36247fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7ffb373f0000	0x7ffb373fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7ffb37410000	0x7ffb37447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7ffb37f40000	0x7ffb37f61fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7ffb38610000	0x7ffb386a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7ffb38c60000	0x7ffb38c82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7ffb38f70000	0x7ffb38f8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7ffb39260000	0x7ffb39292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7ffb39350000	0x7ffb3936efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7ffb393b0000	0x7ffb39457fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7ffb395b0000	0x7ffb3960cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7ffb39610000	0x7ffb39626fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7ffb39780000	0x7ffb3978afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb39960000	0x7ffb3998bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb39b60000	0x7ffb39b87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7ffb39b90000	0x7ffb39bfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7ffb39c00000	0x7ffb39c97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7ffb39d40000	0x7ffb39d50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb39d60000	0x7ffb39d6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb39d70000	0x7ffb39d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb39d90000	0x7ffb39dd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb39de0000	0x7ffb3a407fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7ffb3a460000	0x7ffb3a4b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb3a570000	0x7ffb3a622fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7ffb3a630000	0x7ffb3a7f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7ffb3a9e0000	0x7ffb3a9e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb3a9f0000	0x7ffb3aa40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb3aa50000	0x7ffb3bf74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb3c2d0000	0x7ffb3c375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7ffb3c570000	0x7ffb3c5d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
coml2.dll	0x7ffb3c5e0000	0x7ffb3c64efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb3c9b0000	0x7ffb3ca6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7ffb3ca70000	0x7ffb3cb14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb3cb20000	0x7ffb3cc60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb3cc70000	0x7ffb3ceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 28 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\ciihmn~1\appdata\local\temp\84526935.scr	479.00 KB (490496 bytes)	MD5: f549977bce0051085abbe8d7728be589 SHA1: 33e0317a4da4cc10737f5ff54f010315a3b71867 SHA256: 21610f6f3397058086f90d9e0f74ba524aeb69d788efca24f344327460532a58		File Actions Show Properties Download

Threads

Thread 0xf84

(Host: 181, Network: 18)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff7cbfd0000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffb3d280f40	1	Fn
Module	Get Filename	module_name = c:\windows\system32\cscript.exe, process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 110	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.WSF	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.WSF, data = WSFFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\WSFFile\ScriptEngine	1	Fn
Module	Load	module_name = urlmon.dll, base_address = 0x7ffb2ea50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\urlmon.dll, function = CreateURLMonikerEx, address_out = 0x7ffb2ea74fe0	1	Fn
COM	Create	interface = 06290BEA-48AA-11D2-8432-006008C3FBFC, cls_context = CLSCTX_INPROC_SERVER	1	Fn
COM	Create	interface = 06290BEA-48AA-11D2-8432-006008C3FBFC, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
COM	Create	interface = 342D1EA0-AE25-11D1-89C5-006008C3FBFC, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = System Directory	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\shlwapi.dll, base_address = 0x7ffb3a9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = PathCreateFromUrlW, address_out = 0x7ffb3a9fc5e0	1	Fn
COM	Get Class ID	cls_id = F414C260-6AC0-11CF-B6D1-00AA00BBBB58, prog_id = JScript	1	Fn
Module	Load	module_name = WLDP.DLL, base_address = 0x7ffb2bea0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wldp.dll, function = WldpGetLockdownPolicy, address_out = 0x7ffb2bea1010	1	Fn
Module	Get Address	module_name = c:\windows\system32\wldp.dll, function = WldpIsClassInApprovedList, address_out = 0x7ffb2bea3820	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, protection = PAGE_READONLY, maximum_size = 97272	1	Fn
Module	Map	C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, process_name = c:\windows\system32\cscript.exe, desired_access = FILE_MAP_READ	1	Fn
Module	Unmap	process_name = c:\windows\system32\cscript.exe	1	Fn
System	Get Info	type = System Directory	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7ffb3c2da7d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7ffb3c2d3ba0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7ffb3c2e6cc0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, type = size	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\Desktop\2999BA~1.WSF, size = 97272, size_out = 97272	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Info	type = Hardware Information	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460	1	Fn
Module	Load	module_name = amsi.dll, base_address = 0x7ffb2d270000	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb2d272260	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffb2d2726b0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790	1	Fn
COM	Create	interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 107531	1	Fn
Module	Load	module_name = amsi.dll, base_address = 0x7ffb2d270000	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb2d272260	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffb2d2726b0	1	Fn
Environment	Get Environment String	name = JS_PROFILER	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 107562	1	Fn
System	Get Time	type = Ticks, time = 107640	19	Fn
System	Get Time	type = Ticks, time = 107656	4	Fn
System	Get Time	type = Ticks, time = 108218	14	Fn
System	Get Time	type = Ticks, time = 108234	18	Fn
System	Get Time	type = Ticks, time = 108250	10	Fn
System	Get Time	type = Ticks, time = 108265	17	Fn
System	Get Time	type = Ticks, time = 108281	13	Fn
System	Get Time	type = Ticks, time = 108296	8	Fn
System	Get Time	type = Ticks, time = 108312	12	Fn
System	Get Time	type = Ticks, time = 108328	10	Fn
System	Get Time	type = Ticks, time = 108343	6	Fn
System	Get Time	type = Ticks, time = 108468	16	Fn
System	Get Time	type = Ticks, time = 108484	18	Fn
System	Get Time	type = Ticks, time = 108500	13	Fn
System	Get Time	type = Ticks, time = 108515	17	Fn
System	Get Time	type = Ticks, time = 108531	9	Fn
System	Get Time	type = Ticks, time = 108609	2	Fn
System	Get Time	type = Ticks, time = 108625	4	Fn
System	Get Time	type = Ticks, time = 108656	3	Fn
System	Get Time	type = Ticks, time = 108671	3	Fn
System	Get Time	type = Ticks, time = 108687	3	Fn
System	Get Time	type = Ticks, time = 108703	3	Fn
System	Get Time	type = Ticks, time = 108718	3	Fn
System	Get Time	type = Ticks, time = 108734	3	Fn
System	Get Time	type = Ticks, time = 108828	1	Fn
System	Get Time	type = Ticks, time = 108843	2	Fn
System	Get Time	type = Ticks, time = 108859	2	Fn
System	Get Time	type = Ticks, time = 108875	2	Fn
System	Get Time	type = Ticks, time = 108890	2	Fn
System	Get Time	type = Ticks, time = 108906	1	Fn
System	Get Time	type = Ticks, time = 108921	2	Fn
System	Get Time	type = Ticks, time = 108937	1	Fn
System	Get Time	type = Ticks, time = 108953	2	Fn
System	Get Time	type = Ticks, time = 108968	3	Fn
System	Get Time	type = Ticks, time = 108984	1	Fn
System	Get Time	type = Ticks, time = 109000	3	Fn
System	Get Time	type = Ticks, time = 109015	2	Fn
System	Get Time	type = Ticks, time = 109031	1	Fn
System	Get Time	type = Ticks, time = 109062	1	Fn
System	Get Time	type = Ticks, time = 109078	20	Fn
System	Get Time	type = Ticks, time = 109093	34	Fn
System	Get Time	type = Ticks, time = 109109	27	Fn
System	Get Time	type = Ticks, time = 109125	27	Fn
System	Get Time	type = Ticks, time = 109140	22	Fn
System	Get Time	type = Ticks, time = 109156	20	Fn
System	Get Time	type = Ticks, time = 109171	10	Fn
System	Get Time	type = Ticks, time = 109187	18	Fn
System	Get Time	type = Ticks, time = 109203	18	Fn
System	Get Time	type = Ticks, time = 109218	20	Fn
System	Get Time	type = Ticks, time = 109234	16	Fn
System	Get Time	type = Ticks, time = 109250	16	Fn
System	Get Time	type = Ticks, time = 109265	12	Fn
System	Get Time	type = Ticks, time = 109281	16	Fn
System	Get Time	type = Ticks, time = 109296	12	Fn
System	Get Time	type = Ticks, time = 109312	14	Fn
System	Get Time	type = Ticks, time = 109328	10	Fn
System	Get Time	type = Ticks, time = 109546	2	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff7cbfd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff7cbfd1350	1	Fn
COM	Get Class ID	cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = MSXML2.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = https, server_name = www.atdrrtd.vs, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1	1	Fn
Inet	Receive HTTP Status	status = 12007	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff7cbfd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff7cbfd1350	1	Fn
COM	Get Class ID	cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = MSXML2.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = https, server_name = wsfxvers.ch, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /fdsffffjt.ico	1	Fn
Inet	Receive HTTP Status	status = 12007	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff7cbfd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff7cbfd1350	1	Fn
COM	Get Class ID	cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = MSXML2.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = https, server_name = serfd.ch, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /fjgnt343.ico	1	Fn
Inet	Receive HTTP Status	status = 12007	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cscript.exe, file_name_orig = C:\Windows\System32\CScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cscript.exe, base_address = 0x7ff7cbfd0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\cscript.exe, function = 1, address_out = 0x7ff7cbfd1350	1	Fn
COM	Get Class ID	cls_id = F6D90F16-9C73-11D3-B32E-00C04F990BB4, prog_id = MSXML2.XMLHTTP	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = https, server_name = www.apapernotion.com, server_port = 443	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /wp-includes/Text/ri.php	1	Fn
Inet	Send HTTP Request	url = https://www.apapernotion.com/wp-includes/Text/ri.php	1	Fn
System	Get Time	type = Ticks, time = 111765	1	Fn
Inet	Receive HTTP Status	status = 200	1	Fn
COM	Get Class ID	cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Inet	Read Response	size_out = 490496	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr, size = 490496	1	Fn Data
Module	Load	module_name = shell32.dll, base_address = 0x7ffb3aa50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7ffb3ab32460	1	Fn
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr, show_window = SW_SHOWNORMAL	1	Fn
Module	Get Address	module_name = c:\windows\system32\amsi.dll, function = AmsiUninitialize, address_out = 0x7ffb2d272490	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xff4

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 671033220080		1	Fn

Process #3: 84526935.scr

(Host: 1624, Network: 0)

Information	Value
ID	#3
File Name	c:\users\ciihmn~1\appdata\local\temp\84526935.scr
Command Line	"C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr" /S
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:40, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:40

OS Process Information

Information	Value
PID	0xbec
Parent PID	0xf80 (c:\windows\system32\cscript.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 568 0x 344 0x 830 0x 468 0x CA4 0x C88 0x CF4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x0028cfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003c0000	0x003c0000	0x003f8fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
84526935.scr	0x00400000	0x004a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
locale.nls	0x004b0000	0x0056dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000570000	0x00570000	0x0066ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000670000	0x00670000	0x007f7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x008fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000800000	0x00800000	0x00838fff	Private Memory	Readable, Writable	Region Actions Download Dump
oleaut32.dll	0x00840000	0x008d0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000008f0000	0x008f0000	0x008fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000940000	0x00940000	0x0097ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000980000	0x00980000	0x0098ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000990000	0x00990000	0x00b10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000b20000	0x00b20000	0x01f1ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001f20000	0x01f20000	0x0232ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002670000	0x02670000	0x0277ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002700000	0x02700000	0x0273ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002770000	0x02770000	0x0277ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002780000	0x02780000	0x0287ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002880000	0x02880000	0x0297ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002980000	0x02980000	0x029bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000029c0000	0x029c0000	0x02abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ac0000	0x02ac0000	0x02afffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b00000	0x02b00000	0x02bfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002c00000	0x02c00000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002c40000	0x02c40000	0x02d3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74190000	0x74220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74500000	0x7463ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74640000	0x74729fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74730000	0x7475afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74760000	0x75b1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c40000	0x75c83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dc0000	0x75e03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x76280000	0x7630cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x764d0000	0x769acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x769b0000	0x76afcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76cf0000	0x76ea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76eb0000	0x76ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77050000	0x7705efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77070000	0x7718ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007fea4000	0x7fea4000	0x7fea6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007fea7000	0x7fea7000	0x7fea9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007feaa000	0x7feaa000	0x7feacfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7ffb3d30ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 23 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\users\ciihmn~1\appdata\local\temp\f2d7.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2d8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2e8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2f9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2fa.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2fb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2fc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f32c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f33c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f33d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f33e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f33f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f350.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f351.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f381.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f382.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f383.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f384.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f385.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f396.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f397.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f398.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f399.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f39a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3d9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3da.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3eb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3ec.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3ed.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f3fd.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f41e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f42e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f42f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f430.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f441.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f442.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f472.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f473.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f474.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f475.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f485.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f486.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f487.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f488.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f499.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4b9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4ba.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4bb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4cc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4cd.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4ce.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4cf.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4df.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4e0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4f1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4f2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4f3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4f4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f4f5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f506.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f507.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f508.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f509.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f50a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f51a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f51b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f51c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f53d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f53e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f53f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f540.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f541.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f551.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f552.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f553.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f554.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f565.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f566.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f567.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f568.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f569.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f579.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f57a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f57b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f57c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f58d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f58e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f58f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f590.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5a1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5a2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5a3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5b3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5b4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5b5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5c6.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5c7.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5c8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5d9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5e9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5ea.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5fb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5fc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f5fd.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f60d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f60e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f60f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f610.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f621.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f622.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f623.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f634.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f635.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f636.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f637.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f647.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f648.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f649.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6b8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6c8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6c9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6da.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6db.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6dc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6ed.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6ee.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6fe.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f6ff.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f700.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f701.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f712.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f722.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f723.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f724.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f725.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f736.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f737.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f738.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f749.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f74a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f75a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f75b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f75c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f77d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f77e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f78e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f78f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f790.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7a1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7b1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7c2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7c3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7d4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7d5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f7e5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f806.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f816.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f827.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f837.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f838.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f849.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f84a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f84b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f85c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f86c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f86d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f89d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f89e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f89f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f8cf.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f8e0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f8f0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f8f1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f902.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f903.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f914.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f915.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f916.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f926.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f927.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f928.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f939.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f93a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f94a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f96b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f96c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f96d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f98d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f98e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f99f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9a0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9c0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9c1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9c2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9d2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9d3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9d4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9e5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9e6.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f9f7.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa07.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa08.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa09.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa0a.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa1b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa2c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa2d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa2e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa3e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa3f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa50.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa51.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa52.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa62.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa63.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa74.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa85.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa86.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa96.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa97.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa98.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fa99.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\faaa.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\faca.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\facb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\facc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\facd.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb4b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb6b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb6c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb6d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb7e.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb7f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb90.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fb91.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fba1.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fba2.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fba3.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbb4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbb5.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbb6.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbb7.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbd7.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbd8.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbe9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbea.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbeb.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbec.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbfc.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbfd.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fbfe.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fc0f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fc10.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fc11.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fc22.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\fc23.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\ciihmn~1\appdata\local\temp\f2d7.tmp	0.01 KB (8 bytes)	MD5: ab28e0b612bc4ddf226676cd532c962d SHA1: b59526005703af82972679d96fc346768b4bfae8 SHA256: 60e9853af737363ea6439bee3a65a6683c9afdf1a87425e2e03c4b247e16534f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2d8.tmp	0.01 KB (8 bytes)	MD5: ab28e0b612bc4ddf226676cd532c962d SHA1: b59526005703af82972679d96fc346768b4bfae8 SHA256: 60e9853af737363ea6439bee3a65a6683c9afdf1a87425e2e03c4b247e16534f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2e8.tmp	0.01 KB (8 bytes)	MD5: fd530f884ded068a1e9bd0ac2a1e36d8 SHA1: 4ccc4866976f7ec567851d7c90015a60fd7ccf2a SHA256: db674604dc1fe9df020558e69b3038c738c697231903aa596700ac18070ffe85	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2f9.tmp	0.01 KB (8 bytes)	MD5: df400c07cdf87dea697f5313673f45da SHA1: 78a9aa849ec7e4dc62c0a1f49454d93c45aabfca SHA256: da0800d82ed1c8d9d3a55ac2db30f1f9e27fdace3eb20f90926fcfbadc5a26f8	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2fa.tmp	0.01 KB (8 bytes)	MD5: 4721c4ad3b7ab96da65f5567ea559b3c SHA1: 54af4a938d39230c512a88002c59cb74f0bc0d07 SHA256: 4240d971d7c5c08a44a34da39e4e65e50322fa79dfcc7c1904395409116280b7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2fb.tmp	0.01 KB (8 bytes)	MD5: a8a2dadf629bfbc4b37e71549b0305f3 SHA1: a277c6508628e442c5d51332f94b533596097639 SHA256: 39e93984d5cd1d066156fd8694cede26f9c1cf87a1bcd93412a4adea1d435933	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f2fc.tmp	0.01 KB (8 bytes)	MD5: a8a2dadf629bfbc4b37e71549b0305f3 SHA1: a277c6508628e442c5d51332f94b533596097639 SHA256: 39e93984d5cd1d066156fd8694cede26f9c1cf87a1bcd93412a4adea1d435933	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f32c.tmp	0.01 KB (8 bytes)	MD5: cf7f81d4b988308d3cd856a6b41bbc56 SHA1: 7027b22c141ed485279594918c8593af5e251aba SHA256: b05fdcc590001a2ba4dc7ac6c86157b0f33767ca499f98e60d711e86c4351a7a	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f33c.tmp	0.01 KB (8 bytes)	MD5: 37b7354ecaa8543098eb12c981ad4402 SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f33d.tmp	0.01 KB (8 bytes)	MD5: 37b7354ecaa8543098eb12c981ad4402 SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f33e.tmp	0.01 KB (8 bytes)	MD5: 37b7354ecaa8543098eb12c981ad4402 SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f33f.tmp	0.01 KB (8 bytes)	MD5: 37b7354ecaa8543098eb12c981ad4402 SHA1: 4d7147388a576aeb70d0f8afb28cfc8461aca2af SHA256: 4509324384f471a0043d8adb1b060297bbf35c6ced8275ed4c667bc78e21bb2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f350.tmp	0.01 KB (8 bytes)	MD5: 6563b28cb7911859a2569c553f469639 SHA1: 11ccbfeeeb88c1587a72cd8875ed8600a511aeec SHA256: 9c91d18494f82e9c8ec624330f428cfb6866396caff0b7ff09ed31f91be429f8	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f351.tmp	0.01 KB (8 bytes)	MD5: 6563b28cb7911859a2569c553f469639 SHA1: 11ccbfeeeb88c1587a72cd8875ed8600a511aeec SHA256: 9c91d18494f82e9c8ec624330f428cfb6866396caff0b7ff09ed31f91be429f8	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f381.tmp	0.01 KB (8 bytes)	MD5: 103e0b8fd12bb07ef8961566a7765a55 SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2 SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f382.tmp	0.01 KB (8 bytes)	MD5: 103e0b8fd12bb07ef8961566a7765a55 SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2 SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f383.tmp	0.01 KB (8 bytes)	MD5: 103e0b8fd12bb07ef8961566a7765a55 SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2 SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f384.tmp	0.01 KB (8 bytes)	MD5: 103e0b8fd12bb07ef8961566a7765a55 SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2 SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f385.tmp	0.01 KB (8 bytes)	MD5: 103e0b8fd12bb07ef8961566a7765a55 SHA1: f84633d25ea9b41c542644c0a381cb8457721ca2 SHA256: b249383eaadc3cac29adbbd2b933929ed5d6054e781c28770961aecbc70d7974	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f396.tmp	0.01 KB (8 bytes)	MD5: 375354fe68646f0128f6ab29e48869bd SHA1: 041bcbffc817e9e86000ae0c3c77281280719268 SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f397.tmp	0.01 KB (8 bytes)	MD5: 375354fe68646f0128f6ab29e48869bd SHA1: 041bcbffc817e9e86000ae0c3c77281280719268 SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f398.tmp	0.01 KB (8 bytes)	MD5: 375354fe68646f0128f6ab29e48869bd SHA1: 041bcbffc817e9e86000ae0c3c77281280719268 SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f399.tmp	0.01 KB (8 bytes)	MD5: 375354fe68646f0128f6ab29e48869bd SHA1: 041bcbffc817e9e86000ae0c3c77281280719268 SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f39a.tmp	0.01 KB (8 bytes)	MD5: 375354fe68646f0128f6ab29e48869bd SHA1: 041bcbffc817e9e86000ae0c3c77281280719268 SHA256: 5d393fd606d3ae2b4153699180cef6ad3c3f5aebe6cf05c43c109f7634949670	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3d9.tmp	0.01 KB (8 bytes)	MD5: 9914902ffd73d3d52944d5f02c990052 SHA1: f1ba32861024ce89f2616150c71bd25a0be1097a SHA256: 438e2d2f7eed159de5d7d589ba5188e73b43c5f47aa6d561169346ae1e3d1c05	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3da.tmp	0.01 KB (8 bytes)	MD5: 9914902ffd73d3d52944d5f02c990052 SHA1: f1ba32861024ce89f2616150c71bd25a0be1097a SHA256: 438e2d2f7eed159de5d7d589ba5188e73b43c5f47aa6d561169346ae1e3d1c05	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3eb.tmp	0.01 KB (8 bytes)	MD5: 2841502da02a6dc1929c6b679d2d952b SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553 SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3ec.tmp	0.01 KB (8 bytes)	MD5: 2841502da02a6dc1929c6b679d2d952b SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553 SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3ed.tmp	0.01 KB (8 bytes)	MD5: 2841502da02a6dc1929c6b679d2d952b SHA1: e9542f012dcc2786e80130fd539129b7f7d6d553 SHA256: 7faae97a81dfe6e3a19ab568d3c36e4b68df217f4c7f21ea4bc13c1e33b8e92c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f3fd.tmp	0.01 KB (8 bytes)	MD5: 14f8d6416125ae53432caacf7f85edcf SHA1: cb0dc4b48c5703356951c02485ad6fcea8f6bc96 SHA256: 22924b1e57cb5405ae74e97b9d7b20c90b31c6111067035a1072de62688e230e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f41e.tmp	0.01 KB (8 bytes)	MD5: aa75d8a30aacd8184640a5bc63dd8add SHA1: 158000124dbae9ab0a834a306a1f2e52ead8cedd SHA256: c20f0cc73e42057066194ead502dee19fe7b65238890cc6ea3eca658d96ea018	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f42e.tmp	0.01 KB (8 bytes)	MD5: 684c21c6a46af124447bdb10f9c4de69 SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604 SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f42f.tmp	0.01 KB (8 bytes)	MD5: 684c21c6a46af124447bdb10f9c4de69 SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604 SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f430.tmp	0.01 KB (8 bytes)	MD5: 684c21c6a46af124447bdb10f9c4de69 SHA1: ebeb1642dad077201aab5cd2566c8f34b0a3b604 SHA256: a7c626455caeb41a1a6db61c703e08eb645ad45d2d84587ed95e25a1dccf756d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f441.tmp	0.01 KB (8 bytes)	MD5: 18ccd98a45f94ad63b8f2751d5c64f47 SHA1: 39cce3420bf79b006df70fad5bd4bd25a4ed2354 SHA256: 2a020923b05677c27a82d2e6b8a3e4385827616724b78702394d76b0a03a3841	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f442.tmp	0.01 KB (8 bytes)	MD5: 18ccd98a45f94ad63b8f2751d5c64f47 SHA1: 39cce3420bf79b006df70fad5bd4bd25a4ed2354 SHA256: 2a020923b05677c27a82d2e6b8a3e4385827616724b78702394d76b0a03a3841	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f472.tmp	0.01 KB (8 bytes)	MD5: 0fe5a713f286f220c91a08b30542ae0f SHA1: 452bdea5a923e770304174c86876749ad68736e5 SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f473.tmp	0.01 KB (8 bytes)	MD5: 0fe5a713f286f220c91a08b30542ae0f SHA1: 452bdea5a923e770304174c86876749ad68736e5 SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f474.tmp	0.01 KB (8 bytes)	MD5: 0fe5a713f286f220c91a08b30542ae0f SHA1: 452bdea5a923e770304174c86876749ad68736e5 SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f475.tmp	0.01 KB (8 bytes)	MD5: 0fe5a713f286f220c91a08b30542ae0f SHA1: 452bdea5a923e770304174c86876749ad68736e5 SHA256: 8123adf3394eb1db518c72de323441ab548b3ab30b9d3844102c1723c94d2f83	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f485.tmp	0.01 KB (8 bytes)	MD5: e102f4f45076f59380e7c6d844d55c39 SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21 SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f486.tmp	0.01 KB (8 bytes)	MD5: e102f4f45076f59380e7c6d844d55c39 SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21 SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f487.tmp	0.01 KB (8 bytes)	MD5: e102f4f45076f59380e7c6d844d55c39 SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21 SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f488.tmp	0.01 KB (8 bytes)	MD5: e102f4f45076f59380e7c6d844d55c39 SHA1: 3ac8c45455eaec9ee64251ecece9f70481af4b21 SHA256: 7822a8a931d8d38d67968a64e969ab18e9369a8d0b3fadbfd0018add463b0dd9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f499.tmp	0.01 KB (8 bytes)	MD5: 9884e4f00c2714eeebf230e5b40e9480 SHA1: be8269c4c4929b4f35d057725d122d17805716b9 SHA256: f42fda1c199b447e1d1e4008eb7897c4ca4ecf3a2f7fdea829b9c35e6e044458	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4b9.tmp	0.01 KB (8 bytes)	MD5: b9fbcebb04b9f7e4d3f07b023a0229fd SHA1: f2173b4759317545d5f81a88982aa637099de5b6 SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4ba.tmp	0.01 KB (8 bytes)	MD5: b9fbcebb04b9f7e4d3f07b023a0229fd SHA1: f2173b4759317545d5f81a88982aa637099de5b6 SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4bb.tmp	0.01 KB (8 bytes)	MD5: b9fbcebb04b9f7e4d3f07b023a0229fd SHA1: f2173b4759317545d5f81a88982aa637099de5b6 SHA256: 359c38c6582afda6a9913c1f4870e5e35e47a1f8d6959dea71abb2b94b094476	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4cc.tmp	0.01 KB (8 bytes)	MD5: b3574d66d7c98d6f82168937555180f2 SHA1: c7e08e3a085493db3cb9df920890015bda11cc50 SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4cd.tmp	0.01 KB (8 bytes)	MD5: b3574d66d7c98d6f82168937555180f2 SHA1: c7e08e3a085493db3cb9df920890015bda11cc50 SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4ce.tmp	0.01 KB (8 bytes)	MD5: b3574d66d7c98d6f82168937555180f2 SHA1: c7e08e3a085493db3cb9df920890015bda11cc50 SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4cf.tmp	0.01 KB (8 bytes)	MD5: b3574d66d7c98d6f82168937555180f2 SHA1: c7e08e3a085493db3cb9df920890015bda11cc50 SHA256: 8544a403db6bc12357c9d122731239fb5101b1949bdfe09ffe6dbfeebcc73919	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4df.tmp	0.01 KB (8 bytes)	MD5: 426861378070228083370ab1716f5d34 SHA1: 6bdb6c1b524e52bc373739e7022ee164a7b63086 SHA256: c371441da18d02cf86e7de5a784754e94b67f74f69012029901896b081d114d2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4e0.tmp	0.01 KB (8 bytes)	MD5: 426861378070228083370ab1716f5d34 SHA1: 6bdb6c1b524e52bc373739e7022ee164a7b63086 SHA256: c371441da18d02cf86e7de5a784754e94b67f74f69012029901896b081d114d2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4f1.tmp	0.01 KB (8 bytes)	MD5: 8c63a5d8e82e6edd83997890130d40c7 SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765 SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4f2.tmp	0.01 KB (8 bytes)	MD5: 8c63a5d8e82e6edd83997890130d40c7 SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765 SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4f3.tmp	0.01 KB (8 bytes)	MD5: 8c63a5d8e82e6edd83997890130d40c7 SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765 SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4f4.tmp	0.01 KB (8 bytes)	MD5: 8c63a5d8e82e6edd83997890130d40c7 SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765 SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f4f5.tmp	0.01 KB (8 bytes)	MD5: 8c63a5d8e82e6edd83997890130d40c7 SHA1: cb22abc76e59b8fd55b756731f2942b02a50d765 SHA256: 854926af3596aa48c171f2877729389f90de5d6add7a00334444d67683c510d6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f506.tmp	0.01 KB (8 bytes)	MD5: c753a995dd61c55c0ce9d9d0c996ed8a SHA1: 3ddcbdc4fe23523efffc6cd03757955809caa83f SHA256: d0750b1dbe19dff3d69c999b47a93a5cf6b79c4e776579d6372394b6c22b4226	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f507.tmp	0.01 KB (8 bytes)	MD5: c753a995dd61c55c0ce9d9d0c996ed8a SHA1: 3ddcbdc4fe23523efffc6cd03757955809caa83f SHA256: d0750b1dbe19dff3d69c999b47a93a5cf6b79c4e776579d6372394b6c22b4226	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f508.tmp	0.01 KB (8 bytes)	MD5: c753a995dd61c55c0ce9d9d0c996ed8a SHA1: 3ddcbdc4fe23523efffc6cd03757955809caa83f SHA256: d0750b1dbe19dff3d69c999b47a93a5cf6b79c4e776579d6372394b6c22b4226	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f509.tmp	0.01 KB (8 bytes)	MD5: c753a995dd61c55c0ce9d9d0c996ed8a SHA1: 3ddcbdc4fe23523efffc6cd03757955809caa83f SHA256: d0750b1dbe19dff3d69c999b47a93a5cf6b79c4e776579d6372394b6c22b4226	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f50a.tmp	0.01 KB (8 bytes)	MD5: c753a995dd61c55c0ce9d9d0c996ed8a SHA1: 3ddcbdc4fe23523efffc6cd03757955809caa83f SHA256: d0750b1dbe19dff3d69c999b47a93a5cf6b79c4e776579d6372394b6c22b4226	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f51a.tmp	0.01 KB (8 bytes)	MD5: a3894421dceb69d0f1ad369951902696 SHA1: ec9e7a1edd0c96c7522983fc4d03bfe30a7446a5 SHA256: 16d20f692fc19048728ae91e65e8c6e1e260af1e71617b19192047fd64ea981e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f51b.tmp	0.01 KB (8 bytes)	MD5: a3894421dceb69d0f1ad369951902696 SHA1: ec9e7a1edd0c96c7522983fc4d03bfe30a7446a5 SHA256: 16d20f692fc19048728ae91e65e8c6e1e260af1e71617b19192047fd64ea981e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f51c.tmp	0.01 KB (8 bytes)	MD5: a3894421dceb69d0f1ad369951902696 SHA1: ec9e7a1edd0c96c7522983fc4d03bfe30a7446a5 SHA256: 16d20f692fc19048728ae91e65e8c6e1e260af1e71617b19192047fd64ea981e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f53d.tmp	0.01 KB (8 bytes)	MD5: 7d1c896adc01c20ba38921c393cf3bf5 SHA1: 0a6d1315f79a81a81ff0baebe5a096255566bab0 SHA256: 4655b8389012aa3c527d58ae9ca214ca5ed4cdfbf378bcd6fe1a04b3b53e85ca	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f53e.tmp	0.01 KB (8 bytes)	MD5: 7d1c896adc01c20ba38921c393cf3bf5 SHA1: 0a6d1315f79a81a81ff0baebe5a096255566bab0 SHA256: 4655b8389012aa3c527d58ae9ca214ca5ed4cdfbf378bcd6fe1a04b3b53e85ca	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f53f.tmp	0.01 KB (8 bytes)	MD5: 7d1c896adc01c20ba38921c393cf3bf5 SHA1: 0a6d1315f79a81a81ff0baebe5a096255566bab0 SHA256: 4655b8389012aa3c527d58ae9ca214ca5ed4cdfbf378bcd6fe1a04b3b53e85ca	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f540.tmp	0.01 KB (8 bytes)	MD5: 7d1c896adc01c20ba38921c393cf3bf5 SHA1: 0a6d1315f79a81a81ff0baebe5a096255566bab0 SHA256: 4655b8389012aa3c527d58ae9ca214ca5ed4cdfbf378bcd6fe1a04b3b53e85ca	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f541.tmp	0.01 KB (8 bytes)	MD5: 7d1c896adc01c20ba38921c393cf3bf5 SHA1: 0a6d1315f79a81a81ff0baebe5a096255566bab0 SHA256: 4655b8389012aa3c527d58ae9ca214ca5ed4cdfbf378bcd6fe1a04b3b53e85ca	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f551.tmp	0.01 KB (8 bytes)	MD5: 4a0b19c62039f27899009aabbdf4770d SHA1: f7cd0536d3e7f06fa69d9d2445911a3048a59c29 SHA256: 7567e47e4a26c271f09bf78392cd1a89f48c9803f8393306761911ebb53f032c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f552.tmp	0.01 KB (8 bytes)	MD5: 4a0b19c62039f27899009aabbdf4770d SHA1: f7cd0536d3e7f06fa69d9d2445911a3048a59c29 SHA256: 7567e47e4a26c271f09bf78392cd1a89f48c9803f8393306761911ebb53f032c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f553.tmp	0.01 KB (8 bytes)	MD5: 4a0b19c62039f27899009aabbdf4770d SHA1: f7cd0536d3e7f06fa69d9d2445911a3048a59c29 SHA256: 7567e47e4a26c271f09bf78392cd1a89f48c9803f8393306761911ebb53f032c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f554.tmp	0.01 KB (8 bytes)	MD5: 4a0b19c62039f27899009aabbdf4770d SHA1: f7cd0536d3e7f06fa69d9d2445911a3048a59c29 SHA256: 7567e47e4a26c271f09bf78392cd1a89f48c9803f8393306761911ebb53f032c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f565.tmp	0.01 KB (8 bytes)	MD5: 23b161ac199d8c597729dbdb84b9c077 SHA1: 03ecd7fa3b32daf89555f179195c5c4ea2eea2d9 SHA256: c7624be02d1c2cb148ab1636771aebeb4cbb4eaa771e63c14b6433a1ee5b33c4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f566.tmp	0.01 KB (8 bytes)	MD5: 23b161ac199d8c597729dbdb84b9c077 SHA1: 03ecd7fa3b32daf89555f179195c5c4ea2eea2d9 SHA256: c7624be02d1c2cb148ab1636771aebeb4cbb4eaa771e63c14b6433a1ee5b33c4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f567.tmp	0.01 KB (8 bytes)	MD5: 23b161ac199d8c597729dbdb84b9c077 SHA1: 03ecd7fa3b32daf89555f179195c5c4ea2eea2d9 SHA256: c7624be02d1c2cb148ab1636771aebeb4cbb4eaa771e63c14b6433a1ee5b33c4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f568.tmp	0.01 KB (8 bytes)	MD5: 23b161ac199d8c597729dbdb84b9c077 SHA1: 03ecd7fa3b32daf89555f179195c5c4ea2eea2d9 SHA256: c7624be02d1c2cb148ab1636771aebeb4cbb4eaa771e63c14b6433a1ee5b33c4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f569.tmp	0.01 KB (8 bytes)	MD5: 23b161ac199d8c597729dbdb84b9c077 SHA1: 03ecd7fa3b32daf89555f179195c5c4ea2eea2d9 SHA256: c7624be02d1c2cb148ab1636771aebeb4cbb4eaa771e63c14b6433a1ee5b33c4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f579.tmp	0.01 KB (8 bytes)	MD5: 6c2e843da5e5c4585641c3e39a20d0b5 SHA1: b0310d8410d972e6653160557a61c3740a392da7 SHA256: f8f41e0bf9b26685f9f49a646407fda564b61f98fbfc46499113ebfaf04ca409	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f57a.tmp	0.01 KB (8 bytes)	MD5: 6c2e843da5e5c4585641c3e39a20d0b5 SHA1: b0310d8410d972e6653160557a61c3740a392da7 SHA256: f8f41e0bf9b26685f9f49a646407fda564b61f98fbfc46499113ebfaf04ca409	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f57b.tmp	0.01 KB (8 bytes)	MD5: 6c2e843da5e5c4585641c3e39a20d0b5 SHA1: b0310d8410d972e6653160557a61c3740a392da7 SHA256: f8f41e0bf9b26685f9f49a646407fda564b61f98fbfc46499113ebfaf04ca409	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f57c.tmp	0.01 KB (8 bytes)	MD5: 6c2e843da5e5c4585641c3e39a20d0b5 SHA1: b0310d8410d972e6653160557a61c3740a392da7 SHA256: f8f41e0bf9b26685f9f49a646407fda564b61f98fbfc46499113ebfaf04ca409	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f58d.tmp	0.01 KB (8 bytes)	MD5: 82a4d57805e2c28295c1b84376ec3403 SHA1: 9b8b4271cd9764a98008263488ebde8bf9a0e68b SHA256: 3de59a36c317e7c0fae4c4aec2d5631570bee33aa9253993883c14fb2da50bcf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f58e.tmp	0.01 KB (8 bytes)	MD5: 82a4d57805e2c28295c1b84376ec3403 SHA1: 9b8b4271cd9764a98008263488ebde8bf9a0e68b SHA256: 3de59a36c317e7c0fae4c4aec2d5631570bee33aa9253993883c14fb2da50bcf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f58f.tmp	0.01 KB (8 bytes)	MD5: 82a4d57805e2c28295c1b84376ec3403 SHA1: 9b8b4271cd9764a98008263488ebde8bf9a0e68b SHA256: 3de59a36c317e7c0fae4c4aec2d5631570bee33aa9253993883c14fb2da50bcf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f590.tmp	0.01 KB (8 bytes)	MD5: 82a4d57805e2c28295c1b84376ec3403 SHA1: 9b8b4271cd9764a98008263488ebde8bf9a0e68b SHA256: 3de59a36c317e7c0fae4c4aec2d5631570bee33aa9253993883c14fb2da50bcf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5a1.tmp	0.01 KB (8 bytes)	MD5: 65bd4174941856c5365044693e566c11 SHA1: 03448f68180ca7416d9353e9c8430b8188253396 SHA256: f36f82223a4a106163c74c0ad620c3047d3cc2cdc0e232801e223e95381d309c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5a2.tmp	0.01 KB (8 bytes)	MD5: 65bd4174941856c5365044693e566c11 SHA1: 03448f68180ca7416d9353e9c8430b8188253396 SHA256: f36f82223a4a106163c74c0ad620c3047d3cc2cdc0e232801e223e95381d309c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5a3.tmp	0.01 KB (8 bytes)	MD5: 65bd4174941856c5365044693e566c11 SHA1: 03448f68180ca7416d9353e9c8430b8188253396 SHA256: f36f82223a4a106163c74c0ad620c3047d3cc2cdc0e232801e223e95381d309c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5b3.tmp	0.01 KB (8 bytes)	MD5: 909c4777c9d2ceee9731b841043461e7 SHA1: 836254f5cbc625d36dcdc47b8574c639efe502ee SHA256: 5642676307f1b769c607971b10c0cfa559892ae103fe09d5ea636dd2e7d9d01f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5b4.tmp	0.01 KB (8 bytes)	MD5: 909c4777c9d2ceee9731b841043461e7 SHA1: 836254f5cbc625d36dcdc47b8574c639efe502ee SHA256: 5642676307f1b769c607971b10c0cfa559892ae103fe09d5ea636dd2e7d9d01f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5b5.tmp	0.01 KB (8 bytes)	MD5: 909c4777c9d2ceee9731b841043461e7 SHA1: 836254f5cbc625d36dcdc47b8574c639efe502ee SHA256: 5642676307f1b769c607971b10c0cfa559892ae103fe09d5ea636dd2e7d9d01f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5c6.tmp	0.01 KB (8 bytes)	MD5: dac45c31e753c98cdfbb9a51edfb4ed1 SHA1: bb0f1154d13a8eb32ab2ea618c6b387761bdf2c7 SHA256: fa5f036fda7fcdfeb8aa05db8ff3ac6b531c448f81eb24a4f57df9709054c5ec	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5c7.tmp	0.01 KB (8 bytes)	MD5: dac45c31e753c98cdfbb9a51edfb4ed1 SHA1: bb0f1154d13a8eb32ab2ea618c6b387761bdf2c7 SHA256: fa5f036fda7fcdfeb8aa05db8ff3ac6b531c448f81eb24a4f57df9709054c5ec	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5c8.tmp	0.01 KB (8 bytes)	MD5: dac45c31e753c98cdfbb9a51edfb4ed1 SHA1: bb0f1154d13a8eb32ab2ea618c6b387761bdf2c7 SHA256: fa5f036fda7fcdfeb8aa05db8ff3ac6b531c448f81eb24a4f57df9709054c5ec	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5d9.tmp	0.01 KB (8 bytes)	MD5: 5d9e27165b41816cfcc8873e8e932017 SHA1: 86df95f8233d001921091452a721280960ed9701 SHA256: 55da333db9d4c95cad23543590530407e1b8613be331be9544ed0a5a74fe8f47	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5e9.tmp	0.01 KB (8 bytes)	MD5: 39651cbfc4ba04e334dfc22acb4677aa SHA1: f9a26317f4b5230acf410efc869e5cedf678243b SHA256: 8585ea0f33414259b66ecaf5f8704a786967be092f4f9f6cbe3dc837f3833374	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5ea.tmp	0.01 KB (8 bytes)	MD5: 39651cbfc4ba04e334dfc22acb4677aa SHA1: f9a26317f4b5230acf410efc869e5cedf678243b SHA256: 8585ea0f33414259b66ecaf5f8704a786967be092f4f9f6cbe3dc837f3833374	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5fb.tmp	0.01 KB (8 bytes)	MD5: 1eb125acfc4ea168b8f1b26d23e6e14a SHA1: 802479d5223500d2bcb0d688a12919792c1b7234 SHA256: 7044172508df63cd40967a61aa41ae2c93b5beddaeebfbacbe8320bab5369b4f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5fc.tmp	0.01 KB (8 bytes)	MD5: 1eb125acfc4ea168b8f1b26d23e6e14a SHA1: 802479d5223500d2bcb0d688a12919792c1b7234 SHA256: 7044172508df63cd40967a61aa41ae2c93b5beddaeebfbacbe8320bab5369b4f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f5fd.tmp	0.01 KB (8 bytes)	MD5: 1eb125acfc4ea168b8f1b26d23e6e14a SHA1: 802479d5223500d2bcb0d688a12919792c1b7234 SHA256: 7044172508df63cd40967a61aa41ae2c93b5beddaeebfbacbe8320bab5369b4f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f60d.tmp	0.01 KB (8 bytes)	MD5: d679411f3fa692e6b752155b21d207de SHA1: 0337b72b2c72bf5c45e9302038d87fe81e026adf SHA256: 4fb1ecfa8639a9267c67cbe35f87dc80958c06ea9e061b31449169aff6d63faf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f60e.tmp	0.01 KB (8 bytes)	MD5: d679411f3fa692e6b752155b21d207de SHA1: 0337b72b2c72bf5c45e9302038d87fe81e026adf SHA256: 4fb1ecfa8639a9267c67cbe35f87dc80958c06ea9e061b31449169aff6d63faf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f60f.tmp	0.01 KB (8 bytes)	MD5: d679411f3fa692e6b752155b21d207de SHA1: 0337b72b2c72bf5c45e9302038d87fe81e026adf SHA256: 4fb1ecfa8639a9267c67cbe35f87dc80958c06ea9e061b31449169aff6d63faf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f610.tmp	0.01 KB (8 bytes)	MD5: d679411f3fa692e6b752155b21d207de SHA1: 0337b72b2c72bf5c45e9302038d87fe81e026adf SHA256: 4fb1ecfa8639a9267c67cbe35f87dc80958c06ea9e061b31449169aff6d63faf	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f621.tmp	0.01 KB (8 bytes)	MD5: c434ddec0db61048762ff94721be7089 SHA1: e005a7ef6a8de613bccde48b1ee2a79dc6bb84c5 SHA256: db4e0f1ad6ecb6b825a9c9ba0687efc9038523a0584ab67902c20e2656612ef1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f622.tmp	0.01 KB (8 bytes)	MD5: c434ddec0db61048762ff94721be7089 SHA1: e005a7ef6a8de613bccde48b1ee2a79dc6bb84c5 SHA256: db4e0f1ad6ecb6b825a9c9ba0687efc9038523a0584ab67902c20e2656612ef1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f623.tmp	0.01 KB (8 bytes)	MD5: c434ddec0db61048762ff94721be7089 SHA1: e005a7ef6a8de613bccde48b1ee2a79dc6bb84c5 SHA256: db4e0f1ad6ecb6b825a9c9ba0687efc9038523a0584ab67902c20e2656612ef1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f634.tmp	0.01 KB (8 bytes)	MD5: 44e8b72140c5937b35d5e11930f7894d SHA1: 8d49dc7f490f9440bc696f6541d77fb475fc823a SHA256: 940ce76f327c39d19a5736ec21801f09c0f1b02f65fb91fad20dade63ac1916f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f635.tmp	0.01 KB (8 bytes)	MD5: 44e8b72140c5937b35d5e11930f7894d SHA1: 8d49dc7f490f9440bc696f6541d77fb475fc823a SHA256: 940ce76f327c39d19a5736ec21801f09c0f1b02f65fb91fad20dade63ac1916f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f636.tmp	0.01 KB (8 bytes)	MD5: 44e8b72140c5937b35d5e11930f7894d SHA1: 8d49dc7f490f9440bc696f6541d77fb475fc823a SHA256: 940ce76f327c39d19a5736ec21801f09c0f1b02f65fb91fad20dade63ac1916f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f637.tmp	0.01 KB (8 bytes)	MD5: e6cb259c1703ccdd1197a25dd4942506 SHA1: ddf517ac9febd17ed5f2231aefccc1d03c9b1049 SHA256: fdaf5dbca4e66c9a3bdcd8d821342467ee34d931352acadcb9eef82d8bc73298	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f647.tmp	0.01 KB (8 bytes)	MD5: e6cb259c1703ccdd1197a25dd4942506 SHA1: ddf517ac9febd17ed5f2231aefccc1d03c9b1049 SHA256: fdaf5dbca4e66c9a3bdcd8d821342467ee34d931352acadcb9eef82d8bc73298	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f648.tmp	0.01 KB (8 bytes)	MD5: e6cb259c1703ccdd1197a25dd4942506 SHA1: ddf517ac9febd17ed5f2231aefccc1d03c9b1049 SHA256: fdaf5dbca4e66c9a3bdcd8d821342467ee34d931352acadcb9eef82d8bc73298	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f649.tmp	0.01 KB (8 bytes)	MD5: e6cb259c1703ccdd1197a25dd4942506 SHA1: ddf517ac9febd17ed5f2231aefccc1d03c9b1049 SHA256: fdaf5dbca4e66c9a3bdcd8d821342467ee34d931352acadcb9eef82d8bc73298	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6b8.tmp	0.01 KB (8 bytes)	MD5: d9ae701f5dd0b628c625a54059cb9744 SHA1: 49aee81e576bd9dbfba4d2ccf670b594bf53a140 SHA256: 6c4b9203660981bcdcec8d86415f9b4cdbee1c4471a1da2a90d0f8b4a6cd6290	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6c8.tmp	0.01 KB (8 bytes)	MD5: c4559a377c8f3401cca201ae5c720ef7 SHA1: 3562ca4504eb475d1b1041998c7dac1318917d40 SHA256: 0cb503a6c00617b3243aade53619796743a68a841325b68bdb34d2248164e300	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6c9.tmp	0.01 KB (8 bytes)	MD5: c4559a377c8f3401cca201ae5c720ef7 SHA1: 3562ca4504eb475d1b1041998c7dac1318917d40 SHA256: 0cb503a6c00617b3243aade53619796743a68a841325b68bdb34d2248164e300	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6da.tmp	0.01 KB (8 bytes)	MD5: 3d47d77bc99f5fe1d95276a04cce1137 SHA1: ed18709babbec5fdbddf0dd8aabb12bf68fea721 SHA256: d07a04edff9dc3e382e4852c5af20f3fc0d8aa10e925a89c38c4d555fd4f9f78	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6db.tmp	0.01 KB (8 bytes)	MD5: 3d47d77bc99f5fe1d95276a04cce1137 SHA1: ed18709babbec5fdbddf0dd8aabb12bf68fea721 SHA256: d07a04edff9dc3e382e4852c5af20f3fc0d8aa10e925a89c38c4d555fd4f9f78	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6dc.tmp	0.01 KB (8 bytes)	MD5: 3d47d77bc99f5fe1d95276a04cce1137 SHA1: ed18709babbec5fdbddf0dd8aabb12bf68fea721 SHA256: d07a04edff9dc3e382e4852c5af20f3fc0d8aa10e925a89c38c4d555fd4f9f78	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6ed.tmp	0.01 KB (8 bytes)	MD5: 9eb625764eff9a5f53568df532d096ed SHA1: d10090a0b0ad3cf65d7bf341298295b93c75213b SHA256: 5d14c595d307d37561310fc179766d170422b1cdf39cdca4e25e2d0153f92cb3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6ee.tmp	0.01 KB (8 bytes)	MD5: 9eb625764eff9a5f53568df532d096ed SHA1: d10090a0b0ad3cf65d7bf341298295b93c75213b SHA256: 5d14c595d307d37561310fc179766d170422b1cdf39cdca4e25e2d0153f92cb3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6fe.tmp	0.01 KB (8 bytes)	MD5: b5efbbd58f1dbb99e7fa14062ac32059 SHA1: 77fa96cf44e3939971ca3b9342b7b6c62c508187 SHA256: a7233f7c8b8a2957d37230ab75c25294696b7799ef4e5501ca51609331aa6a8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f6ff.tmp	0.01 KB (8 bytes)	MD5: b5efbbd58f1dbb99e7fa14062ac32059 SHA1: 77fa96cf44e3939971ca3b9342b7b6c62c508187 SHA256: a7233f7c8b8a2957d37230ab75c25294696b7799ef4e5501ca51609331aa6a8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f700.tmp	0.01 KB (8 bytes)	MD5: b5efbbd58f1dbb99e7fa14062ac32059 SHA1: 77fa96cf44e3939971ca3b9342b7b6c62c508187 SHA256: a7233f7c8b8a2957d37230ab75c25294696b7799ef4e5501ca51609331aa6a8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f701.tmp	0.01 KB (8 bytes)	MD5: e26e61abc079fd0947f6a6a8b92eb4a7 SHA1: 7f76ab35199a93d5e2c0e6fdb557f3307278241a SHA256: f808fc0bccf2dff452da42c01e07725c2da632190bd91a5f6c6699cc91fdeb3f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f712.tmp	0.01 KB (8 bytes)	MD5: e26e61abc079fd0947f6a6a8b92eb4a7 SHA1: 7f76ab35199a93d5e2c0e6fdb557f3307278241a SHA256: f808fc0bccf2dff452da42c01e07725c2da632190bd91a5f6c6699cc91fdeb3f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f722.tmp	0.01 KB (8 bytes)	MD5: 4d65fe16cac0bcd7260a56a45bcf8f5d SHA1: f62d92c1bc87085916fe4e42952634f38083f67b SHA256: 8e804af1c8c68413dbc3bf40dc1b88ac1a6e5d545d07262995317429e3befeb6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f723.tmp	0.01 KB (8 bytes)	MD5: 4d65fe16cac0bcd7260a56a45bcf8f5d SHA1: f62d92c1bc87085916fe4e42952634f38083f67b SHA256: 8e804af1c8c68413dbc3bf40dc1b88ac1a6e5d545d07262995317429e3befeb6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f724.tmp	0.01 KB (8 bytes)	MD5: 4d65fe16cac0bcd7260a56a45bcf8f5d SHA1: f62d92c1bc87085916fe4e42952634f38083f67b SHA256: 8e804af1c8c68413dbc3bf40dc1b88ac1a6e5d545d07262995317429e3befeb6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f725.tmp	0.01 KB (8 bytes)	MD5: 4d65fe16cac0bcd7260a56a45bcf8f5d SHA1: f62d92c1bc87085916fe4e42952634f38083f67b SHA256: 8e804af1c8c68413dbc3bf40dc1b88ac1a6e5d545d07262995317429e3befeb6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f736.tmp	0.01 KB (8 bytes)	MD5: f8afc9c6812316cec7696bb2a37678a3 SHA1: aaf7be35be5cc96b7b25100d4ab1b49f53752284 SHA256: 90624a7ba75f055bed571c30352161717c67572d7623e8936c9989b930990696	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f737.tmp	0.01 KB (8 bytes)	MD5: f8afc9c6812316cec7696bb2a37678a3 SHA1: aaf7be35be5cc96b7b25100d4ab1b49f53752284 SHA256: 90624a7ba75f055bed571c30352161717c67572d7623e8936c9989b930990696	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f738.tmp	0.01 KB (8 bytes)	MD5: f8afc9c6812316cec7696bb2a37678a3 SHA1: aaf7be35be5cc96b7b25100d4ab1b49f53752284 SHA256: 90624a7ba75f055bed571c30352161717c67572d7623e8936c9989b930990696	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f749.tmp	0.01 KB (8 bytes)	MD5: c42ccc8f7fbc68f572190e4e1572d7de SHA1: c237aac1bfdd06bbfeb577aaa3edc0d5e763d198 SHA256: 68dc58bf8e170ef3616394c060f41602c6bff4ebd2bdf8225dc24c20832d9068	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f74a.tmp	0.01 KB (8 bytes)	MD5: c42ccc8f7fbc68f572190e4e1572d7de SHA1: c237aac1bfdd06bbfeb577aaa3edc0d5e763d198 SHA256: 68dc58bf8e170ef3616394c060f41602c6bff4ebd2bdf8225dc24c20832d9068	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f75a.tmp	0.01 KB (8 bytes)	MD5: 1465f646c10c7a837ad269d7406b7648 SHA1: 2127e787799c9e7d732630fc4dfb1ea4d0617aad SHA256: 18c80ffadcc8321911f11ad7c61f13d1be11378edcceb69494fe84a366393896	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f75b.tmp	0.01 KB (8 bytes)	MD5: 1465f646c10c7a837ad269d7406b7648 SHA1: 2127e787799c9e7d732630fc4dfb1ea4d0617aad SHA256: 18c80ffadcc8321911f11ad7c61f13d1be11378edcceb69494fe84a366393896	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f75c.tmp	0.01 KB (8 bytes)	MD5: 1465f646c10c7a837ad269d7406b7648 SHA1: 2127e787799c9e7d732630fc4dfb1ea4d0617aad SHA256: 18c80ffadcc8321911f11ad7c61f13d1be11378edcceb69494fe84a366393896	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f77d.tmp	0.01 KB (8 bytes)	MD5: bcce097053a3f275ce63b83cc9003344 SHA1: 940b3f697a8db360b6583033e24b09217e81b226 SHA256: d7d4ea3fb166395e6967e5f2aeb2a9099cd58fc3c0bd5c4c2b02f9876411c6f4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f77e.tmp	0.01 KB (8 bytes)	MD5: bcce097053a3f275ce63b83cc9003344 SHA1: 940b3f697a8db360b6583033e24b09217e81b226 SHA256: d7d4ea3fb166395e6967e5f2aeb2a9099cd58fc3c0bd5c4c2b02f9876411c6f4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f78e.tmp	0.01 KB (8 bytes)	MD5: 2772d0360800271925bf506615111529 SHA1: ae6369b1f7b9a6b43c7cdbaf3245e8f1f54fd0e3 SHA256: 159758f584f37f9f1f2b5317516c5a55814a2532cd4014a3f6b580d7d42b8b42	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f78f.tmp	0.01 KB (8 bytes)	MD5: 2772d0360800271925bf506615111529 SHA1: ae6369b1f7b9a6b43c7cdbaf3245e8f1f54fd0e3 SHA256: 159758f584f37f9f1f2b5317516c5a55814a2532cd4014a3f6b580d7d42b8b42	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f790.tmp	0.01 KB (8 bytes)	MD5: 2772d0360800271925bf506615111529 SHA1: ae6369b1f7b9a6b43c7cdbaf3245e8f1f54fd0e3 SHA256: 159758f584f37f9f1f2b5317516c5a55814a2532cd4014a3f6b580d7d42b8b42	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7a1.tmp	0.01 KB (8 bytes)	MD5: 2677f86fc97191cfdcf4df7911e67aaa SHA1: 96f634f884f15734c7288f84f3b2d75ee84a3b68 SHA256: 5189b0d164dcaf3e4cc07d9401f77ec50cc9fc77957fff4acc1c7aa374a3d584	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7b1.tmp	0.01 KB (8 bytes)	MD5: f0c25a3aa9b0acff64a2af4b9cf1afd3 SHA1: c42fcede3a7f5920d2cfa0a2a3ee3e1348f1779e SHA256: 4a0e739848ed9baf99b6ac33eff9047b483488bbaf9039c7d996eb9e1752fe6f	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7c2.tmp	0.01 KB (8 bytes)	MD5: 1948b9f403d68cd6844908aabcc5c939 SHA1: 67e3f5a917854dd20c1f7cd6ec9848514967ba58 SHA256: 8522cb0c4505729ace062d2b3c3647447ef8fbf03a1e9c5f1acc638bf78cff5b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7c3.tmp	0.01 KB (8 bytes)	MD5: 1948b9f403d68cd6844908aabcc5c939 SHA1: 67e3f5a917854dd20c1f7cd6ec9848514967ba58 SHA256: 8522cb0c4505729ace062d2b3c3647447ef8fbf03a1e9c5f1acc638bf78cff5b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7d4.tmp	0.01 KB (8 bytes)	MD5: bd51cab61855f9d12f4d77bc8385e650 SHA1: 2b6c410e14106ae324de9ebd37a3f50ef2116bb0 SHA256: 4901e09aaca43a2224b3d3ab32d7bfb8aa2811168c7c56e847450c90977ff47c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7d5.tmp	0.01 KB (8 bytes)	MD5: bd51cab61855f9d12f4d77bc8385e650 SHA1: 2b6c410e14106ae324de9ebd37a3f50ef2116bb0 SHA256: 4901e09aaca43a2224b3d3ab32d7bfb8aa2811168c7c56e847450c90977ff47c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f7e5.tmp	0.01 KB (8 bytes)	MD5: db556c7c5654a84643530888819e14fa SHA1: 02c237a4065b907e3f5633d14ed2eb3724d15a7c SHA256: 45ec52e9a1b57b459fec2e02f20ee3e068b84a29ce3879f504d41ed2bec6e2f7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f806.tmp	0.01 KB (8 bytes)	MD5: 0b35b5699bddbc69989221709be7da6f SHA1: 5c0a221bea8809640159e961559f2581fc57c7ae SHA256: 5d9a9fb8e5859dbd9b32a5ab686bd912418accdfb41a8d92066e314a0a12cdd4	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f816.tmp	0.01 KB (8 bytes)	MD5: f036b8921890b0d10f00a5bf5bdec729 SHA1: be34e2dd32efe37497f5edcc21d63c56bdc8c9a2 SHA256: 586b668ed7a5c3b8adbf7304f8d0ba1e81b7f6db1c8e28f36cf0d84cdb496085	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f827.tmp	0.01 KB (8 bytes)	MD5: 34f91cc086c33b49dd108f5b14450c89 SHA1: e6bed0a0920ac06a427b3bc6a3243128a7eb50a9 SHA256: 28df75a9d1d3bbfd16bc948c6efe745cdba2d547b02b6f075ca9b8d3f3f26e29	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f837.tmp	0.01 KB (8 bytes)	MD5: 5d788fedeae6f1d83c718b993aaf0edd SHA1: ff657760b607416f954c0d0f02cd4081f1bf8884 SHA256: 38dd54a874e8468282ba8fda9eb499c8c9279e5ecbcfdee55be0059a1c9c4fac	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f838.tmp	0.01 KB (8 bytes)	MD5: 5d788fedeae6f1d83c718b993aaf0edd SHA1: ff657760b607416f954c0d0f02cd4081f1bf8884 SHA256: 38dd54a874e8468282ba8fda9eb499c8c9279e5ecbcfdee55be0059a1c9c4fac	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f849.tmp	0.01 KB (8 bytes)	MD5: e7afa0433ffd6793611c0a074ae02376 SHA1: 81765b7c10b940e6b6a118e2c4830b581485ca05 SHA256: d356cc8eb66171878f6a4055f83203f1ee1de244eb98f46917db817182bed6a5	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f84a.tmp	0.01 KB (8 bytes)	MD5: e7afa0433ffd6793611c0a074ae02376 SHA1: 81765b7c10b940e6b6a118e2c4830b581485ca05 SHA256: d356cc8eb66171878f6a4055f83203f1ee1de244eb98f46917db817182bed6a5	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f84b.tmp	0.01 KB (8 bytes)	MD5: e7afa0433ffd6793611c0a074ae02376 SHA1: 81765b7c10b940e6b6a118e2c4830b581485ca05 SHA256: d356cc8eb66171878f6a4055f83203f1ee1de244eb98f46917db817182bed6a5	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f85c.tmp	0.01 KB (8 bytes)	MD5: 73b3446145b1a005af670273cae6c659 SHA1: 1a5f91c6abd1921fdc318aee04047214c53b7728 SHA256: 2e0cb62b2237bf00fc5d0cac237814459bc1a8c55af3a8322a516be603f607b7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f86c.tmp	0.01 KB (8 bytes)	MD5: 53b31cba57364071f0b92fde987dbb3d SHA1: 5ce79151e953a2e7274fed831cbbad2172425346 SHA256: c8d9a97dda600fdc3fd84b54389f23829622ab669cc670f6f1b38726dc8b0566	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f86d.tmp	0.01 KB (8 bytes)	MD5: 53b31cba57364071f0b92fde987dbb3d SHA1: 5ce79151e953a2e7274fed831cbbad2172425346 SHA256: c8d9a97dda600fdc3fd84b54389f23829622ab669cc670f6f1b38726dc8b0566	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f89d.tmp	0.01 KB (8 bytes)	MD5: 95da43c0275776c1345d8855df05c984 SHA1: 58ee37d07d867952be28228ea30697d807db2114 SHA256: 42904201e2d09103766321fa614bd05f4a00c54de19288f8aff55e05ea5d6a70	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f89e.tmp	0.01 KB (8 bytes)	MD5: 95da43c0275776c1345d8855df05c984 SHA1: 58ee37d07d867952be28228ea30697d807db2114 SHA256: 42904201e2d09103766321fa614bd05f4a00c54de19288f8aff55e05ea5d6a70	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f89f.tmp	0.01 KB (8 bytes)	MD5: a09268114b4cb6df8a6767265fa71727 SHA1: b51ae0ee85cbeb67a4aa34a88bcbb8aa174c6221 SHA256: 4341640a4f141d3a35ab3c57580e1d2c9f71e3442ede2896bbf72f07968b3766	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f8cf.tmp	0.01 KB (8 bytes)	MD5: c1e7b3719d3e604334d4ea5170a9da97 SHA1: 814555207667f27a53e2e8a503c560032c132172 SHA256: aa09ad35144137e416e44096a8b9c5f5053673e504744d69a28ab53539de015c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f8e0.tmp	0.01 KB (8 bytes)	MD5: ad613ffd617822549d6c82e66c06dd4c SHA1: 4bd9d96d580efbdc14c7a2c24fa3403fbee0faec SHA256: df541758b76999b1786e35e3c6f9afab27889d377e60f31b21cea992d2cf3fc6	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f8f0.tmp	0.01 KB (8 bytes)	MD5: c9d7caaccde02d9cbe0f9af60d6827dc SHA1: 95a6a85dc88f99e224cf7a6fef66214033274a22 SHA256: 624b42c6e21d8e6392d494035eb838afc665f04bf8154cbebd3f99eab87a8777	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f8f1.tmp	0.01 KB (8 bytes)	MD5: c9d7caaccde02d9cbe0f9af60d6827dc SHA1: 95a6a85dc88f99e224cf7a6fef66214033274a22 SHA256: 624b42c6e21d8e6392d494035eb838afc665f04bf8154cbebd3f99eab87a8777	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f902.tmp	0.01 KB (8 bytes)	MD5: e483e583f1511325f2fa9904bb27fa70 SHA1: 4cd5bdd3a2fe1eec6fa520609fed4def59fd727f SHA256: 8226ebf822344f196d7f95a18bf20c7803664fa10947a9b73a8ef71083b33ad2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f903.tmp	0.01 KB (8 bytes)	MD5: e483e583f1511325f2fa9904bb27fa70 SHA1: 4cd5bdd3a2fe1eec6fa520609fed4def59fd727f SHA256: 8226ebf822344f196d7f95a18bf20c7803664fa10947a9b73a8ef71083b33ad2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f914.tmp	0.01 KB (8 bytes)	MD5: dd1e78498286fe8b7914235fbfe4772a SHA1: fb9888908deb70127878642bd1b74e5817873dc8 SHA256: 157c5610fdba420b1bcd3f2bf7a2dbaa541da0a951f077471f5b0024ec858d6e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f915.tmp	0.01 KB (8 bytes)	MD5: dd1e78498286fe8b7914235fbfe4772a SHA1: fb9888908deb70127878642bd1b74e5817873dc8 SHA256: 157c5610fdba420b1bcd3f2bf7a2dbaa541da0a951f077471f5b0024ec858d6e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f916.tmp	0.01 KB (8 bytes)	MD5: dd1e78498286fe8b7914235fbfe4772a SHA1: fb9888908deb70127878642bd1b74e5817873dc8 SHA256: 157c5610fdba420b1bcd3f2bf7a2dbaa541da0a951f077471f5b0024ec858d6e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f926.tmp	0.01 KB (8 bytes)	MD5: b0e57fcf3eb588d105106b90168b352c SHA1: ee62a235a427b229dfbeb59ff0c66e891b1ea9fc SHA256: 99e24199c9a832f4839c7e5c749dc99d2ef728004c42a30c6896edd5ada9a466	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f927.tmp	0.01 KB (8 bytes)	MD5: b0e57fcf3eb588d105106b90168b352c SHA1: ee62a235a427b229dfbeb59ff0c66e891b1ea9fc SHA256: 99e24199c9a832f4839c7e5c749dc99d2ef728004c42a30c6896edd5ada9a466	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f928.tmp	0.01 KB (8 bytes)	MD5: b0e57fcf3eb588d105106b90168b352c SHA1: ee62a235a427b229dfbeb59ff0c66e891b1ea9fc SHA256: 99e24199c9a832f4839c7e5c749dc99d2ef728004c42a30c6896edd5ada9a466	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f939.tmp	0.01 KB (8 bytes)	MD5: 6779791e5c451ee29f3f08eeecbdf3f1 SHA1: 0d10e85482ca5dfeaef1dccd914da033aaf479eb SHA256: 34bc853f027d1404caec15171d9d51a5e79f6ef0a423b7bbda419e71d6750288	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f93a.tmp	0.01 KB (8 bytes)	MD5: 6779791e5c451ee29f3f08eeecbdf3f1 SHA1: 0d10e85482ca5dfeaef1dccd914da033aaf479eb SHA256: 34bc853f027d1404caec15171d9d51a5e79f6ef0a423b7bbda419e71d6750288	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f94a.tmp	0.01 KB (8 bytes)	MD5: b04c67deab4025f734171f9b27454cbe SHA1: a36bb54f7d0f7545656de9e1a5d5efc9475f6a30 SHA256: 71127f5ad12f0455cabb4dc16456a9ea5004c3686b2c366961b59c5dac0f35ae	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f96b.tmp	0.01 KB (8 bytes)	MD5: f19a90ae7e669a69bff86c46ea7815da SHA1: 1994848ee4007ab80507cec3a98864d3214e9691 SHA256: a6af512d23f2e48b9184b61e0bfb9f9fc355d743e9fd10cbc97aeba44a27005b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f96c.tmp	0.01 KB (8 bytes)	MD5: 03dbace4773f49af413532681a14eec1 SHA1: bd48ed36b583498d83f67b28dcb029354af96ef3 SHA256: 59c055358a9142b72e21a30eb0492ce9af9cfbf4189768c8eca4d48f71029bc0	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f96d.tmp	0.01 KB (8 bytes)	MD5: 03dbace4773f49af413532681a14eec1 SHA1: bd48ed36b583498d83f67b28dcb029354af96ef3 SHA256: 59c055358a9142b72e21a30eb0492ce9af9cfbf4189768c8eca4d48f71029bc0	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f98d.tmp	0.01 KB (8 bytes)	MD5: 741a7dea8e76eb32e7142675d554f22b SHA1: 6b605107d3827f9c9ffd4029b72ccdd72628cdc2 SHA256: 8007de0dbdecff7d678e651c68a0b12b0dc20651fcdb628fc090c3084afeadd3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f98e.tmp	0.01 KB (8 bytes)	MD5: 741a7dea8e76eb32e7142675d554f22b SHA1: 6b605107d3827f9c9ffd4029b72ccdd72628cdc2 SHA256: 8007de0dbdecff7d678e651c68a0b12b0dc20651fcdb628fc090c3084afeadd3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f99f.tmp	0.01 KB (8 bytes)	MD5: 897a33741143f50b74704df8eec736d9 SHA1: 526a435f2efd108412d4088b073cabfeef22bac9 SHA256: bc7df27c00dd642509782a90f9d1b9dea55de8234d9de3890bd72c5f62ed56da	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9a0.tmp	0.01 KB (8 bytes)	MD5: 897a33741143f50b74704df8eec736d9 SHA1: 526a435f2efd108412d4088b073cabfeef22bac9 SHA256: bc7df27c00dd642509782a90f9d1b9dea55de8234d9de3890bd72c5f62ed56da	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9c0.tmp	0.01 KB (8 bytes)	MD5: c32740bd78c0eda34b5e1272188e4bbe SHA1: a5cc6a17b4a4e1ad7e0ea976d5989bbe2df6ba9a SHA256: dc2dba534fc133d5c92dd22761408da96ce04131d96f35f6808fd2dc21bb7374	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9c1.tmp	0.01 KB (8 bytes)	MD5: c32740bd78c0eda34b5e1272188e4bbe SHA1: a5cc6a17b4a4e1ad7e0ea976d5989bbe2df6ba9a SHA256: dc2dba534fc133d5c92dd22761408da96ce04131d96f35f6808fd2dc21bb7374	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9c2.tmp	0.01 KB (8 bytes)	MD5: c32740bd78c0eda34b5e1272188e4bbe SHA1: a5cc6a17b4a4e1ad7e0ea976d5989bbe2df6ba9a SHA256: dc2dba534fc133d5c92dd22761408da96ce04131d96f35f6808fd2dc21bb7374	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9d2.tmp	0.01 KB (8 bytes)	MD5: 7bfacda96d83ac7a5eab6029ed31d8d3 SHA1: 2b648c326cc2b2ee0a9f1cc4618d82ad1931571f SHA256: 6e4a86d543899fe2a0739fd7395794ed3f485f157b40dc2ca93817e3b604b913	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9d3.tmp	0.01 KB (8 bytes)	MD5: 7bfacda96d83ac7a5eab6029ed31d8d3 SHA1: 2b648c326cc2b2ee0a9f1cc4618d82ad1931571f SHA256: 6e4a86d543899fe2a0739fd7395794ed3f485f157b40dc2ca93817e3b604b913	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9d4.tmp	0.01 KB (8 bytes)	MD5: 7bfacda96d83ac7a5eab6029ed31d8d3 SHA1: 2b648c326cc2b2ee0a9f1cc4618d82ad1931571f SHA256: 6e4a86d543899fe2a0739fd7395794ed3f485f157b40dc2ca93817e3b604b913	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9e5.tmp	0.01 KB (8 bytes)	MD5: 8ac380e6de1059d479390edacc24a177 SHA1: fd26c908afa389126339d2688cfe38988c66d52d SHA256: 4f2143552d67291e7516198a09565806a4bd7c6ed70f8ed7f6f70326e54db657	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9e6.tmp	0.01 KB (8 bytes)	MD5: 8ac380e6de1059d479390edacc24a177 SHA1: fd26c908afa389126339d2688cfe38988c66d52d SHA256: 4f2143552d67291e7516198a09565806a4bd7c6ed70f8ed7f6f70326e54db657	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\f9f7.tmp	0.01 KB (8 bytes)	MD5: 125843ec029a307caee53b4425fbd0e3 SHA1: 05789d4895e3a75820e0f1e1a219abbb8f3755ec SHA256: 41350403f48627cc9cb7443ba08ddaf9e285945ec92ce302c10cb17d836a900c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa07.tmp	0.01 KB (8 bytes)	MD5: 32bc58962b0017f1042a028ce6cd759c SHA1: e857327c6c51dfd5f689e8703d9ab1292cedf6d6 SHA256: 09cd28b840d6944ed8ebb3b83a724556f693e4e08237ff5ce84c0d20ba24675b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa08.tmp	0.01 KB (8 bytes)	MD5: 32bc58962b0017f1042a028ce6cd759c SHA1: e857327c6c51dfd5f689e8703d9ab1292cedf6d6 SHA256: 09cd28b840d6944ed8ebb3b83a724556f693e4e08237ff5ce84c0d20ba24675b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa09.tmp	0.01 KB (8 bytes)	MD5: 32bc58962b0017f1042a028ce6cd759c SHA1: e857327c6c51dfd5f689e8703d9ab1292cedf6d6 SHA256: 09cd28b840d6944ed8ebb3b83a724556f693e4e08237ff5ce84c0d20ba24675b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa0a.tmp	0.01 KB (8 bytes)	MD5: 32bc58962b0017f1042a028ce6cd759c SHA1: e857327c6c51dfd5f689e8703d9ab1292cedf6d6 SHA256: 09cd28b840d6944ed8ebb3b83a724556f693e4e08237ff5ce84c0d20ba24675b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa1b.tmp	0.01 KB (8 bytes)	MD5: c861afd8ab2c119e747b9038121efbd4 SHA1: e4ef07dbdf70890a1ea1f4ce8c70ca3591809e3b SHA256: f44eb347a2110f8913a5ed5c5e9924f7a631103eb659a1b5b4e5dc35938d0b45	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa2c.tmp	0.01 KB (8 bytes)	MD5: 5c8edf47a392abb29245c0e97c788d2a SHA1: c8c9e10829621d8a837d039bbbc0ae90bf56f3df SHA256: fce9e4ccb87999fb59ee2e263f81df07f922388a0dbf4287833a5289c4d992b3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa2d.tmp	0.01 KB (8 bytes)	MD5: 5c8edf47a392abb29245c0e97c788d2a SHA1: c8c9e10829621d8a837d039bbbc0ae90bf56f3df SHA256: fce9e4ccb87999fb59ee2e263f81df07f922388a0dbf4287833a5289c4d992b3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa2e.tmp	0.01 KB (8 bytes)	MD5: 5c8edf47a392abb29245c0e97c788d2a SHA1: c8c9e10829621d8a837d039bbbc0ae90bf56f3df SHA256: fce9e4ccb87999fb59ee2e263f81df07f922388a0dbf4287833a5289c4d992b3	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa3e.tmp	0.01 KB (8 bytes)	MD5: ad92c5adef9404e652c1be24d9595274 SHA1: daef89630ad3aa8530b2d78ddd5a3839655ee87f SHA256: 38e33077367c38f9ec31aa9cf565a8cf75989237bbafe13fd01b4e34f12d2873	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa3f.tmp	0.01 KB (8 bytes)	MD5: ad92c5adef9404e652c1be24d9595274 SHA1: daef89630ad3aa8530b2d78ddd5a3839655ee87f SHA256: 38e33077367c38f9ec31aa9cf565a8cf75989237bbafe13fd01b4e34f12d2873	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa50.tmp	0.01 KB (8 bytes)	MD5: ed0ea0131bd1863d91c1615d80148e0b SHA1: 201e52a437c5b55eaf17ee2d2685ef39e4e77310 SHA256: e063b195f6b560352ca55d6b39967e1601c3b18ab9264069d844120ad6798bf7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa51.tmp	0.01 KB (8 bytes)	MD5: ed0ea0131bd1863d91c1615d80148e0b SHA1: 201e52a437c5b55eaf17ee2d2685ef39e4e77310 SHA256: e063b195f6b560352ca55d6b39967e1601c3b18ab9264069d844120ad6798bf7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa52.tmp	0.01 KB (8 bytes)	MD5: adb1ec5b8fff0370b151c026632030f2 SHA1: 1d513be75293975e4281946cd43c72c46f79605e SHA256: 0e6f743e28b5364aecef7a7a1f029993567f93edf44b36f3c98953df7c74fbee	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa62.tmp	0.01 KB (8 bytes)	MD5: adb1ec5b8fff0370b151c026632030f2 SHA1: 1d513be75293975e4281946cd43c72c46f79605e SHA256: 0e6f743e28b5364aecef7a7a1f029993567f93edf44b36f3c98953df7c74fbee	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa63.tmp	0.01 KB (8 bytes)	MD5: adb1ec5b8fff0370b151c026632030f2 SHA1: 1d513be75293975e4281946cd43c72c46f79605e SHA256: 0e6f743e28b5364aecef7a7a1f029993567f93edf44b36f3c98953df7c74fbee	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa74.tmp	0.01 KB (8 bytes)	MD5: 288eb2692b7d4dabd18b3cd550d15b5e SHA1: a742c56e5c9f1c78535a2d5c3d1b512ecc903701 SHA256: 63052ebdc0c14a1f49a392276d6846fede6bce315e1c4787d62da9d1a64cecd5	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa85.tmp	0.01 KB (8 bytes)	MD5: 138f3113f76d726288c4e978cb0413f2 SHA1: 611ca0828647b0ac4ea3bcd22f3c28686824a101 SHA256: 573fd261ce7b58332e9f24a7c4a17d2224e3d0d4c48941e5e03297a7d305f35b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa86.tmp	0.01 KB (8 bytes)	MD5: 138f3113f76d726288c4e978cb0413f2 SHA1: 611ca0828647b0ac4ea3bcd22f3c28686824a101 SHA256: 573fd261ce7b58332e9f24a7c4a17d2224e3d0d4c48941e5e03297a7d305f35b	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa96.tmp	0.01 KB (8 bytes)	MD5: 418548d74f249fbcc5f08511e5c7bb56 SHA1: b751b27e5a560d2973a7432be8e37d02686faf24 SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa97.tmp	0.01 KB (8 bytes)	MD5: 418548d74f249fbcc5f08511e5c7bb56 SHA1: b751b27e5a560d2973a7432be8e37d02686faf24 SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa98.tmp	0.01 KB (8 bytes)	MD5: 418548d74f249fbcc5f08511e5c7bb56 SHA1: b751b27e5a560d2973a7432be8e37d02686faf24 SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fa99.tmp	0.01 KB (8 bytes)	MD5: 418548d74f249fbcc5f08511e5c7bb56 SHA1: b751b27e5a560d2973a7432be8e37d02686faf24 SHA256: 146953e94da698ad13f60d6002476e2ee28273caff5ab17f059f1d9b97054b2c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\faaa.tmp	0.01 KB (8 bytes)	MD5: 0511f1993ecc2f294faa8dace502d19c SHA1: 98ee28a4f58bdac0f7e0ddc22e03a7f530956408 SHA256: fc0750c6642725c86799dc19741bc1a529186a18530d7fd030a3668e961b30b7	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\faca.tmp	0.01 KB (8 bytes)	MD5: b5975ffa385dc00cc1ee73251b6f7cdf SHA1: 87164e350ca6d29c9ea1aa778ea40372a8eef860 SHA256: 5e7554b0e9e8cdd55822716d16264911814f41976e4476e112c3a46bda5316df	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\facb.tmp	0.01 KB (8 bytes)	MD5: b5975ffa385dc00cc1ee73251b6f7cdf SHA1: 87164e350ca6d29c9ea1aa778ea40372a8eef860 SHA256: 5e7554b0e9e8cdd55822716d16264911814f41976e4476e112c3a46bda5316df	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\facc.tmp	0.01 KB (8 bytes)	MD5: 93c8cf85d0d5b115d17169d1e9308d1c SHA1: 0253e619a7e637ad4e0dc752f4847c5031faa630 SHA256: 77cef3d40b18c42fe9b813a853be8711f1b2f971da24c26fba35d44122d84b89	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\facd.tmp	0.01 KB (8 bytes)	MD5: 93c8cf85d0d5b115d17169d1e9308d1c SHA1: 0253e619a7e637ad4e0dc752f4847c5031faa630 SHA256: 77cef3d40b18c42fe9b813a853be8711f1b2f971da24c26fba35d44122d84b89	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb4b.tmp	0.01 KB (8 bytes)	MD5: a03c7050677123d24e0f908411639daf SHA1: faad9f20113781013e8895743428e74fb4abf633 SHA256: cf4c4c6109dcf0a94857fefd4dc36767bf61ca3885e9e575481096e24f290e4c	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb6b.tmp	0.01 KB (8 bytes)	MD5: 5021321237c3cbcedbe86bc2eda5575f SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567 SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb6c.tmp	0.01 KB (8 bytes)	MD5: 5021321237c3cbcedbe86bc2eda5575f SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567 SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb6d.tmp	0.01 KB (8 bytes)	MD5: 5021321237c3cbcedbe86bc2eda5575f SHA1: 8282b1d20c1cbb3149c3269733801eeb9a3de567 SHA256: 402bea642f6fa667bdd43ffe9acea915addead54da069c3282d074e05c03eb8e	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb7e.tmp	0.01 KB (8 bytes)	MD5: 3b6d47524dd9aadcd8087e8066cfedbb SHA1: 95e7c67e66d21b44a437cd408c1fe891073218e9 SHA256: 8a14e9bef42d8e77d645765a27de8d55846007ef73b48a4cdf37619801f93ce2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb7f.tmp	0.01 KB (8 bytes)	MD5: 3b6d47524dd9aadcd8087e8066cfedbb SHA1: 95e7c67e66d21b44a437cd408c1fe891073218e9 SHA256: 8a14e9bef42d8e77d645765a27de8d55846007ef73b48a4cdf37619801f93ce2	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb90.tmp	0.01 KB (8 bytes)	MD5: f98f23a4f9e6dc8f433d6c263e6ad636 SHA1: ca167eead7432324b32261a98f0b05f6fd581edc SHA256: df020e01c7255d67feab95591a7b9b90718d3d556352a17d5bc29c5a8df7cc41	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fb91.tmp	0.01 KB (8 bytes)	MD5: f98f23a4f9e6dc8f433d6c263e6ad636 SHA1: ca167eead7432324b32261a98f0b05f6fd581edc SHA256: df020e01c7255d67feab95591a7b9b90718d3d556352a17d5bc29c5a8df7cc41	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fba1.tmp	0.01 KB (8 bytes)	MD5: b8403b24cec2c2fe3ad8d388ff5c2692 SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fba2.tmp	0.01 KB (8 bytes)	MD5: b8403b24cec2c2fe3ad8d388ff5c2692 SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fba3.tmp	0.01 KB (8 bytes)	MD5: b8403b24cec2c2fe3ad8d388ff5c2692 SHA1: 391d3e10403f244ec1919fca4dd1bf5d2180d73a SHA256: 232b42d82017c86b66aa5f4dcd362c5be6aee746f55e8465a4eb1e62eb6fae3d	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbb4.tmp	0.01 KB (8 bytes)	MD5: e307f8f8f230a2dd8989867ae53a7840 SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9 SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbb5.tmp	0.01 KB (8 bytes)	MD5: e307f8f8f230a2dd8989867ae53a7840 SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9 SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbb6.tmp	0.01 KB (8 bytes)	MD5: e307f8f8f230a2dd8989867ae53a7840 SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9 SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbb7.tmp	0.01 KB (8 bytes)	MD5: e307f8f8f230a2dd8989867ae53a7840 SHA1: d6a7d14aeffddf8a05d8c52aaf0e949cc8af4df9 SHA256: f4d61ad4fa3f52aa710ba9ef52a71b9c8faa9dbbb52ff66c47b4441febe8c6e9	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbd7.tmp	0.01 KB (8 bytes)	MD5: 644b05368f7512cae99e3857f9027bcf SHA1: 690f3b113810afc8e70466194bf436cc1312b33e SHA256: 864f9116027c7a0276777094e7a0f8dc73993c34f9123c7d978ee744e4dbd500	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbd8.tmp	0.01 KB (8 bytes)	MD5: 644b05368f7512cae99e3857f9027bcf SHA1: 690f3b113810afc8e70466194bf436cc1312b33e SHA256: 864f9116027c7a0276777094e7a0f8dc73993c34f9123c7d978ee744e4dbd500	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbe9.tmp	0.01 KB (8 bytes)	MD5: 29a8e19f453787602095a98287b92983 SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbea.tmp	0.01 KB (8 bytes)	MD5: 29a8e19f453787602095a98287b92983 SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbeb.tmp	0.01 KB (8 bytes)	MD5: 29a8e19f453787602095a98287b92983 SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbec.tmp	0.01 KB (8 bytes)	MD5: 29a8e19f453787602095a98287b92983 SHA1: b7e1af9f360642f06d7d75a41e09838bdfc71afc SHA256: d7c0b9600744ea6c64c05815a19cf3d91ada60e64edeeb3f9a3b5fbc98a22ee1	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbfc.tmp	0.01 KB (8 bytes)	MD5: 03b26eefb62150cc56da444a144e9be1 SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbfd.tmp	0.01 KB (8 bytes)	MD5: 03b26eefb62150cc56da444a144e9be1 SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fbfe.tmp	0.01 KB (8 bytes)	MD5: 03b26eefb62150cc56da444a144e9be1 SHA1: f40a7f3e6c9d8b7a979d4d776a32767bb79bc89f SHA256: 1160ca78c4e98eda9addcb9966a4e56df9f102fcc1a9e48f3e6f512ff2974b61	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fc0f.tmp	0.01 KB (8 bytes)	MD5: 474a65b62cb05adc115bbd1ede09301b SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fc10.tmp	0.01 KB (8 bytes)	MD5: 474a65b62cb05adc115bbd1ede09301b SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fc11.tmp	0.01 KB (8 bytes)	MD5: 474a65b62cb05adc115bbd1ede09301b SHA1: 919343acf762452776e634a9bf202c30fb6a7f9b SHA256: 99eae660e8a11ebd18d71e8faf2fea8b3cfc95ae93bf339ff326e8e65b53a293	File Actions Show Properties Download
c:\users\ciihmn~1\appdata\local\temp\fc22.tmp	0.01 KB (8 bytes)	MD5: e6a85d90c192b656121d5fb773bc9c7c SHA1: f1923f3d154592e13686c626a452c5712572c703 SHA256: 4ab81fc69870779cdfccf4c642b53c832301c6173f803deb225a6e428b875813	File Actions Show Properties Download

Threads

Thread 0x568

(Host: 1623, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76bda330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76bd7580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76bd9910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76bdf400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmn~1\appdata\local\temp\84526935.scr, file_name_orig = C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70	2	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77190000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x771f8cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x771f8df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x771e3010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x771f8e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x771f8d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x771fe610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x771fee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x771fe7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x771f8f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x771f8e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x771f8e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x771de040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x771f9080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x771f9d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x771cb940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x771eaca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x771f8e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x75dc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x75dd7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x75de2900	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x75de1db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x75de26c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x75ddcd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x75dd80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x75dd6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x75dd83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameA, address_out = 0x75dd8970	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x76be60b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x76be5f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x76bddb30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76be57f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x76c00960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x76be6510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x76be61a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76be6590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x771cda90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x76be60c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x76be6380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76bd7940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76bd2db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x76bfd320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76bd77b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76be6170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76bd7540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76bd25e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76bd2d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x76be60d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x76bda4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76be74f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76bd9950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x76bdd940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76be6110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76be61b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76c00da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x76c02a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x76bda280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x76bded00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x76bdc1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x76be63f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x76be6140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x76be6410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76bd1b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x76be6360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x76bdf7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x76be6270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x76be6130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x76bd47c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76bd92b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x76bda300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76bd1d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76be61d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x76bde320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76bdc8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76bdefc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76be3a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76be6530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76bd9560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76bda040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76be6180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76bd2af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76bd7610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x76be64f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x76bfd410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76be6150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x76be62a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76bd87c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x76be6210	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7452ddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75d40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x75d5ee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d8bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x75d631a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x75d5ed40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x75d5ee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x75d60ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x75d63150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x75d5f0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x75d60750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x75d60ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x75d5f590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x75d62520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x75d5efa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x75d5ed60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75d5f000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x75d60f50	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74760000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x748f4cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x748f4370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x749d7560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x74640000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x76d5cd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x76d5dca0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\local\temp\84526935.scr, base_address = 0x400000	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2D8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2E8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2F9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F2FC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F32C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F33F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F350.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F351.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F381.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F382.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F383.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F384.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F385.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F396.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F397.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F398.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F399.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F39A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3D9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3DA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3EC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3ED.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F3FD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F41E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F42F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F430.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F441.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F442.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F472.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F473.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F474.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F475.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F485.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F486.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F487.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F488.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F499.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4B9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4BB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4CF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4DF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4E0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F4F5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F506.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F507.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F508.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F509.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F50A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F51C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F53F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F540.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F541.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F551.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F552.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F553.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F554.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F565.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F566.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F567.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F568.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F569.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F579.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F58F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F590.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5A3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5B5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5C8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5D9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5E9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5EA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F5FD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F60F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F610.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F621.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F622.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F623.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F634.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F635.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F636.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F637.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F647.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F648.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F649.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6B8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6C9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6DC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6ED.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6EE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F6FF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F700.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F701.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F712.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F722.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F723.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F724.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F725.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F736.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F737.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F738.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F749.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F74A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F75C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F77E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F78F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F790.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7A1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7B1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7C3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7D5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F7E5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F806.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F816.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F827.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F837.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F838.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F849.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F84B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F85C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F86D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F89F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
For performance reasons, the remaining 622 entries are omitted. The remaining entries can be found in glog.xml.

Process #4: cmd.exe

(Host: 252, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\syswow64\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat" "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr""
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:56, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:24

OS Process Information

Information	Value
PID	0xcc4
Parent PID	0xbec (c:\users\ciihmn~1\appdata\local\temp\84526935.scr)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x CCC 0x 5B4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000420000	0x00420000	0x0043ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x0042ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x00433fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x00441fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000440000	0x00440000	0x00443fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00463fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000470000	0x00470000	0x004affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x005affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x005b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x005c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005d0000	0x005d0000	0x005d1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005e0000	0x005e0000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00660000	0x0071dfff	Memory Mapped File	Readable	Region Actions
cmd.exe.mui	0x00720000	0x00740fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x008fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x009fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00beffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00bf0000	0x00f26fff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x01350000	0x0139ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000013a0000	0x013a0000	0x0539ffff	Pagefile Backed Memory	-	Region Actions
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cmdext.dll	0x73390000	0x73397fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f4b0000	0x7f4b0000	0x7f5affff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f5b0000	0x7f5b0000	0x7f5d2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f5d7000	0x7f5d7000	0x7f5d7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f5d9000	0x7f5d9000	0x7f5d9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f5da000	0x7f5da000	0x7f5dcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f5dd000	0x7f5dd000	0x7f5dffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb3d30ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb3d310000	0x7dfb3d310000	0x7ffb3d30ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xccc

(Host: 211, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x1350000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76c02780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 40, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76bdfa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76bda790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x760335c0	1	Fn
File	Get Info	filename = "C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 110	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 99	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 20	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 73	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 12	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 66	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 20	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 125	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xd80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 50	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 20	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 13	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 10	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 19	1	Fn Data
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	-	2	Fn
File	Read	size = 8191, size_out = 6	1	Fn Data
File	Open	-	1	Fn
File	Read	size = 8191, size_out = 0	1	Fn
File	Open	-	1	Fn
File	Get Info	type = file_type	1	Fn
File	Open	-	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 20	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 53	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, type = file_attributes	1	Fn
File	Open	filename = \??\C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\697\FD09.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #6: cmd.exe

(Host: 52, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr""
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:23

OS Process Information

Information	Value
PID	0xd80
Parent PID	0xcc4 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D64 0x D7C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000f30000	0x00f30000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000f30000	0x00f30000	0x00f3ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f43fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x00f51fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000f50000	0x00f50000	0x00f53fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f60000	0x00f60000	0x00f73fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000f80000	0x00f80000	0x00fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fc0000	0x00fc0000	0x010bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000010c0000	0x010c0000	0x010c3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000010d0000	0x010d0000	0x010d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000010e0000	0x010e0000	0x010e1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x010f0000	0x011adfff	Memory Mapped File	Readable	Region Actions
private_0x00000000011b0000	0x011b0000	0x011bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011c0000	0x011c0000	0x011fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001200000	0x01200000	0x012fffff	Private Memory	Readable, Writable	Region Actions
cmd.exe	0x01350000	0x0139ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000013a0000	0x013a0000	0x0539ffff	Pagefile Backed Memory	-	Region Actions
private_0x00000000054c0000	0x054c0000	0x055bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005760000	0x05760000	0x0576ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x05770000	0x05aa6fff	Memory Mapped File	Readable	Region Actions
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74190000	0x74220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysmain.sdb	0x7efd0000	0x7f35ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000007f360000	0x7f360000	0x7f45ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f460000	0x7f460000	0x7f482fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f485000	0x7f485000	0x7f485fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f487000	0x7f487000	0x7f489fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f48a000	0x7f48a000	0x7f48cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f48d000	0x7f48d000	0x7f48dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb3d30ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb3d310000	0x7dfb3d310000	0x7ffb3d30ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xd64

(Host: 48, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x1350000	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76c02780	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 56, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x76bdfa80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76bda790	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x760335c0	1	Fn
File	Get Info	filename = "C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe, os_pid = 0xd68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #7: chakmcat.exe

(Host: 3709, Network: 0)

Information	Value
ID	#7
File Name	c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe
Command Line	"C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe" "C:\Users\CIIHMN~1\AppData\Local\Temp\84526935.scr"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:23

OS Process Information

Information	Value
PID	0xd68
Parent PID	0xd80 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D60 0x D5C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x002f0000	0x003adfff	Memory Mapped File	Readable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
chakmcat.exe	0x00400000	0x004a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000004b0000	0x004b0000	0x005affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x00737fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x01ccffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001cd0000	0x01cd0000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001cd0000	0x01cd0000	0x01d2cfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01d68fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01d70fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000001d80000	0x01d80000	0x01db8fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01dc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e20000	0x01e20000	0x01e2ffff	Private Memory	Readable, Writable	Region Actions
oleaut32.dll	0x01e30000	0x01ec0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e30000	0x01e30000	0x022cffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x022d0000	0x02606fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002610000	0x02610000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x028d1fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002710000	0x02710000	0x027a1fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x00000000027b0000	0x027b0000	0x02971fff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x5c9f0000	0x5c9f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x5ca00000	0x5ca72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x5ca80000	0x5cacefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74190000	0x74220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74230000	0x74288fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74290000	0x74299fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x742a0000	0x742bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74500000	0x7463ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74640000	0x74729fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74730000	0x7475afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74760000	0x75b1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75b80000	0x75c3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c40000	0x75c83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d40000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dc0000	0x75e03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e70000	0x75f1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75f20000	0x76095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x760a0000	0x760e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x76280000	0x7630cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x764d0000	0x769acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x769b0000	0x76afcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76bc0000	0x76caffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76cf0000	0x76ea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76eb0000	0x76ebbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x77050000	0x7705efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77070000	0x7718ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77190000	0x77308fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb3d30ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb3d4d2000	0x7ffb3d4d2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xd60

(Host: 3698, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76bda330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76bd7580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76bd9910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76bdf400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\Amsisigd\Chakmcat.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x77190000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x771f8cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x771f8df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x771e3010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x771f8e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x771f8d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x771fe610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x771fee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x771fe7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x771f8f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x771f8e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x771f8e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x771de040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x771f9080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x771f9d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x771cb940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x771eaca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x771f8e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x75dc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x75dd7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x75de2900	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x75de1db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x75de26c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x75ddcd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x75dd80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x75dd6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x75dd83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameA, address_out = 0x75dd8970	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76bc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x76be60b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x76be5f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x76bddb30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76be57f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x76c00960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x76be6510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x76be61a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76be6590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x771cda90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x76be60c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x76be6380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76bd7940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76bd2db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x76bfd320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76bd77b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76be6170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76bd7540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76bd25e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76bd2d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x76be60d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x76bda4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76be74f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76bd9950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x76bdd940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76be6110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x76be61b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76c00da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x76c02a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x76bda280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x76bded00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x76bdc1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x76be63f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x76be6140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x76be6410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76bd1b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x76be6360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x76bdf7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x76be6270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x76be6130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x76bd47c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76bd92b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x76bda300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76bd1d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76be61d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x76bde320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76bdc8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76bdefc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76be3a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76be6530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76bd9560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76bda040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76be6180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76bd2af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76bd7610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x76be64f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x76bfd410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76be6150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x76be62a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76bd87c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x76be6210	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x74500000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x7452ddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7452ea00	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75d40000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x75d5ee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d8bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x75d631a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x75d5ed40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x75d5ee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x75d60ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x75d63150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x75d5f0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x75d60750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x75d60ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x75d5f590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x75d62520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x75d5efa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x75d5ed60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75d5f000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x75d60f50	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74760000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x748f4cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x748f4370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x749d7560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x74640000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x76d5cd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x76d5dca0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe, base_address = 0x400000	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12A6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12B9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12BA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12CD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12DD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12EF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\12F2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1302.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1303.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1304.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1305.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1316.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1317.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1318.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1319.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\131A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\132E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\133F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1340.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1341.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1352.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1353.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1354.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1355.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1375.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1376.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1387.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1388.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1389.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\138B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\139E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13AF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13B3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13C5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13D8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13E9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13EC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\13FF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1400.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1401.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1411.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1412.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1413.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1414.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1425.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1435.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1436.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1437.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1448.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1459.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\145A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\146E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\147F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1480.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1481.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1482.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1493.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1494.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1495.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1496.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1497.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14A9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14AB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14BF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14C0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14D4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14E9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\14FE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\150F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1510.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1511.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1512.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1523.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1524.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1525.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1526.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1527.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1528.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1539.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\153C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\154F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1560.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1561.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1562.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1563.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1564.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1574.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1575.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1576.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1577.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1578.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\1579.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\158E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\159F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15A2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15B5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15C9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15CA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\15DC.tmp, type = time	1	Fn
For performance reasons, the remaining 2697 entries are omitted. The remaining entries can be found in glog.xml.

Process #8: svchost.exe

(Host: 268, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:01, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:19

OS Process Information

Information	Value
PID	0xd84
Parent PID	0xd68 (c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D88 0x CBC 0x 9A4 0x DD8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000260000	0x00260000	0x002f1fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000300000	0x00300000	0x00300fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000007f766000	0x7f766000	0x7f766fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x0000006c8b260000	0x6c8b260000	0x6c8b27ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000006c8b260000	0x6c8b260000	0x6c8b26ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000006c8b270000	0x6c8b270000	0x6c8b271fff	Private Memory	Readable, Writable	Region Actions
svchost.exe.mui	0x6c8b270000	0x6c8b270fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000006c8b280000	0x6c8b280000	0x6c8b293fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000006c8b2a0000	0x6c8b2a0000	0x6c8b31ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000006c8b320000	0x6c8b320000	0x6c8b323fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000006c8b330000	0x6c8b330000	0x6c8b330fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000006c8b340000	0x6c8b340000	0x6c8b341fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x6c8b350000	0x6c8b40dfff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x6c8b410000	0x6c8b443fff	Memory Mapped File	Readable	Region Actions
private_0x0000006c8b410000	0x6c8b410000	0x6c8b410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b420000	0x6c8b420000	0x6c8b420fff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b450000	0x6c8b450000	0x6c8b456fff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b460000	0x6c8b460000	0x6c8b4dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b500000	0x6c8b500000	0x6c8b5fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b600000	0x6c8b600000	0x6c8b648fff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b650000	0x6c8b650000	0x6c8b84ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000006c8b650000	0x6c8b650000	0x6c8b6e1fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000006c8b700000	0x6c8b700000	0x6c8b7fffff	Private Memory	Readable, Writable	Region Actions
ole32.dll	0x6c8b800000	0x6c8b940fff	Memory Mapped File	Readable	Region Actions
private_0x0000006c8b800000	0x6c8b800000	0x6c8b9d8fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000006c8b800000	0x6c8b800000	0x6c8b987fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000006c8b9d0000	0x6c8b9d0000	0x6c8b9d8fff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8b9e0000	0x6c8b9e0000	0x6c8bbdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8ba00000	0x6c8ba00000	0x6c8bafffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bb00000	0x6c8bb00000	0x6c8bcfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bb00000	0x6c8bb00000	0x6c8bbfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bc00000	0x6c8bc00000	0x6c8bdfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bc00000	0x6c8bc00000	0x6c8bcfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bd00000	0x6c8bd00000	0x6c8befffff	Private Memory	Readable, Writable	Region Actions
private_0x0000006c8bd00000	0x6c8bd00000	0x6c8bdfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000006c8be00000	0x6c8be00000	0x6c8bf80fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000006c8bf90000	0x6c8bf90000	0x6c8d38ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x6c8d390000	0x6c8d6c6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007df5ffc50000	0x7df5ffc50000	0x7ff5ffc4ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff6c6f90000	0x7ff6c6f90000	0x7ff6c708ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff6c7090000	0x7ff6c7090000	0x7ff6c70b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff6c70b6000	0x7ff6c70b6000	0x7ff6c70b6fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff6c70bc000	0x7ff6c70bc000	0x7ff6c70bdfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff6c70be000	0x7ff6c70be000	0x7ff6c70bffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x7ff6c7e00000	0x7ff6c7e0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb39960000	0x7ffb3998bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb3a9f0000	0x7ffb3aa40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb3c2d0000	0x7ffb3c375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb3c9b0000	0x7ffb3ca6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb3cc70000	0x7ffb3ceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x7ffb3cfb0000	0x7ffb3cfb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe	0xd60	address = 0x260000, size = 598016	1	Fn
Modify Memory	#7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe	0xd60	address = 0x300000, size = 792	1	Fn Data
Modify Control Flow	#7: c:\users\ciihmn~1\appdata\roaming\micros~1\amsisigd\chakmcat.exe	0xd60	os_tid = 0xd88, address = 0xc70b6000	1	Fn

Threads

Thread 0xd88

(Host: 253, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x6c8b31fa10	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x6c8b31fa10	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x6c8b31fa10	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:38 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb3d27e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb3a9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb3aa04dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb3c672610	1	Fn
Mutex	Create	mutex_name = {BB8A49DA-DE80-A5F2-C01F-F2A9F4C346ED}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb3c2fec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb3cfb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb3cfb1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	16	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:38 (UTC)	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb3c2e72e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb3aa04e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb3aa04cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb3aa04e80	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetShellWindow, address_out = 0x7ffb3c674060	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7ffb3c664040	1	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlExitUserThread, address_out = 0x7ffb3d319fa0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x7ffb3d2a26d0	1	Fn
Thread	Create	process_name = c:\windows\explorer.exe, proc_address = 0x7ffb3d319fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 466191773984	1	Fn
Module	Map	process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6c8b650000	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xeda0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = c:\windows\explorer.exe, address = 0x6c8b31eb80, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 466191772552	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x900000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Module	Unmap	process_name = c:\windows\system32\svchost.exe	1	Fn
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xcb0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb3c316dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, data = 76, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x7ffb3c2eda40	1	Fn
System	Get Computer Name	-	1	Fn
System	Get Computer Name	result_out = LHNIWSJ	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x7ffb3c2d2680	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Scr, type = REG_NONE	1	Fn

Process #9: explorer.exe

(Host: 1632, Network: 895)

Information	Value
ID	#9
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:02, Reason: Injection
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:18

OS Process Information

Information	Value
PID	0x728
Parent PID	0xffffffffffffffff (Unknown)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D74 0x F88 0x 47C 0x 7F4 0x 7D4 0x AD8 0x B90 0x B88 0x B84 0x B80 0x B7C 0x B78 0x B74 0x B60 0x B5C 0x A80 0x A7C 0x A58 0x A38 0x A20 0x A1C 0x A18 0x A14 0x A10 0x A0C 0x A08 0x A04 0x 9FC 0x 9F8 0x 9D0 0x 9B0 0x 940 0x 92C 0x 918 0x 8F4 0x 8E4 0x 8E0 0x 8D8 0x 8D0 0x 8CC 0x 8C8 0x 8A0 0x 894 0x 88C 0x 878 0x 86C 0x 868 0x 864 0x 858 0x 854 0x 850 0x 84C 0x 848 0x 844 0x 840 0x 83C 0x 838 0x 834 0x 82C 0x 828 0x 824 0x 820 0x 81C 0x 808 0x 804 0x 6FC 0x 724 0x CB0 0x DEC 0x DE4 0x E40 0x E1C 0x DFC 0x E60 0x 258 0x 818 0x 274 0x 438 0x 664 0x ECC 0x EE8 0x F94 0x D3C 0x F5C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000750000	0x00750000	0x0075ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000760000	0x00760000	0x00766fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x00783fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000790000	0x00790000	0x0080ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00813fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x00822fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000830000	0x00830000	0x00831fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00840000	0x008fdfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x00911fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000920000	0x00920000	0x00922fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000930000	0x00930000	0x00931fff	Pagefile Backed Memory	Readable	Region Actions
wscui.cpl.mui	0x00940000	0x00951fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000980000	0x00980000	0x00986fff	Private Memory	Readable, Writable	Region Actions
explorer.exe.mui	0x00990000	0x00997fff	Memory Mapped File	Readable	Region Actions
private_0x00000000009a0000	0x009a0000	0x00a9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000aa0000	0x00aa0000	0x00c27fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00c30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00c40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c50fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c60000	0x00c60000	0x00c60fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c70000	0x00c70000	0x00c70fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c80000	0x00c80000	0x00c80fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ca0000	0x00ca0000	0x00e20fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x0222ffff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x02230000	0x02233fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db	0x02240000	0x02261fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002270000	0x02270000	0x02270fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002280000	0x02280000	0x022fffff	Private Memory	Readable, Writable	Region Actions
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000030.db	0x02300000	0x0231bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002320000	0x02320000	0x02322fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002330000	0x02330000	0x02332fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002340000	0x02340000	0x0234ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02350000	0x02686fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002690000	0x02690000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002790000	0x02790000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
shell32.dll.mui	0x02810000	0x02870fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002880000	0x02880000	0x028a9fff	Pagefile Backed Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x028b0000	0x0298efff	Memory Mapped File	Readable	Region Actions
thumbcache_idx.db	0x02990000	0x02991fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x00000000029a0000	0x029a0000	0x029a1fff	Pagefile Backed Memory	Readable	Region Actions
hcproviders.dll.mui	0x029b0000	0x029b1fff	Memory Mapped File	Readable	Region Actions
actioncenter.dll.mui	0x029c0000	0x029cafff	Memory Mapped File	Readable	Region Actions
thumbcache_idx.db	0x029d0000	0x029d1fff	Memory Mapped File	Readable, Writable	Region Actions
iconcache_idx.db	0x029e0000	0x029e1fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_idx.db	0x029f0000	0x029f1fff	Memory Mapped File	Readable, Writable	Region Actions
iconcache_idx.db	0x02a00000	0x02a01fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02a8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a90000	0x02a90000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002b10000	0x02b10000	0x02b11fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b20000	0x02b20000	0x02b21fff	Pagefile Backed Memory	Readable	Region Actions
oleaccrc.dll	0x02b30000	0x02b31fff	Memory Mapped File	Readable	Region Actions
oleaccrc.dll.mui	0x02b40000	0x02b44fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002b50000	0x02b50000	0x02c07fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002c10000	0x02c10000	0x02c13fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002c20000	0x02c20000	0x02d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d20000	0x02d20000	0x02e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e20000	0x02e20000	0x02e26fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e30000	0x02e30000	0x02e32fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02e40000	0x03e7ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003e80000	0x03e80000	0x03e80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e90000	0x03e90000	0x03e90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ea0000	0x03ea0000	0x03ea0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003eb0000	0x03eb0000	0x03eb2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003ec0000	0x03ec0000	0x03f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f40000	0x03f40000	0x03f41fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f50000	0x03f50000	0x03f50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f60000	0x03f60000	0x03f60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f70000	0x03f70000	0x03f70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f80000	0x03f80000	0x03f80fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003f90000	0x03f90000	0x03f9ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000003fa0000	0x03fa0000	0x03faffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000003fb0000	0x03fb0000	0x03fbffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x03fc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fd0000	0x03fd0000	0x03fd0fff	Private Memory	Readable, Writable	Region Actions
cversions.1.db	0x03fe0000	0x03fe3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003ff0000	0x03ff0000	0x03ff0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004000000	0x04000000	0x04000fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004010000	0x04010000	0x04010fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004020000	0x04020000	0x04022fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004030000	0x04030000	0x04030fff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x04040000	0x04043fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004050000	0x04050000	0x040cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000040d0000	0x040d0000	0x04108fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004110000	0x04110000	0x04110fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004120000	0x04120000	0x04122fff	Pagefile Backed Memory	Readable	Region Actions
stobject.dll.mui	0x04130000	0x04131fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000004140000	0x04140000	0x04142fff	Pagefile Backed Memory	Readable	Region Actions
inputswitch.dll.mui	0x04150000	0x04151fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004160000	0x04160000	0x04160fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004170000	0x04170000	0x04172fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004180000	0x04180000	0x04181fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004190000	0x04190000	0x0420ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004210000	0x04210000	0x0428ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004290000	0x04290000	0x04292fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x042a0000	0x042a3fff	Memory Mapped File	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db	0x042b0000	0x042f2fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004300000	0x04300000	0x0437ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004380000	0x04380000	0x043fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004400000	0x04400000	0x04400fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004410000	0x04410000	0x0448ffff	Private Memory	Readable, Writable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x04490000	0x0451afff	Memory Mapped File	Readable	Region Actions
private_0x0000000004520000	0x04520000	0x0459ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045a0000	0x045a0000	0x045a0fff	Private Memory	Readable, Writable	Region Actions
propsys.dll.mui	0x045b0000	0x045c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000045d0000	0x045d0000	0x0464ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004650000	0x04650000	0x046cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046d0000	0x046d0000	0x0474ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004750000	0x04750000	0x047cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047d0000	0x047d0000	0x0484ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004850000	0x04850000	0x048cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048d0000	0x048d0000	0x050cffff	Private Memory	-	Region Actions
pagefile_0x00000000050d0000	0x050d0000	0x055c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000055d0000	0x055d0000	0x056cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000056d0000	0x056d0000	0x0574ffff	Private Memory	Readable, Writable	Region Actions
msxml6r.dll	0x05750000	0x05750fff	Memory Mapped File	Readable	Region Actions
private_0x0000000005760000	0x05760000	0x05766fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005770000	0x05770000	0x057effff	Private Memory	Readable, Writable	Region Actions
winnlsres.dll	0x057f0000	0x057f4fff	Memory Mapped File	Readable	Region Actions
winnlsres.dll.mui	0x05800000	0x0580ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005810000	0x05810000	0x05810fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000005820000	0x05820000	0x05820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005830000	0x05830000	0x05830fff	Private Memory	Readable, Writable	Region Actions
mswsock.dll.mui	0x05840000	0x05842fff	Memory Mapped File	Readable	Region Actions
private_0x0000000005850000	0x05850000	0x0585ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005860000	0x05860000	0x0595ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005960000	0x05960000	0x059dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000059e0000	0x059e0000	0x05a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005a60000	0x05a60000	0x05adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005ae0000	0x05ae0000	0x05b5ffff	Private Memory	Readable, Writable	Region Actions
iconcache_256.db	0x05b60000	0x05b60fff	Memory Mapped File	Readable, Writable	Region Actions
iconcache_idx.db	0x05b70000	0x05b71fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000005b80000	0x05b80000	0x05b82fff	Pagefile Backed Memory	Readable	Region Actions
sndvolsso.dll.mui	0x05b90000	0x05b91fff	Memory Mapped File	Readable	Region Actions
windows.storage.dll.mui	0x05ba0000	0x05ba7fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005bb0000	0x05bb0000	0x05bb2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005bc0000	0x05bc0000	0x05bc0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
iconcache_256.db	0x05bd0000	0x05bd0fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000005be0000	0x05be0000	0x05be2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005bf0000	0x05bf0000	0x05bf0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005c00000	0x05c00000	0x05c08fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005c10000	0x05c10000	0x05c13fff	Private Memory	Readable, Writable	Region Actions
thumbcache_idx.db	0x05c20000	0x05c21fff	Memory Mapped File	Readable, Writable	Region Actions
netmsg.dll	0x05c30000	0x05c30fff	Memory Mapped File	Readable	Region Actions
private_0x0000000005c40000	0x05c40000	0x05c40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005c50000	0x05c50000	0x05c58fff	Private Memory	Readable, Writable	Region Actions
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000031.db	0x05c60000	0x05c7afff	Memory Mapped File	Readable	Region Actions
thumbcache_idx.db	0x05c90000	0x05c91fff	Memory Mapped File	Readable, Writable	Region Actions
imageres.dll.mui	0x05ca0000	0x05ca0fff	Memory Mapped File	Readable	Region Actions
For performance reasons, the remaining 872 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Create Remote Thread	#8: c:\windows\system32\svchost.exe	0xd88	address = 0x7ffb3d319fa0	1	Fn
Modify Memory	#8: c:\windows\system32\svchost.exe	0xd88	address = 0xeda0000, size = 598016	1	Fn
Modify Memory	#8: c:\windows\system32\svchost.exe	0xd88	address = 0x900000, size = 792	1	Fn Data
Modify Control Flow	#8: c:\windows\system32\svchost.exe	0xd88	os_tid = 0xcb0, address = 0x0	1	Fn
Modify Memory	#8: c:\windows\system32\svchost.exe	0xd88	address = 0x7ffb3d319fa0, size = 4	1	Fn Data

Threads

Thread 0x47c

(Host: 22, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Activation Manager Shim FTM	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\activationmanager.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = ExecModelProxy	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\execmodelproxy.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0xb88

(Host: 34, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Immersive Shell	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = PSFactoryBuffer	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\ActXPrxy.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn

Thread 0xb7c

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Sync root manager	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\shell32.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x918

(Host: 13, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Network List Manager	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn

Thread 0x868

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = PSFactoryBuffer	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\npmproxy.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x858

(Host: 8, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn

Thread 0x848

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR, value_name = VKToggleGameBar, type = REG_NONE		1	Fn

Thread 0x83c

(Host: 14, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = CLSID_NotificationController	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = CLSID_NotificationController Proxy Stub	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\NotificationControllerPS.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0x81c

(Host: 16, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Start Menu Cache	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrCmpIW, address_out = 0x7ffb3a9fbe50	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\shell32.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = UseApp	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = SearchboxTaskbarMode, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = UseApp	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = SearchboxTaskbarMode, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = UseApp	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search, value_name = SearchboxTaskbarMode, type = REG_NONE	1	Fn

Thread 0x804

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection, value_name = DisableRealtimeMonitoring, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, value_name = DisableAntiSpyware, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection, value_name = DisableRealtimeMonitoring, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = CustomActivator, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = ForcePersonableToasts, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance, value_name = ShowInActionCenter, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\196, value_name = ImageFileUri, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\196, value_name = ImageFileUri, type = REG_NONE	1	Fn

Thread 0x724

(Host: 33, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Shared Task Scheduler	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windows.storage.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\windowscodecs.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	-	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\dataexchange.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = DisplayVersion, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Control Panel\Desktop, value_name = PaintDesktopVersion, type = REG_NONE	1	Fn

Thread 0xcb0

(Host: 218, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x5e8fe50	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x5e8fe50	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x5e8fe50	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:38 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = Unknown module name, function = IsWow64Process, address_out = 0x7ffb3d27e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb3a9f0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrA, address_out = 0x7ffb3aa04dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = Unknown module name, function = wsprintfA, address_out = 0x7ffb3c672610	1	Fn
Mutex	Create	mutex_name = {0F90C438-223E-19A7-A4B3-765D18970AE1}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetUserNameA, address_out = 0x7ffb3c2fec40	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetShellWindow, address_out = 0x7ffb3c674060	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetWindowThreadProcessId, address_out = 0x7ffb3c664040	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb3cfb0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = EnumProcessModules, address_out = 0x7ffb3cfb1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	63	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:39 (UTC)	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegCloseKey, address_out = 0x7ffb3c2e72e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrToIntExA, address_out = 0x7ffb3aa04e70	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrA, address_out = 0x7ffb3aa04cc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrTrimA, address_out = 0x7ffb3aa04e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegCreateKeyA, address_out = 0x7ffb3c316dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Module	Load	module_name = ole32.dll, base_address = 0x7ffb3cb20000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateStreamOnHGlobal, address_out = 0x7ffb3cc970a0	1	Fn
Module	Load	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
File	Create Pipe	pipe_name = \device\namedpipe\{d0964750-ef7b-8278-f904-93d63d78776a}, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255	1	Fn

Thread 0xdec

(Host: 236, Network: 128)

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = StrStrIA, address_out = 0x7ffb3a9fe1c0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x7ffb333f0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpOpen, address_out = 0x7ffb3340bc40	1	Fn
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpConnect, address_out = 0x7ffb33409550	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = titanliquor.ca, server_port = 80	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpOpenRequest, address_out = 0x7ffb33409c10	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /images/A/2.tif, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryOption, address_out = 0x7ffb333f1900	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpSetOption, address_out = 0x7ffb33407a20	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpSendRequest, address_out = 0x7ffb33408330	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = titanliquor.ca/images/A/2.tif	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpReceiveResponse, address_out = 0x7ffb33408c80	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryHeaders, address_out = 0x7ffb33406d90	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_RAW_HEADERS_CRLF	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_RAW_HEADERS_CRLF, size_out = 710	1	Fn Data
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryDataAvailable, address_out = 0x7ffb33416ac0	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpReadData, address_out = 0x7ffb33404200	1	Fn
Inet	Read Response	size = 3693, size_out = 3693	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 2280, size_out = 2280	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	4	Fn Data
Inet	Read Response	size = 2492, size_out = 2492	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	11	Fn Data
Inet	Read Response	size = 1408, size_out = 1408	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	3	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	2	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 2232, size_out = 2232	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	8	Fn Data
Inet	Read Response	size = 2080, size_out = 2080	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	14	Fn Data
Inet	Read Response	size = 736, size_out = 736	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	12	Fn Data
Inet	Read Response	size = 3120, size_out = 3120	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	13	Fn Data
Inet	Read Response	size = 3380, size_out = 3380	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 3164, size_out = 3164	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	10	Fn Data
Inet	Read Response	size = 2600, size_out = 2600	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	11	Fn Data
Inet	Read Response	size = 1408, size_out = 1408	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	36	Fn Data
Inet	Read Response	size = 3552, size_out = 3552	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 3164, size_out = 3164	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 2232, size_out = 2232	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 2232, size_out = 2232	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	4	Fn Data
Inet	Read Response	size = 1040, size_out = 1040	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 3164, size_out = 3164	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	7	Fn Data
Inet	Read Response	size = 368, size_out = 368	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	13	Fn Data
Inet	Read Response	size = 476, size_out = 476	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	516	Fn Data
Inet	Read Response	size = 3556, size_out = 3556	1	Fn Data
Module	Get Address	module_name = Unknown module name, function = WinHttpCloseHandle, address_out = 0x7ffb33405860	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, size = 3162112	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = TorClient, size = 46, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = TorClient, type = REG_BINARY	2	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, type = size	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6DB4.tmp, size = 3162112, size_out = 3162112	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateEventW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetEnvironmentVariableA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CompareStringW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CompareStringA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateMutexW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = DisableThreadLibraryCalls, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = PeekNamedPipe, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetHandleInformation, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetSystemDirectoryW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LoadLibraryW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = TerminateProcess, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreatePipe, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FormatMessageW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetVersionExW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateFileMappingW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetSystemInfo, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetTempPathW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetModuleHandleW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = MultiByteToWideChar, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetStdHandle, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetFileType, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GlobalMemoryStatus, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlushConsoleInputBuffer, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SystemTimeToFileTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = InitializeCriticalSectionAndSpinCount, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = PostQueuedCompletionStatus, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlsSetValue, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCommandLineA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetDateFormatA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetTimeFormatA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ExitProcess, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FileTimeToSystemTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetFileInformationByHandle, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetDriveTypeA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = MoveFileA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ExitThread, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LockFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = UnlockFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetFileTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LocalFileTimeToFileTime, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetFullPathNameA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = UnhandledExceptionFilter, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetUnhandledExceptionFilter, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RtlCaptureContext, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetConsoleCtrlHandler, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ReadConsoleInputA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetConsoleMode, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetConsoleMode, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCurrentProcess, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = IsDebuggerPresent, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RtlVirtualUnwind, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RtlLookupFunctionEntry, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCPInfo, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetACP, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetOEMCP, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = IsValidCodePage, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = EncodePointer, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = DecodePointer, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlsGetValue, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlsFree, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlsAlloc, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetHandleCount, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetStartupInfoA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FreeEnvironmentStringsA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetEnvironmentStrings, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FreeEnvironmentStringsW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetEnvironmentStringsW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapSetInformation, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RtlUnwindEx, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetTimeZoneInformation, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = HeapSize, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetStdHandle, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetCurrentDirectoryA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetConsoleCP, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LCMapStringA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = LCMapStringW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetProcessHeap, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetStringTypeA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetStringTypeW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetLocaleInfoA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WriteConsoleA, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetConsoleOutputCP, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = WriteConsoleW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 22, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 112, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 17, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 20, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 52, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 57, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 111, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 23, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 3, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 1, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 16, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 19, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 4, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 21, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 7, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 13, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 14, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 15, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 115, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 18, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 10, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 116, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x5f0f3a0	1	Fn
Module	Load	module_name = CRYPT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CertOpenStore, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertFreeCertificateContext, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertFindCertificateInStore, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertCloseStore, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertGetCertificateContextProperty, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertEnumCertificatesInStore, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CertDuplicateCertificateContext, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = GetProcessWindowStation, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = GetUserObjectInformationW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = MessageBoxW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CryptSignHashW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptGetProvParam, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptCreateHash, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptDestroyKey, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptDecrypt, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptDestroyHash, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptGetUserKey, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptAcquireContextW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptGenRandom, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RegQueryValueExW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RegOpenKeyExW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RegCloseKey, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = RegisterEventSourceW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = DeregisterEventSource, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = ReportEventW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptSetHashParam, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptExportKey, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptReleaseContext, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = CryptEnumProvidersW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = SHGetPathFromIDListW, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SHGetMalloc, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
Module	Get Address	function = SHGetSpecialFolderLocation, ordinal = 0, address_out = 0x5f0f3a0	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 159593	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename	module_name = SHELL32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Mutex	Create	-	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn

Thread 0xde4

(Host: 58, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueExW, address_out = 0x7ffb3c2e6c70	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Accocca, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrW, address_out = 0x7ffb3a9fa2a0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathCombineW, address_out = 0x7ffb3a9fd130	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrW, address_out = 0x7ffb3a9fdd80	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, type = size	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, size = 11465, size_out = 11465	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, size = 48	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb3a800000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	5	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Address	module_name = Unknown module name, function = RtlExitUserThread, address_out = 0x7ffb3d319fa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateRemoteThread, address_out = 0x7ffb3d2a26d0	1	Fn
Thread	Create	process_name = c:\windows\system32\runtimebroker.exe, proc_address = 0x7ffb3d319fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn
Thread	Suspend	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn
Thread	Get Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 157544624	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xf3c0000	1	Fn
Module	Map	process_name = c:\windows\system32\runtimebroker.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x942a670000	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb3d310000	1	Fn
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = c:\windows\system32\runtimebroker.exe, address = 0x963eb10, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 157543192	1	Fn
Thread	Get Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0x94282f0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb3d319fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xe30	1	Fn

Thread 0xe40

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0xe1c

(Host: 12, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 140390	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff67bf70000	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterClassA, address_out = 0x7ffb3c671310	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff67bf70000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateWindowExA, address_out = 0x7ffb3c674df0	1	Fn
Window	Create	class_name = {9696FF0D-1508-34C7-917A-554EEBBC4FB0}, wndproc_parameter = 249366880	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetWindowLongPtrA, address_out = 0x7ffb3c65cae0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DefWindowProcA, address_out = 0x7ffb3d3a3230	1	Fn
Module	Get Address	module_name = Unknown module name, function = SetWindowLongPtrA, address_out = 0x7ffb3c6661f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetMessageA, address_out = 0x7ffb3c66aa50	1	Fn
Module	Get Address	module_name = Unknown module name, function = TranslateMessage, address_out = 0x7ffb3c6636a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispatchMessageA, address_out = 0x7ffb3c6761e0	1	Fn

Thread 0xdfc

(Host: 4, Network: 0)

Category	Operation	Information	Count	Logfile
System	Sleep	duration = -1 (infinite)	1	Fn
File	Read	size = 16, size_out = 16	1	Fn Data
File	Write	size = 16	1	Fn Data
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0xe60

(Host: 46, Network: 1)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindFileNameA, address_out = 0x7ffb3a9fcf30	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, type = REG_NONE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:39 (UTC)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegSetValueExA, address_out = 0x7ffb3c2d2680	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, size = 8, type = REG_BINARY	1	Fn Data
Mutex	Open	mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}	1	Fn
Mutex	Open	mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}	1	Fn
Mutex	Release	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = {DB94E230-7EC4-C521-603F-92C994E3E60D}, type = REG_NONE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:54 (UTC)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = {DB94E230-7EC4-C521-603F-92C994E3E60D}, size = 8, type = REG_BINARY	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:43:54 (UTC)	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindExtensionA, address_out = 0x7ffb3aa04800	1	Fn
Process	Create	process_name = cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1", os_pid = 0xef0, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Process	Create	process_name = cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1", os_pid = 0xd34, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1, type = size	1	Fn
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1, size = 125, size_out = 125	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1	1	Fn
Module	Load	module_name = WS2_32.dll, base_address = 0x7ffb3c570000	1	Fn
Module	Get Address	module_name = Unknown module name, function = 115, address_out = 0x7ffb3c5730c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 52, address_out = 0x7ffb3c59aab0	1	Fn
DNS	Resolve Name	host = 87.142.152.58, address_out = 87.142.152.58	1	Fn
Module	Get Address	module_name = Unknown module name, function = 116, address_out = 0x7ffb3c583ce0	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, size = 40, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Run	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Config	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegNotifyChangeKeyValue, address_out = 0x7ffb3c2e8fd0	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
System	Get Time	type = Ticks, time = 161171	2	Fn

Thread 0x258

(Host: 54, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance, value_name = Rank, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = DisplayName, type = REG_NONE	2	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = IconUri, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = IconBackgroundColor, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = CustomActivator, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = NotificationObjFactory	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\NotificationObjFactory.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Free	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = tiledatamodelsvc	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = XML DOM Document 6.0	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\msxml6.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = XML Schema Cache 6.0	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\msxml6.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	value_name = ActivationType, type = REG_NONE	1	Fn
Registry	Read Value	value_name = Threading, type = REG_NONE	1	Fn
Registry	Read Value	value_name = TrustLevel, type = REG_NONE	1	Fn
Registry	Read Value	value_name = ActivateAsUser, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance, value_name = ForcePersonableToasts, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance, value_name = ShowInActionCenter, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\195, value_name = ImageFileUri, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Windows Push Notification Platform	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Current\\Windows.SystemToast.SecurityAndMaintenance\195, value_name = ImageFileUri, type = REG_NONE	1	Fn

Thread 0x818

(Host: 9, Network: 0)

Category	Operation	Information	Count	Logfile
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = Windows Push Notification Developer Proxy Stub	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\wpnapps.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn

Thread 0xf94

(Host: 206, Network: 78)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	7	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace, value_name = MonitorRegistry, data = 1	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = ValidateRegItems	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, value_name = MonitorRegistry	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetTickCount64, address_out = 0x7ffb3d2765a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetTickCount, address_out = 0x7ffb3d2760a0	1	Fn
System	Get Time	type = Ticks, time = 159734	2	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Bind	protocol = IPPROTO_IP, local_address = 127.0.0.1, local_port = 49430, hint = "OS assigned a local port from the dynamic client port range."	1	Fn
Socket	Listen	local_address = 127.0.0.1, local_port = 0, queue_length = 1	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 127.0.0.1, remote_port = 49430	1	Fn
Socket	Accept	type = SOCK_STREAM, remote_address_out = 127.0.0.1, remote_port_out = 49431	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	10	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp, desired_access = DELETE, GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp, type = file_type	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp, size = 223	1	Fn Data
File	Move	source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state.tmp, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\state	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\router-stability, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\geoip, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:58 (UTC)	1	Fn
Module	Load	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Module	Load	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Module	Load	module_name = NETAPI32.DLL, base_address = 0x7ffb30240000	1	Fn
Module	Get Address	module_name = Unknown module name, function = NetStatisticsGet, address_out = 0x7ffb30242480	1	Fn
Module	Get Address	module_name = Unknown module name, function = NetApiBufferFree, address_out = 0x7ffb38f91930	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptAcquireContextW, address_out = 0x7ffb3c2e89e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptGenRandom, address_out = 0x7ffb3c2e90d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptReleaseContext, address_out = 0x7ffb3c2e8ee0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff67bf70000	1	Fn
Module	Get Address	module_name = Unknown module name, function = _OPENSSL_isservice, address_out = 0x0	1	Fn
Module	Load	module_name = USER32.DLL, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetForegroundWindow, address_out = 0x7ffb3c680010	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetCursorInfo, address_out = 0x7ffb3c683480	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetQueueStatus, address_out = 0x7ffb3c66ae40	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Address	module_name = Unknown module name, function = CreateToolhelp32Snapshot, address_out = 0x7ffb3d286830	1	Fn
Module	Get Address	module_name = Unknown module name, function = CloseToolhelp32Snapshot, address_out = 0x0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32First, address_out = 0x7ffb3d2a4d30	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32Next, address_out = 0x7ffb3d2a5150	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32ListFirst, address_out = 0x7ffb3d2a4f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32ListNext, address_out = 0x7ffb3d2a5070	1	Fn
Module	Get Address	module_name = Unknown module name, function = Process32First, address_out = 0x7ffb3d2a55f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Process32Next, address_out = 0x7ffb3d2a56e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Thread32First, address_out = 0x7ffb3d2801b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Thread32Next, address_out = 0x7ffb3d276720	1	Fn
Module	Get Address	module_name = Unknown module name, function = Module32First, address_out = 0x7ffb3d2a53b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Module32Next, address_out = 0x7ffb3d2a54d0	1	Fn
System	Get Time	type = Ticks, time = 160062	1	Fn
System	Get Time	type = Ticks, time = 160453	1	Fn
System	Get Time	type = Ticks, time = 160718	1	Fn
System	Get Time	type = Ticks, time = 160890	1	Fn
System	Get Time	type = Ticks, time = 161078	1	Fn
System	Get Time	type = Ticks, time = 161093	8	Fn
System	Get Time	type = Ticks, time = 161109	6	Fn
System	Get Time	type = Ticks, time = 161125	7	Fn
System	Get Time	type = Ticks, time = 161140	7	Fn
System	Get Time	type = Ticks, time = 161171	6	Fn
System	Get Time	type = Ticks, time = 161187	9	Fn
System	Get Time	type = Ticks, time = 161203	9	Fn
System	Get Time	type = Ticks, time = 161218	4	Fn
System	Get Time	type = Ticks, time = 161218	1	Fn
Module	Load	module_name = ADVAPI32.DLL, base_address = 0x7ffb3c2d0000	1	Fn
Module	Load	module_name = KERNEL32.DLL, base_address = 0x7ffb3d260000	1	Fn
Module	Load	module_name = NETAPI32.DLL, base_address = 0x7ffb30240000	1	Fn
Module	Get Address	module_name = Unknown module name, function = NetStatisticsGet, address_out = 0x7ffb30242480	1	Fn
Module	Get Address	module_name = Unknown module name, function = NetApiBufferFree, address_out = 0x7ffb38f91930	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptAcquireContextW, address_out = 0x7ffb3c2e89e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptGenRandom, address_out = 0x7ffb3c2e90d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CryptReleaseContext, address_out = 0x7ffb3c2e8ee0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = USER32.DLL, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetForegroundWindow, address_out = 0x7ffb3c680010	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetCursorInfo, address_out = 0x7ffb3c683480	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetQueueStatus, address_out = 0x7ffb3c66ae40	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Address	module_name = Unknown module name, function = CreateToolhelp32Snapshot, address_out = 0x7ffb3d286830	1	Fn
Module	Get Address	module_name = Unknown module name, function = CloseToolhelp32Snapshot, address_out = 0x0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32First, address_out = 0x7ffb3d2a4d30	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32Next, address_out = 0x7ffb3d2a5150	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32ListFirst, address_out = 0x7ffb3d2a4f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = Heap32ListNext, address_out = 0x7ffb3d2a5070	1	Fn
Module	Get Address	module_name = Unknown module name, function = Process32First, address_out = 0x7ffb3d2a55f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Process32Next, address_out = 0x7ffb3d2a56e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Thread32First, address_out = 0x7ffb3d2801b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Thread32Next, address_out = 0x7ffb3d276720	1	Fn
Module	Get Address	module_name = Unknown module name, function = Module32First, address_out = 0x7ffb3d2a53b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = Module32Next, address_out = 0x7ffb3d2a54d0	1	Fn
System	Get Time	type = Ticks, time = 162453	1	Fn
System	Get Time	type = Ticks, time = 162921	1	Fn
System	Get Time	type = Ticks, time = 163281	1	Fn
System	Get Time	type = Ticks, time = 163640	9	Fn
System	Get Time	type = Ticks, time = 163656	8	Fn
System	Get Time	type = Ticks, time = 163671	6	Fn
System	Get Time	type = Ticks, time = 163687	6	Fn
System	Get Time	type = Ticks, time = 163703	2	Fn
System	Get Time	type = Ticks, time = 163984	11	Fn
System	Get Time	type = Ticks, time = 164000	7	Fn
System	Get Time	type = Ticks, time = 164015	7	Fn
System	Get Time	type = Ticks, time = 164031	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	189	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-certs, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-consensus, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\unverified-consensus, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdesc-consensus, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\unverified-microdesc-consensus, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
File	Create	filename = \tor\fallback-consensus, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	3	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdescs, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-microdescs.new, desired_access = DELETE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_DELETE_ON_CLOSE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	2	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-descriptors, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	3	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\cached-extrainfo, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	3	Fn
System	Get Time	type = Ticks, time = 164750	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 164765	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	28	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 193.23.244.244, remote_port = 443	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	6	Fn
System	Get Time	type = Ticks, time = 164765	2	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	2	Fn
System	Get Time	type = Ticks, time = 164765	1	Fn
System	Get Time	type = Ticks, time = 164796	2	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\iphlpapi.dll, base_address = 0x7ffb37410000	1	Fn
Socket	Create	protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 18.0.0.1, remote_port = 9	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\iphlpapi.dll, base_address = 0x7ffb37410000	1	Fn
Socket	Create	protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 18.0.0.1, remote_port = 9	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 237, size_out = 237	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 7, size_out = -1	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 7, size_out = -1	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164828	2	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 7, size_out = 7	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 60, size_out = 60	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 586, size_out = 586	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 331, size_out = 331	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4, size_out = 4	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 134, size_out = 134	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = -1	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164859	2	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 48, size_out = 48	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	2	Fn
System	Get Time	type = Ticks, time = 164859	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 74, size_out = 74	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164875	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164890	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2048, size_out = 2048	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	9	Fn
System	Get Time	type = Ticks, time = 164906	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 586, size_out = 586	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164906	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 586, size_out = 586	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 164968	1	Fn
System	Get Time	type = Ticks, time = 164984	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165062	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 544, size_out = 544	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	5	Fn
System	Get Time	type = Ticks, time = 165062	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 586, size_out = 586	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165093	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165093	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 544, size_out = 544	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	3	Fn
System	Get Time	type = Ticks, time = 165109	2	Fn
Socket	Send	flags = NO_FLAG_SET, size = 586, size_out = 586	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165140	2	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4080, size_out = 4080	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	9	Fn
System	Get Time	type = Ticks, time = 165140	2	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4080, size_out = 4080	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	10	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 640, size_out = 640	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	11	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4080, size_out = 4080	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	15	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165140	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4080, size_out = 4080	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	16	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 640, size_out = 640	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	10	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 32, size_out = 32	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 5, size_out = 5	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4080, size_out = 728	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3352, size_out = -1	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	8	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 165156	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:04 (UTC)	6	Fn

Thread 0xd3c

(Host: 100, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = CoInitializeEx, address_out = 0x7ffb3cce3170	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateInstance, address_out = 0x7ffb3ccf7000	1	Fn
COM	Create	interface = FD465481-1384-11D0-ABBD-0020AFDFD10A, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = CLSID_ImnAccountManager	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\system32\msoeacct.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Mail Setup, value_name = DelayInitialized, type = REG_NONE	2	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindFileNameW, address_out = 0x7ffb3a9fb610	1	Fn
Process	Create	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, os_pid = 0xd24, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetProcessImageFileNameW, address_out = 0x7ffb3cfb10a0	1	Fn
Process	Get filename	file_name = \Device\HarddiskVolume1\Program Files\Windows Mail\WinMail.exe	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72a86f000, size = 616	1	Fn Data
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b500000, size = 4096	1	Fn Data
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5000e8, size = 4096	1	Fn Data
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b509940, size = 40	1	Fn Data
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b508540, size = 4096	1	Fn Data
Memory	Read	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, size = 4	1	Fn Data
Memory	Protect	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, size = 4	1	Fn Data
Memory	Protect	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 99661504	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa340000	1	Fn
Module	Map	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7eac890000	1	Fn
Memory	Allocate	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x5f0b120, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 99660072	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Memory	Write	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7eac860000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, size = 4	1	Fn Data
Memory	Protect	process_name = "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE, address = 0x7ff72b5076c0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0xd3c	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Mail Setup, value_name = DelayInitialized, type = REG_NONE	1	Fn
COM	Create	interface = AD553D98-DEB1-474A-8E17-FC0C2075B738, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = ContactManager class	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Program Files\Common Files\System\wab32.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Apartment	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Registry	Read Value	reg_name = TreatAs, type = REG_NONE	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = SAX XML Reader 6.0	1	Fn
Registry	Read Value	value_name = InprocServer32	1	Fn
Registry	Read Value	data = 0	1	Fn
Registry	Read Value	data = C:\Windows\System32\msxml6.dll	1	Fn
Registry	Read Value	value_name = ThreadingModel, data = Both	1	Fn
Registry	Read Value	reg_name = InprocHandler32	1	Fn
Registry	Read Value	reg_name = InprocHandler	1	Fn
Module	Get Address	module_name = Unknown module name, function = wsprintfW, address_out = 0x7ffb3c67b1d0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueA, address_out = 0x7ffb3c318180	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath	2	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Mail	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegOpenKeyExW, address_out = 0x7ffb3c2e6cb0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin, size = 190	1	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 16:44:03 (UTC)	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrDupW, address_out = 0x7ffb3a9fd270	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, type = file_attributes	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 30	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 7	1	Fn Data
File	Read	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin, size = 190, size_out = 190	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 106	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 30	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 53	1	Fn Data
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, size = 22	1	Fn Data
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\8F3C.bin, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateGuid, address_out = 0x7ffb3cce2340	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Files	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299\Files, value_name = AAAA1B69FB9D72400E, size = 92, type = REG_BINARY	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7993.bin	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoUninitialize, address_out = 0x7ffb3cce2380	1	Fn

Process #10: runtimebroker.exe

(Host: 210, Network: 0)

Information	Value
ID	#10
File Name	c:\windows\system32\runtimebroker.exe
Command Line	C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Injection
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:17

OS Process Information

Information	Value
PID	0x85c
Parent PID	0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BF4 0x B34 0x 888 0x 880 0x 87C 0x 874 0x 860 0x E30 0x E2C 0x 478 0x F38 0x ED8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
pagefile_0x0000009427ea0000	0x9427ea0000	0x9427eaffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000009427eb0000	0x9427eb0000	0x9427eb0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009427ec0000	0x9427ec0000	0x9427ed3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009427ee0000	0x9427ee0000	0x9427f5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009427f60000	0x9427f60000	0x9427f63fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009427f70000	0x9427f70000	0x9427f71fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009427f80000	0x9427f80000	0x9427f81fff	Private Memory	Readable, Writable	Region Actions
private_0x0000009427f90000	0x9427f90000	0x9427f90fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009427fa0000	0x9427fa0000	0x9427fa0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000009427fb0000	0x9427fb0000	0x9427fb6fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009427fc0000	0x9427fc0000	0x9427fc0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009427fd0000	0x9427fd0000	0x9427ff9fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000009428000000	0x9428000000	0x94280fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x9428100000	0x94281bdfff	Memory Mapped File	Readable	Region Actions
private_0x00000094281c0000	0x94281c0000	0x942823ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009428240000	0x9428240000	0x9428242fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009428250000	0x9428250000	0x9428250fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000009428260000	0x9428260000	0x9428260fff	Pagefile Backed Memory	Readable, Writable	Region Actions
windows.storage.dll.mui	0x9428270000	0x9428277fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x9428280000	0x9428283fff	Memory Mapped File	Readable	Region Actions
private_0x0000009428290000	0x9428290000	0x9428296fff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db	0x94282a0000	0x94282c1fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000094282d0000	0x94282d0000	0x94282d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x94282e0000	0x94282e3fff	Memory Mapped File	Readable	Region Actions
private_0x00000094282f0000	0x94282f0000	0x94282f0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000009428300000	0x9428300000	0x94283fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000009428400000	0x9428400000	0x942847ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000009428480000	0x9428480000	0x9428607fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000009428610000	0x9428610000	0x9428790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000094287a0000	0x94287a0000	0x9429b9ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x9429ba0000	0x9429ed6fff	Memory Mapped File	Readable	Region Actions
private_0x0000009429ee0000	0x9429ee0000	0x9429f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000009429f60000	0x9429f60000	0x9429fdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000009429fe0000	0x9429fe0000	0x942a05ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a060000	0x942a060000	0x942a0c8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a060000	0x942a060000	0x942a061fff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a0c0000	0x942a0c0000	0x942a0c8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a0e0000	0x942a0e0000	0x942a15ffff	Private Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db	0x942a160000	0x942a1a2fff	Memory Mapped File	Readable	Region Actions
private_0x000000942a1b0000	0x942a1b0000	0x942a1b6fff	Private Memory	Readable, Writable	Region Actions
propsys.dll.mui	0x942a1c0000	0x942a1d0fff	Memory Mapped File	Readable	Region Actions
private_0x000000942a200000	0x942a200000	0x942a2fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a300000	0x942a300000	0x942a3fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a400000	0x942a400000	0x942a47ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x942a500000	0x942a5defff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x942a5e0000	0x942a66afff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000942a670000	0x942a670000	0x942a701fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x000000942a710000	0x942a710000	0x942a90ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a800000	0x942a800000	0x942a8fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a900000	0x942a900000	0x942aafffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942a900000	0x942a900000	0x942a9fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942aa00000	0x942aa00000	0x942abfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942aa00000	0x942aa00000	0x942aafffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942ab00000	0x942ab00000	0x942acfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000942ab00000	0x942ab00000	0x942abfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007df5ff630000	0x7df5ff630000	0x7ff5ff62ffff	Pagefile Backed Memory	-	Region Actions
private_0x00007ff7186e8000	0x7ff7186e8000	0x7ff7186e9fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff7186ea000	0x7ff7186ea000	0x7ff7186ebfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff7186ee000	0x7ff7186ee000	0x7ff7186effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007ff7186f0000	0x7ff7186f0000	0x7ff7187effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff7187f0000	0x7ff7187f0000	0x7ff718812fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff718814000	0x7ff718814000	0x7ff718814fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff718816000	0x7ff718816000	0x7ff718817fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff718818000	0x7ff718818000	0x7ff718819fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff71881a000	0x7ff71881a000	0x7ff71881bfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff71881c000	0x7ff71881c000	0x7ff71881dfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff71881e000	0x7ff71881e000	0x7ff71881ffff	Private Memory	Readable, Writable	Region Actions
runtimebroker.exe	0x7ff719590000	0x7ff7195a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntoskrnl.exe	0x7ff7a62c0000	0x7ff7a6b11fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.search.dll	0x7ffb25f30000	0x7ffb25ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
structuredquery.dll	0x7ffb26000000	0x7ffb260b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.internal.shell.broker.dll	0x7ffb29c70000	0x7ffb29d01fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwapi.dll	0x7ffb2afc0000	0x7ffb2afd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.networking.connectivity.dll	0x7ffb2afe0000	0x7ffb2b08bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tokenbroker.dll	0x7ffb2cfd0000	0x7ffb2d095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
execmodelclient.dll	0x7ffb2d630000	0x7ffb2d672fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
edputil.dll	0x7ffb2dc70000	0x7ffb2dc9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7ffb2dd30000	0x7ffb2e199fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7ffb2e8e0000	0x7ffb2e8edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7ffb2e9e0000	0x7ffb2ea3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7ffb2fa50000	0x7ffb2fa8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
idstore.dll	0x7ffb30d10000	0x7ffb30d36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.networking.hostname.dll	0x7ffb30dd0000	0x7ffb30e07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.ui.immersive.dll	0x7ffb318e0000	0x7ffb31a96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7ffb31aa0000	0x7ffb31e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mrmcorer.dll	0x7ffb32ec0000	0x7ffb32fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp110_win.dll	0x7ffb350b0000	0x7ffb35141fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
policymanager.dll	0x7ffb35150000	0x7ffb35188fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7ffb352c0000	0x7ffb352f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintypes.dll	0x7ffb36330000	0x7ffb36460fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7ffb36530000	0x7ffb3654bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7ffb366c0000	0x7ffb366d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7ffb36950000	0x7ffb36ad2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmdevapi.dll	0x7ffb36ae0000	0x7ffb36b51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7ffb36c00000	0x7ffb36c15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7ffb373f0000	0x7ffb373fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7ffb37410000	0x7ffb37447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7ffb37a60000	0x7ffb37a72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x7ffb37af0000	0x7ffb37b14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7ffb37b20000	0x7ffb37b45fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
coremessaging.dll	0x7ffb380d0000	0x7ffb38197fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7ffb38610000	0x7ffb386a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7ffb386b0000	0x7ffb386d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
twinapi.appcore.dll	0x7ffb387f0000	0x7ffb388ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7ffb38f90000	0x7ffb38f9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7ffb39260000	0x7ffb39292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7ffb39350000	0x7ffb3936efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7ffb39610000	0x7ffb39626fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7ffb39780000	0x7ffb3978afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb39960000	0x7ffb3998bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb39b60000	0x7ffb39b87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7ffb39b90000	0x7ffb39bfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7ffb39c00000	0x7ffb39c97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7ffb39d40000	0x7ffb39d50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb39d60000	0x7ffb39d6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb39d70000	0x7ffb39d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb39d90000	0x7ffb39dd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb39de0000	0x7ffb3a407fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7ffb3a410000	0x7ffb3a453fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb3a570000	0x7ffb3a622fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7ffb3a630000	0x7ffb3a7f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7ffb3a9e0000	0x7ffb3a9e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb3a9f0000	0x7ffb3aa40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb3aa50000	0x7ffb3bf74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb3c2d0000	0x7ffb3c375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb3c9b0000	0x7ffb3ca6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7ffb3ca70000	0x7ffb3cb14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb3cb20000	0x7ffb3cc60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb3cc70000	0x7ffb3ceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x7ffb3cfb0000	0x7ffb3cfb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Create Remote Thread	#9: c:\windows\explorer.exe	0xde4	address = 0x7ffb3d319fa0	1	Fn
Modify Memory	#9: c:\windows\explorer.exe	0xde4	address = 0x7ffb3d319fa0, size = 4	2	Fn Data
Modify Memory	#9: c:\windows\explorer.exe	0xde4	address = 0x942a670000, size = 598016	1	Fn
Modify Memory	#9: c:\windows\explorer.exe	0xde4	address = 0x94282f0000, size = 792	1	Fn Data
Modify Control Flow	#9: c:\windows\explorer.exe	0xde4	os_tid = 0xe30, address = 0x0	1	Fn

Threads

Thread 0xe30

(Host: 209, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x942823fb90	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x942823fb90	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x942823fb90	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:39 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb3d27e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb3a9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb3aa04dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb3c672610	1	Fn
Mutex	Create	mutex_name = {B3575357-76B9-5D62-1897-0AE1CCBBDEA5}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb3c2fec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb3cfb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb3cfb1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:43:39 (UTC)	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb3c2e72e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb3aa04e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb3aa04cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb3aa04e80	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb3c316dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Scr, type = REG_NONE	1	Fn

Thread 0xe2c

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Process #11: cmd.exe

(Host: 61, Network: 0)

Information	Value
ID	#11
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0xef0
Parent PID	0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EC0 0x F74

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x0000002e45920000	0x2e45920000	0x2e4593ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000002e45920000	0x2e45920000	0x2e4592ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000002e45930000	0x2e45930000	0x2e45936fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000002e45940000	0x2e45940000	0x2e45953fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000002e45960000	0x2e45960000	0x2e45a5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000002e45a60000	0x2e45a60000	0x2e45a63fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000002e45a70000	0x2e45a70000	0x2e45a70fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000002e45a80000	0x2e45a80000	0x2e45a81fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x2e45a90000	0x2e45b4dfff	Memory Mapped File	Readable	Region Actions
private_0x0000002e45b50000	0x2e45b50000	0x2e45b56fff	Private Memory	Readable, Writable	Region Actions
private_0x0000002e45b90000	0x2e45b90000	0x2e45c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000002e45c90000	0x2e45c90000	0x2e45d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000002e45dd0000	0x2e45dd0000	0x2e45ddffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x2e45de0000	0x2e46116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007df5ffa40000	0x7df5ffa40000	0x7ff5ffa3ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff699c00000	0x7ff699c00000	0x7ff699cfffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff699d00000	0x7ff699d00000	0x7ff699d22fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff699d24000	0x7ff699d24000	0x7ff699d24fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff699d2c000	0x7ff699d2c000	0x7ff699d2dfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff699d2e000	0x7ff699d2e000	0x7ff699d2ffff	Private Memory	Readable, Writable	Region Actions
cmd.exe	0x7ff69a200000	0x7ff69a258fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Threads

Thread 0xec0

(Host: 54, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff69a200000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb3d2825e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb3d281f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\nslookup.exe, os_pid = 0xf7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #13: nslookup.exe

(Host: 9, Network: 19)

Information	Value
ID	#13
File Name	c:\windows\system32\nslookup.exe
Command Line	nslookup myip.opendns.com resolver1.opendns.com
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:20, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:01:00

OS Process Information

Information	Value
PID	0xf7c
Parent PID	0xef0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x EA0 0x EAC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x0000004d203d0000	0x4d203d0000	0x4d203effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000004d203d0000	0x4d203d0000	0x4d203dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000004d203e0000	0x4d203e0000	0x4d203e6fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000004d203f0000	0x4d203f0000	0x4d20403fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000004d20410000	0x4d20410000	0x4d2048ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000004d20490000	0x4d20490000	0x4d20493fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000004d204a0000	0x4d204a0000	0x4d204a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000004d204b0000	0x4d204b0000	0x4d204b1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000004d204c0000	0x4d204c0000	0x4d204c6fff	Private Memory	Readable, Writable	Region Actions
nslookup.exe.mui	0x4d204d0000	0x4d204d4fff	Memory Mapped File	Readable	Region Actions
private_0x0000004d204e0000	0x4d204e0000	0x4d205dffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x4d205e0000	0x4d2069dfff	Memory Mapped File	Readable	Region Actions
private_0x0000004d206a0000	0x4d206a0000	0x4d2071ffff	Private Memory	Readable, Writable	Region Actions
imm32.dll	0x4d20720000	0x4d20753fff	Memory Mapped File	Readable	Region Actions
private_0x0000004d20720000	0x4d20720000	0x4d20720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000004d20730000	0x4d20730000	0x4d20730fff	Private Memory	Readable, Writable	Region Actions
private_0x0000004d20800000	0x4d20800000	0x4d2080ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000004d20810000	0x4d20810000	0x4d20997fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000004d209a0000	0x4d209a0000	0x4d20b20fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000004d20b30000	0x4d20b30000	0x4d21f2ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007df5ff780000	0x7df5ff780000	0x7ff5ff77ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff624a40000	0x7ff624a40000	0x7ff624b3ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff624b40000	0x7ff624b40000	0x7ff624b62fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff624b6a000	0x7ff624b6a000	0x7ff624b6bfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff624b6c000	0x7ff624b6c000	0x7ff624b6dfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff624b6e000	0x7ff624b6e000	0x7ff624b6efff	Private Memory	Readable, Writable	Region Actions
nslookup.exe	0x7ff625810000	0x7ff62582afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x7ffb2e450000	0x7ffb2e464fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x7ffb2e470000	0x7ffb2e489fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x7ffb2e490000	0x7ffb2e49cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7ffb308c0000	0x7ffb308c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7ffb361e0000	0x7ffb36247fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7ffb373f0000	0x7ffb373fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7ffb37410000	0x7ffb37447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7ffb37470000	0x7ffb37487fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7ffb393b0000	0x7ffb39457fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7ffb395b0000	0x7ffb3960cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb39b60000	0x7ffb39b87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7ffb3a9e0000	0x7ffb3a9e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7ffb3c570000	0x7ffb3c5d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Threads

Thread 0xea0

(Host: 9, Network: 19)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\nslookup.exe, base_address = 0x7ff625810000	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList	1	Fn
DNS	Get Hostname	name_out = LHnIwsj	1	Fn
DNS	Resolve Name	host = resolver1.opendns.com, address_out = 208.67.222.222	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 208.67.222.222, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 45, size_out = 45	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 80	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 208.67.222.222, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 34, size_out = 34	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 50	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 27	1	Fn Data
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 208.67.222.222, remote_port = 53	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 34, size_out = 34	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 102	1	Fn Data
Socket	Close	type = SOCK_DGRAM	1	Fn

Process #14: cmd.exe

(Host: 60, Network: 0)

Information	Value
ID	#14
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:22, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:58

OS Process Information

Information	Value
PID	0xd34
Parent PID	0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B0 0x D2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x0000005f2eeb0000	0x5f2eeb0000	0x5f2eecffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000005f2eeb0000	0x5f2eeb0000	0x5f2eebffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000005f2eec0000	0x5f2eec0000	0x5f2eec6fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000005f2eed0000	0x5f2eed0000	0x5f2eee3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000005f2eef0000	0x5f2eef0000	0x5f2efeffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000005f2eff0000	0x5f2eff0000	0x5f2eff3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000005f2f000000	0x5f2f000000	0x5f2f000fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000005f2f010000	0x5f2f010000	0x5f2f011fff	Private Memory	Readable, Writable	Region Actions
private_0x0000005f2f020000	0x5f2f020000	0x5f2f026fff	Private Memory	Readable, Writable	Region Actions
private_0x0000005f2f0d0000	0x5f2f0d0000	0x5f2f1cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x5f2f1d0000	0x5f2f28dfff	Memory Mapped File	Readable	Region Actions
private_0x0000005f2f290000	0x5f2f290000	0x5f2f38ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000005f2f520000	0x5f2f520000	0x5f2f52ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007df5ff5b0000	0x7df5ff5b0000	0x7ff5ff5affff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff699b10000	0x7ff699b10000	0x7ff699c0ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff699c10000	0x7ff699c10000	0x7ff699c32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff699c38000	0x7ff699c38000	0x7ff699c38fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff699c3c000	0x7ff699c3c000	0x7ff699c3dfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff699c3e000	0x7ff699c3e000	0x7ff699c3ffff	Private Memory	Readable, Writable	Region Actions
cmd.exe	0x7ff69a200000	0x7ff69a258fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Threads

Thread 0xb0

(Host: 53, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff69a200000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb3d2825e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb3d281f90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\A7BD.bi1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = size	1	Fn
File	Read	filename = STD_OUTPUT_HANDLE, size = 1, size_out = 1	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 11	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #16: winmail.exe

(Host: 210, Network: 0)

Information	Value
ID	#16
File Name	c:\program files\windows mail\winmail.exe
Command Line	"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:55

OS Process Information

Information	Value
PID	0xd24
Parent PID	0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00013d92 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D1C 0x F70 0x F30

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x0000007eac4f0000	0x7eac4f0000	0x7eac50ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000007eac4f0000	0x7eac4f0000	0x7eac4fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000007eac500000	0x7eac500000	0x7eac506fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000007eac510000	0x7eac510000	0x7eac523fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000007eac530000	0x7eac530000	0x7eac5affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000007eac5b0000	0x7eac5b0000	0x7eac5b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000007eac5c0000	0x7eac5c0000	0x7eac5c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000007eac5d0000	0x7eac5d0000	0x7eac5d1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac5e0000	0x7eac5e0000	0x7eac65ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac660000	0x7eac660000	0x7eac666fff	Private Memory	Readable, Writable	Region Actions
winmail.exe.mui	0x7eac670000	0x7eac671fff	Memory Mapped File	Readable	Region Actions
private_0x0000007eac680000	0x7eac680000	0x7eac680fff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac690000	0x7eac690000	0x7eac78ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x7eac790000	0x7eac84dfff	Memory Mapped File	Readable	Region Actions
private_0x0000007eac850000	0x7eac850000	0x7eac850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac860000	0x7eac860000	0x7eac860fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000007eac870000	0x7eac870000	0x7eac871fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000007eac880000	0x7eac880000	0x7eac881fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000007eac890000	0x7eac890000	0x7eac921fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000007eac930000	0x7eac930000	0x7eac931fff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac930000	0x7eac930000	0x7eac936fff	Private Memory	Readable, Writable	Region Actions
private_0x0000007eac9c0000	0x7eac9c0000	0x7eac9cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000007eac9d0000	0x7eac9d0000	0x7eacb57fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000007eacb60000	0x7eacb60000	0x7eacce0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000007eaccf0000	0x7eaccf0000	0x7eae0effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000007eae0f0000	0x7eae0f0000	0x7eae50ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x7eae510000	0x7eae846fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007df5ff160000	0x7df5ff160000	0x7ff5ff15ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff72a740000	0x7ff72a740000	0x7ff72a83ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff72a840000	0x7ff72a840000	0x7ff72a862fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff72a86b000	0x7ff72a86b000	0x7ff72a86cfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff72a86d000	0x7ff72a86d000	0x7ff72a86efff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff72a86f000	0x7ff72a86f000	0x7ff72a86ffff	Private Memory	Readable, Writable	Region Actions
winmail.exe	0x7ff72b500000	0x7ff72b569fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msoert2.dll	0x7ffb25180000	0x7ffb251a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7ffb34cc0000	0x7ffb34f33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb39960000	0x7ffb3998bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb39d60000	0x7ffb39d6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb39d70000	0x7ffb39d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb39d90000	0x7ffb39dd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb39de0000	0x7ffb3a407fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb3a570000	0x7ffb3a622fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb3a800000	0x7ffb3a9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb3a9f0000	0x7ffb3aa40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb3aa50000	0x7ffb3bf74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb3bf80000	0x7ffb3c0a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb3c290000	0x7ffb3c2c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb3c2d0000	0x7ffb3c375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb3c3e0000	0x7ffb3c564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb3c650000	0x7ffb3c79dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb3c950000	0x7ffb3c9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb3c9b0000	0x7ffb3ca6dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb3cb20000	0x7ffb3cc60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb3cc70000	0x7ffb3ceebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb3cf10000	0x7ffb3cfacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x7ffb3cfb0000	0x7ffb3cfb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb3d020000	0x7ffb3d17bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb3d260000	0x7ffb3d30cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb3d310000	0x7ffb3d4d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#9: c:\windows\explorer.exe	0xd3c	address = 0x7ff72b5076c0, size = 4	2	Fn Data
Modify Memory	#9: c:\windows\explorer.exe	0xd3c	address = 0x7eac890000, size = 598016	1	Fn
Modify Memory	#9: c:\windows\explorer.exe	0xd3c	address = 0x7eac860000, size = 792	1	Fn Data
Modify Control Flow	#9: c:\windows\explorer.exe	0xd3c	os_tid = 0xd1c, address = 0x7ff72a86f000	1	Fn

Threads

Thread 0xd1c

(Host: 209, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x7eac5afcc0	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x7eac5afcc0	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x7eac5afcc0	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:02 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\program files\windows mail\winmail.exe, file_name_orig = C:\Program Files\Windows Mail\WinMail.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb3d27e960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb3c2ed610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb3a9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb3aa04dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb3c650000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb3c672610	1	Fn
Mutex	Create	mutex_name = {DB45C3D0-7EC1-C5FA-603F-92C994E3E60D}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb3c2fec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb3cfb0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb3cfb1040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 16:44:02 (UTC)	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb3c2eb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb3c2e7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb3c2e72e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb3aa04e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb3aa04cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb3aa04e80	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb3c316dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Scr, type = REG_NONE	1	Fn

Thread 0xf30

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Process #17: chakmcat.exe

(Host: 2182, Network: 0)

Information	Value
ID	#17
File Name	c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:00, Reason: Autostart
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:20

OS Process Information

Information	Value
PID	0x2d4
Parent PID	0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 2F0 0x 30C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0033cfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000340000	0x00340000	0x00378fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000380000	0x00380000	0x00380fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003f8fff	Private Memory	Readable, Writable	Region Actions
chakmcat.exe	0x00400000	0x004a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000004b0000	0x004b0000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000610000	0x00610000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00897fff	Pagefile Backed Memory	Readable	Region Actions
oleaut32.dll	0x008a0000	0x00930fff	Memory Mapped File	Readable	Region Actions
private_0x00000000008a0000	0x008a0000	0x0099ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009a0000	0x009a0000	0x009affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x00b30fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000b40000	0x00b40000	0x01f3ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001f40000	0x01f40000	0x0204ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f40000	0x01f40000	0x01fd1fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002040000	0x02040000	0x0204ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002050000	0x02050000	0x024effff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x024f0000	0x02826fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002830000	0x02830000	0x029f1fff	Private Memory	Readable, Writable	Region Actions
wow64win.dll	0x650f0000	0x65162fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x65170000	0x65177fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x65180000	0x651cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x743c0000	0x74450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74460000	0x744b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744c0000	0x744c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744d0000	0x744edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74550000	0x746c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74890000	0x75c4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c50000	0x75c93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d10000	0x75d8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75d90000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dc0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75fa0000	0x760ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76140000	0x7622ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76230000	0x7634ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x76439fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x764e0000	0x76523fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76530000	0x7653bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76750000	0x76c2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x76c30000	0x76c3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76c40000	0x76cfdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76f00000	0x770b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x771e0000	0x7726cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77270000	0x7731bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77320000	0x77362fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773c0000	0x77538fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb6761ffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb67620000	0x7ffb677e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb677e2000	0x7ffb677e2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0x2f0

(Host: 2170, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7615a330	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76157580	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76159910	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7615f400	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x7741a200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x7741a200	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x7741f190	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x7741a200	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, size = 260	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76159640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76158b70	2	Fn
Module	Load	module_name = ntdll.dll, base_address = 0x773c0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwClose, address_out = 0x77428cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationToken, address_out = 0x77428df0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlNtStatusToDosError, address_out = 0x77413010	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcess, address_out = 0x77428e40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77428d50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = mbstowcs, address_out = 0x7742e610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memset, address_out = 0x7742ee50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = memcpy, address_out = 0x7742e7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77428f40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x77428e80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtMapViewOfSection, address_out = 0x77428e60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUpcaseUnicodeString, address_out = 0x7740e040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtCreateSection, address_out = 0x77429080	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = ZwOpenProcessToken, address_out = 0x77429d20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlFreeUnicodeString, address_out = 0x773fb940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x7741aca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtQueryVirtualMemory, address_out = 0x77428e10	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x764e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address_out = 0x764f7c40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrRChrA, address_out = 0x76502900	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionA, address_out = 0x76501db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrA, address_out = 0x765026c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address_out = 0x764fcd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address_out = 0x764f80d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address_out = 0x764f6a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = StrTrimW, address_out = 0x764f83a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameA, address_out = 0x764f8970	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x76140000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResetEvent, address_out = 0x761660b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76165f20	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x7615d8d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventA, address_out = 0x76165f70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateWaitableTimerA, address_out = 0x7615db30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x761657f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x76180960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x76166510	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x761661a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76166590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x773fda90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEvent, address_out = 0x761660c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x76166380	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76157940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76152db0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x7617d320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x761577b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76166170	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76157540	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x761525e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76152d80	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetWaitableTimer, address_out = 0x761660d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineW, address_out = 0x7615a4b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x761674f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76159640	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76159950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x7615d940	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76166110	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76152b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address_out = 0x761661b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76180da0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x76182a00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x7615a280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x7615ed00	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x7615c1f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameA, address_out = 0x761663f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x76166140	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathA, address_out = 0x76166410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76151b90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x76166360	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpynA, address_out = 0x7615f7b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x76166270	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareFileTime, address_out = 0x76166130	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLongPathNameW, address_out = 0x761547c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x761592b0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x7615a300	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76151d90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x761661d0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x7615e320	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x7615c8c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x7615efc0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76163a30	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76166530	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x761664a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76159560	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x7615a040	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76166180	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76152af0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76158c70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76157610	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76158b70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x761664f0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x7617d410	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76166150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x761662a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x761587c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x76166210	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75dc0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x75deddf0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x75deea00	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x75d10000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExA, address_out = 0x75d2ee40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x75d5bda0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyA, address_out = 0x75d331a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x75d2ed40	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x75d2ee90	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x75d30ea0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyA, address_out = 0x75d33150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x75d2f0a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExA, address_out = 0x75d30750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegDeleteValueW, address_out = 0x75d30ca0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyW, address_out = 0x75d2f590	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegEnumKeyExA, address_out = 0x75d32520	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x75d2efa0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x75d2ed60	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExA, address_out = 0x75d2f000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x75d30f50	1	Fn
Module	Load	module_name = SHELL32.dll, base_address = 0x74890000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x74a24cb0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x74a24370	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 92, address_out = 0x74b07560	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x76350000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoInitializeEx, address_out = 0x76f6cd50	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoUninitialize, address_out = 0x76f6dca0	1	Fn
Module	Get Handle	module_name = c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe, base_address = 0x400000	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C83.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C93.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C94.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C95.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C96.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C97.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7C98.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CA9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CAD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CBF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CC2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CD9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CED.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CEF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7CFF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D00.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D01.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D02.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D03.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D14.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D15.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D16.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D17.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D18.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D19.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D2F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D3F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D40.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D41.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D42.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D43.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D44.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D55.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D56.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D57.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D58.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D59.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D5A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D6E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D7F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D80.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D81.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D82.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D83.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D84.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D95.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D96.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D97.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D98.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D99.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7D9A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DAF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DC4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DD9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DDB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DED.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7DEF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E00.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E01.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E02.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E03.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E04.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E14.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E15.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E16.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E17.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E18.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E29.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E2E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E3F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E40.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E41.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E42.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E43.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E44.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E54.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E55.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E56.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E57.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E58.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E69.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E6D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E7F.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E80.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E81.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E82.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E83.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E93.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E94.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E95.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E96.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E97.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7E98.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EA9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EAA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBA.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBB.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBC.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBD.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBE.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EBF.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED0.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED1.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED2.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED3.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7ED4.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE5.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EE6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF6.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF7.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF8.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7EF9.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0A.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0B.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0C.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0D.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp, type = time	1	Fn
File	Write	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp, size = 8	1	Fn Data
File	Delete	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F0E.tmp	1	Fn
File	Create Temp File	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F1F.tmp, path = C:\Users\CIIHMN~1\AppData\Local\Temp\	1	Fn
File	Create	filename = C:\Users\CIIHMN~1\AppData\Local\Temp\7F1F.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
For performance reasons, the remaining 1170 entries are omitted. The remaining entries can be found in glog.xml.

Process #18: svchost.exe

(Host: 261, Network: 0)

Information	Value
ID	#18
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:03, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0x998
Parent PID	0x2d4 (c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 904 0x 880 0x BFC 0x 80C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000c70000	0x00c70000	0x00d01fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d10fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000007ffb0000	0x7ffb0000	0x7ffb0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000ff91c70000	0xff91c70000	0xff91c8ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000ff91c70000	0xff91c70000	0xff91c7ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000ff91c80000	0xff91c80000	0xff91c81fff	Private Memory	Readable, Writable	Region Actions
svchost.exe.mui	0xff91c80000	0xff91c80fff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000ff91c90000	0xff91c90000	0xff91ca3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000ff91cb0000	0xff91cb0000	0xff91d2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000ff91d30000	0xff91d30000	0xff91d33fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000ff91d40000	0xff91d40000	0xff91d40fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000ff91d50000	0xff91d50000	0xff91d51fff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff91d60000	0xff91d60000	0xff91ddffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff91de0000	0xff91de0000	0xff91de0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff91df0000	0xff91df0000	0xff91df0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff91e00000	0xff91e00000	0xff91e06fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0xff91e10000	0xff91ecdfff	Memory Mapped File	Readable	Region Actions
private_0x000000ff91f00000	0xff91f00000	0xff91ffffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92000000	0xff92000000	0xff921a8fff	Private Memory	Readable, Writable	Region Actions
ole32.dll	0xff92000000	0xff92140fff	Memory Mapped File	Readable	Region Actions
private_0x000000ff92000000	0xff92000000	0xff92128fff	Private Memory	Readable, Writable	Region Actions
imm32.dll	0xff92000000	0xff92033fff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000ff92000000	0xff92000000	0xff92091fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x000000ff92120000	0xff92120000	0xff92128fff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff921a0000	0xff921a0000	0xff921a8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff921b0000	0xff921b0000	0xff923affff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92200000	0xff92200000	0xff922fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92300000	0xff92300000	0xff924fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92300000	0xff92300000	0xff923fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92400000	0xff92400000	0xff925fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92400000	0xff92400000	0xff924fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92500000	0xff92500000	0xff926fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92500000	0xff92500000	0xff925fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92600000	0xff92600000	0xff927fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000ff92600000	0xff92600000	0xff926fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000ff92700000	0xff92700000	0xff92887fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000ff92890000	0xff92890000	0xff92a10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000ff92a20000	0xff92a20000	0xff93e1ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0xff93e20000	0xff94156fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00007df5ff180000	0x7df5ff180000	0x7ff5ff17ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x00007ff77a5c0000	0x7ff77a5c0000	0x7ff77a6bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff77a6c0000	0x7ff77a6c0000	0x7ff77a6e2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff77a6eb000	0x7ff77a6eb000	0x7ff77a6ebfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff77a6ec000	0x7ff77a6ec000	0x7ff77a6edfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff77a6ee000	0x7ff77a6ee000	0x7ff77a6effff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x7ff77a6f0000	0x7ff77a6fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb63c70000	0x7ffb63c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb64a50000	0x7ffb64c2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb64cf0000	0x7ffb64dadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb64f80000	0x7ffb65104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb66640000	0x7ffb66765fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x7ffb66770000	0x7ffb66777fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb66780000	0x7ffb667b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb667c0000	0x7ffb6690dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb66b30000	0x7ffb66b80fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb66bf0000	0x7ffb66e6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb670d0000	0x7ffb6717cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb672d0000	0x7ffb6736cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb673a0000	0x7ffb67445fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb67450000	0x7ffb675abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb675c0000	0x7ffb6761afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb67620000	0x7ffb677e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe	0x2f0	address = 0xc70000, size = 598016	1	Fn
Modify Memory	#17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe	0x2f0	address = 0xd10000, size = 792	1	Fn Data
Modify Control Flow	#17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe	0x2f0	os_tid = 0x904, address = 0x7a6eb000	1	Fn
Modify Memory	#17: c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\amsisigd\chakmcat.exe	0x2f0	address = 0x7ff77a6f3440, size = 4	1	Fn Data

Threads

Thread 0x904

(Host: 246, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0xff91d2f830	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0xff91d2f830	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0xff91d2f830	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:38 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb670ee960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb673a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb66b30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb66b44dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb667c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb667e2610	1	Fn
Mutex	Create	mutex_name = {BF4FAD76-121A-4972-1463-668D8847FA11}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb64a50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb673cec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb673a0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb673a0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb66770000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb66771040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	16	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:38 (UTC)	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb673bb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb673b7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb673b72e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb66b44e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb66b44cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb66b44e80	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetShellWindow, address_out = 0x7ffb667e4060	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetWindowThreadProcessId, address_out = 0x7ffb667d4040	1	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Address	module_name = c:\windows\system32\ntdll.dll, function = RtlExitUserThread, address_out = 0x7ffb67629fa0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateRemoteThread, address_out = 0x7ffb671126d0	1	Fn
Thread	Create	process_name = c:\windows\explorer.exe, proc_address = 0x7ffb67629fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Thread	Suspend	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1097663180608	1	Fn
Module	Map	process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xff92000000	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9090000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb67620000	1	Fn
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = c:\windows\system32\ntdll.dll, process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Memory	Allocate	process_name = c:\windows\explorer.exe, address = 0xff91d2e9a0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1097663179176	1	Fn
Thread	Get Context	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x9130000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Module	Unmap	process_name = c:\windows\system32\svchost.exe	1	Fn
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\explorer.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\explorer.exe, os_tid = 0x940	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb673e6dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Scr, type = REG_NONE	1	Fn

Process #19: explorer.exe

(Host: 572, Network: 804)

Information	Value
ID	#19
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:03, Reason: Injection
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0x2b4
Parent PID	0x478 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7A8 0x 7AC 0x 750 0x 87C 0x BEC 0x BE8 0x BE0 0x BDC 0x BD8 0x BA0 0x B9C 0x B88 0x B84 0x A74 0x A6C 0x A68 0x A64 0x A50 0x A40 0x A38 0x A30 0x A2C 0x A28 0x A1C 0x 9F8 0x 9C4 0x 9B0 0x 994 0x 990 0x 958 0x 954 0x 94C 0x 944 0x 938 0x 92C 0x 928 0x 91C 0x 900 0x 8FC 0x 8F4 0x 8EC 0x 8E4 0x 8E0 0x 8D4 0x 8D0 0x 8CC 0x 8C8 0x 8C4 0x 8C0 0x 8BC 0x 8B4 0x 8B0 0x 8A8 0x 88C 0x 85C 0x 834 0x 808 0x 804 0x 6E8 0x 414 0x 418 0x 748 0x 74C 0x 73C 0x 710 0x 484 0x 480 0x 650 0x 62C 0x 5E4 0x 57C 0x 5D0 0x 608 0x 588 0x 4F0 0x 940 0x 654 0x 9E4 0x 82C 0x 9CC 0x B30 0x 7B4 0x 7DC

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000170000	0x00170000	0x0017ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x00186fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00233fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00242fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x00251fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00260000	0x0031dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003a6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	Readable, Writable	Region Actions
explorer.exe.mui	0x004b0000	0x004b7fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x004d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x004e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x004f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00500fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00510fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x00520000	0x00523fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db	0x00530000	0x00551fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x00560fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00707fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x01c9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ca0000	0x01ca0000	0x01d1ffff	Private Memory	Readable, Writable	Region Actions
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000031.db	0x01d20000	0x01d3afff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d40000	0x01d40000	0x01d4ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01d50000	0x02086fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002090000	0x02090000	0x0210ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002110000	0x02110000	0x0218ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002190000	0x02190000	0x0220ffff	Private Memory	Readable, Writable	Region Actions
shell32.dll.mui	0x02210000	0x02270fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002280000	0x02280000	0x02282fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002290000	0x02290000	0x02292fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000022a0000	0x022a0000	0x022c9fff	Pagefile Backed Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x022d0000	0x023aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000023b0000	0x023b0000	0x0242ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002430000	0x02430000	0x024affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x0252ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002530000	0x02530000	0x02531fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002540000	0x02540000	0x02541fff	Pagefile Backed Memory	Readable	Region Actions
oleaccrc.dll	0x02550000	0x02551fff	Memory Mapped File	Readable	Region Actions
oleaccrc.dll.mui	0x02560000	0x02564fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002570000	0x02570000	0x02627fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002630000	0x02630000	0x02633fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002640000	0x02640000	0x0273ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x0283ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002840000	0x02840000	0x02846fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002850000	0x02850000	0x02852fff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02860000	0x0389ffff	Memory Mapped File	Readable	Region Actions
private_0x00000000038a0000	0x038a0000	0x038a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000038b0000	0x038b0000	0x038b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000038c0000	0x038c0000	0x038c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000038d0000	0x038d0000	0x038d2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000038e0000	0x038e0000	0x0395ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003960000	0x03960000	0x03961fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003970000	0x03970000	0x03970fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003980000	0x03980000	0x03980fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003990000	0x03990000	0x03990fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000039a0000	0x039a0000	0x039a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000039b0000	0x039b0000	0x039bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000039c0000	0x039c0000	0x039cffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000039d0000	0x039d0000	0x039dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000039e0000	0x039e0000	0x039e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000039f0000	0x039f0000	0x039f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003a00000	0x03a00000	0x03a00fff	Private Memory	Readable, Writable	Region Actions
cversions.1.db	0x03a10000	0x03a13fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003a20000	0x03a20000	0x03a20fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003a30000	0x03a30000	0x03a30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003a40000	0x03a40000	0x03a40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003a50000	0x03a50000	0x03a52fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003a60000	0x03a60000	0x03a98fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003aa0000	0x03aa0000	0x03aa0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ab0000	0x03ab0000	0x03ab0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003ac0000	0x03ac0000	0x03ac2fff	Pagefile Backed Memory	Readable	Region Actions
stobject.dll.mui	0x03ad0000	0x03ad1fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000003ae0000	0x03ae0000	0x03ae2fff	Pagefile Backed Memory	Readable	Region Actions
inputswitch.dll.mui	0x03af0000	0x03af1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003b00000	0x03b00000	0x03b00fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003b10000	0x03b10000	0x03b12fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003b20000	0x03b20000	0x03b21fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003b30000	0x03b30000	0x03b32fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x03b40000	0x03b43fff	Memory Mapped File	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db	0x03b50000	0x03b92fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x03ba0000	0x03ba3fff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db	0x03bb0000	0x03c3afff	Memory Mapped File	Readable	Region Actions
propsys.dll.mui	0x03c40000	0x03c50fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003c60000	0x03c60000	0x03cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ce0000	0x03ce0000	0x03d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d60000	0x03d60000	0x03ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003de0000	0x03de0000	0x03e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e60000	0x03e60000	0x03e60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e70000	0x03e70000	0x03eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ef0000	0x03ef0000	0x03f6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003f70000	0x03f70000	0x04461fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004470000	0x04470000	0x044effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044f0000	0x044f0000	0x0456ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004570000	0x04570000	0x045effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045f0000	0x045f0000	0x0466ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004670000	0x04670000	0x046effff	Private Memory	Readable, Writable	Region Actions
iconcache_idx.db	0x046f0000	0x046f1fff	Memory Mapped File	Readable, Writable	Region Actions
iconcache_256.db	0x04700000	0x04700fff	Memory Mapped File	Readable, Writable	Region Actions
winnlsres.dll	0x04710000	0x04714fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004720000	0x04720000	0x0479ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000047a0000	0x047a0000	0x047a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000047b0000	0x047b0000	0x047b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047c0000	0x047c0000	0x047c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047d0000	0x047d0000	0x0484ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004850000	0x04850000	0x04851fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004860000	0x04860000	0x048dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048e0000	0x048e0000	0x0495ffff	Private Memory	Readable, Writable	Region Actions
iconcache_idx.db	0x04960000	0x04961fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004970000	0x04970000	0x04a6ffff	Private Memory	Readable, Writable	Region Actions
winnlsres.dll.mui	0x04a70000	0x04a7ffff	Memory Mapped File	Readable	Region Actions
mswsock.dll.mui	0x04a80000	0x04a82fff	Memory Mapped File	Readable	Region Actions
imageres.dll.mui	0x04a90000	0x04a90fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004aa0000	0x04aa0000	0x04aa8fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ab0000	0x04ab0000	0x04ab3fff	Private Memory	Readable, Writable	Region Actions
thumbcache_idx.db	0x04ac0000	0x04ac1fff	Memory Mapped File	Readable, Writable	Region Actions
netmsg.dll	0x04ad0000	0x04ad0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004ae0000	0x04ae0000	0x04ae8fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004af0000	0x04af0000	0x04af0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b00000	0x04b00000	0x04b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b80000	0x04b80000	0x04bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004c00000	0x04c00000	0x04c02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004c10000	0x04c10000	0x04c57fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004c60000	0x04c60000	0x04ca7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004cb0000	0x04cb0000	0x04d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004d30000	0x04d30000	0x0552ffff	Private Memory	-	Region Actions
thumbcache_48.db	0x05530000	0x0562ffff	Memory Mapped File	Readable, Writable	Region Actions
netmsg.dll.mui	0x05630000	0x05661fff	Memory Mapped File	Readable	Region Actions
private_0x0000000005670000	0x05670000	0x056effff	Private Memory	Readable, Writable	Region Actions
iconcache_idx.db	0x056f0000	0x056f1fff	Memory Mapped File	Readable, Writable	Region Actions
iconcache_48.db	0x05700000	0x057fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000005800000	0x05800000	0x0587ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005880000	0x05880000	0x058fffff	Private Memory	Readable, Writable	Region Actions
thumbcache_idx.db	0x05900000	0x05901fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_48.db	0x05910000	0x05a0ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_idx.db	0x05a10000	0x05a11fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000005a20000	0x05a20000	0x05a68fff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x05a70000	0x05a73fff	Memory Mapped File	Readable	Region Actions
sndvolsso.dll.mui	0x05a80000	0x05a81fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005a90000	0x05a90000	0x05a92fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005aa0000	0x05aa0000	0x05aa0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005ab0000	0x05ab0000	0x05ab1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005ac0000	0x05ac0000	0x05ac0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005ad0000	0x05ad0000	0x05b4ffff	Private Memory	Readable, Writable	Region Actions
windows.storage.dll.mui	0x05b50000	0x05b57fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000005b60000	0x05b60000	0x05b62fff	Pagefile Backed Memory	Readable	Region Actions
For performance reasons, the remaining 787 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Create Remote Thread	#18: c:\windows\system32\svchost.exe	0x904	address = 0x7ffb67629fa0	1	Fn
Modify Memory	#18: c:\windows\system32\svchost.exe	0x904	address = 0x7ffb67629fa0, size = 4	2	Fn Data
Modify Memory	#18: c:\windows\system32\svchost.exe	0x904	address = 0x9090000, size = 598016	1	Fn
Modify Memory	#18: c:\windows\system32\svchost.exe	0x904	address = 0x9130000, size = 792	1	Fn Data
Modify Control Flow	#18: c:\windows\system32\svchost.exe	0x904	os_tid = 0x940, address = 0x0	1	Fn

Threads

Thread 0x940

(Host: 218, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0x908f810	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0x908f810	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0x908f810	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0x908f810	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0x908f810	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:39 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = IsWow64Process, address_out = 0x7ffb670ee960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb673a0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb66b30000	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrA, address_out = 0x7ffb66b44dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb667c0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = wsprintfA, address_out = 0x7ffb667e2610	1	Fn
Mutex	Create	mutex_name = {2B1EAAC7-8E9D-9587-F08F-A2992433F6DD}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb64a50000	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetUserNameA, address_out = 0x7ffb673cec40	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetShellWindow, address_out = 0x7ffb667e4060	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetWindowThreadProcessId, address_out = 0x7ffb667d4040	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb673a0000	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = KERNEL32.DLL, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb673a0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb66770000	1	Fn
Module	Get Address	module_name = Unknown module name, function = EnumProcessModules, address_out = 0x7ffb66771040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	63	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:39 (UTC)	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegOpenKeyA, address_out = 0x7ffb673bb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueExA, address_out = 0x7ffb673b7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegCloseKey, address_out = 0x7ffb673b72e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrToIntExA, address_out = 0x7ffb66b44e70	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrA, address_out = 0x7ffb66b44cc0	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrTrimA, address_out = 0x7ffb66b44e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegCreateKeyA, address_out = 0x7ffb673e6dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Module	Load	module_name = ole32.dll, base_address = 0x7ffb66e70000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateStreamOnHGlobal, address_out = 0x7ffb66c170a0	1	Fn
Module	Load	module_name = ADVAPI32.DLL, base_address = 0x7ffb673a0000	1	Fn
Module	Get Handle	module_name = ADVAPI32.DLL, base_address = 0x7ffb673a0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
File	Create Pipe	pipe_name = pipe\{d0964750-ef7b-8278-f904-93d63d78776a}, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255	1	Fn

Thread 0x654

(Host: 15, Network: 154)

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = StrStrIA, address_out = 0x7ffb66b3e1c0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = WINHTTP.dll, base_address = 0x7ffb5d730000	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpOpen, address_out = 0x7ffb5d74bc40	1	Fn
Inet	Open Session	user_agent = Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0, access_type = WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, flags = WINHTTP_FLAG_SYNC	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrCmpIW, address_out = 0x7ffb66b3be50	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = ProxySettingsPerUser	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpConnect, address_out = 0x7ffb5d749550	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = titanliquor.ca, server_port = 80	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpOpenRequest, address_out = 0x7ffb5d749c10	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /images/A/2.tif, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryOption, address_out = 0x7ffb5d731900	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpSetOption, address_out = 0x7ffb5d747a20	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpSendRequest, address_out = 0x7ffb5d748330	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = titanliquor.ca/images/A/2.tif	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpReceiveResponse, address_out = 0x7ffb5d748c80	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryHeaders, address_out = 0x7ffb5d746d90	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_RAW_HEADERS_CRLF	1	Fn
Inet	Query HTTP Info	flags = HTTP_QUERY_RAW_HEADERS_CRLF, size_out = 710	1	Fn Data
Module	Get Address	module_name = Unknown module name, function = WinHttpQueryDataAvailable, address_out = 0x7ffb5d756ac0	1	Fn
Module	Get Address	module_name = Unknown module name, function = WinHttpReadData, address_out = 0x7ffb5d744200	1	Fn
Inet	Read Response	size = 3693, size_out = 3693	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 2280, size_out = 2280	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	4	Fn Data
Inet	Read Response	size = 1040, size_out = 1040	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	2	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	9	Fn Data
Inet	Read Response	size = 3792, size_out = 3792	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	15	Fn Data
Inet	Read Response	size = 2448, size_out = 2448	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	2	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	8	Fn Data
Inet	Read Response	size = 3532, size_out = 3532	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	3	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 3684, size_out = 3684	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 3164, size_out = 3164	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 2232, size_out = 2232	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	11	Fn Data
Inet	Read Response	size = 1408, size_out = 1408	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	53	Fn Data
Inet	Read Response	size = 3616, size_out = 3616	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 260, size_out = 260	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 1712, size_out = 1712	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 1972, size_out = 1972	1	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	2	Fn Data
Inet	Read Response	size = 1452, size_out = 1452	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	3	Fn Data
Inet	Read Response	size = 780, size_out = 780	1	Fn Data
Inet	Read Response	size = 2904, size_out = 2904	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	4	Fn Data
Inet	Read Response	size = 3944, size_out = 3944	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 520, size_out = 520	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	2	Fn Data
Inet	Read Response	size = 3424, size_out = 3424	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	499	Fn Data

Thread 0x9e4

(Host: 59, Network: 0)

Category	Operation	Information	Count	Logfile
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
File	Create	filename = C:\Windows\system32\c_1252.nls, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\system32\c_1252.nls, type = time	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegQueryValueExW, address_out = 0x7ffb673b6c70	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Accocca, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Accocca, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, type = REG_SZ	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrChrW, address_out = 0x7ffb66b3a2a0	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Amsisigd\Chakmcat.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathCombineW, address_out = 0x7ffb66b3d130	1	Fn
Module	Get Address	module_name = Unknown module name, function = StrRChrW, address_out = 0x7ffb66b3dd80	1	Fn
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, type = size	1	Fn
File	Read	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, size = 11513, size_out = 11513	1	Fn Data
File	Create	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Write	filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\prefs.js, size = 48	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegSetValueExA, address_out = 0x7ffb673a2680	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Get Handle	module_name = kernelbase, base_address = 0x7ffb64a50000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	191	Fn
Process	Open	desired_access = PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
Module	Get Address	module_name = Unknown module name, function = RtlExitUserThread, address_out = 0x7ffb67629fa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateRemoteThread, address_out = 0x7ffb671126d0	1	Fn
Thread	Create	process_name = c:\windows\system32\runtimebroker.exe, proc_address = 0x7ffb67629fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED	1	Fn
Memory	Read	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	os_tid = 0xb2c	1	Fn
Thread	Suspend	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xb2c	1	Fn
Thread	Get Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xb2c	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 153416944	1	Fn
Module	Map	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9450000	1	Fn
Module	Map	process_name = c:\windows\system32\runtimebroker.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xfa3ba00000	1	Fn
Module	Get Handle	module_name = NTDLL.DLL, base_address = 0x7ffb67620000	1	Fn
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Module	Get Filename	module_name = NTDLL.DLL, process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260	1	Fn
File	Create	filename = C:\Windows\SYSTEM32\ntdll.dll, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\SYSTEM32\ntdll.dll, size = 4, size_out = 4	1	Fn Data
Thread	Get Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xb2c	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0xfa398d0000, size = 792	1	Fn Data
Thread	Set Context	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xb2c	1	Fn
Module	Unmap	process_name = c:\windows\explorer.exe	1	Fn
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READWRITE, size = 4	1	Fn
Memory	Write	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, size = 4	1	Fn Data
Memory	Protect	process_name = c:\windows\system32\runtimebroker.exe, address = 0x7ffb67629fa0, protection = PAGE_EXECUTE_READ, size = 4	1	Fn
Thread	Resume	process_name = c:\windows\system32\runtimebroker.exe, os_tid = 0xb2c	1	Fn

Thread 0x82c

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0x9cc

(Host: 12, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 35765	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff77f080000	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterClassA, address_out = 0x7ffb667e1310	1	Fn
Module	Get Handle	module_name = Unknown module name, base_address = 0x7ff77f080000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateWindowExA, address_out = 0x7ffb667e4df0	1	Fn
Window	Create	class_name = {0A62B810-AC2F-6BC2-4439-B87D16D3AAB7}, wndproc_parameter = 151783776	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetWindowLongPtrA, address_out = 0x7ffb667ccae0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DefWindowProcA, address_out = 0x7ffb676b3230	1	Fn
Module	Get Address	module_name = Unknown module name, function = SetWindowLongPtrA, address_out = 0x7ffb667d61f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetMessageA, address_out = 0x7ffb667daa50	1	Fn
Module	Get Address	module_name = Unknown module name, function = TranslateMessage, address_out = 0x7ffb667d36a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispatchMessageA, address_out = 0x7ffb667e61e0	1	Fn

Thread 0xb30

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn

Thread 0x7b4

(Host: 13, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Module	Get Address	module_name = Unknown module name, function = PathFindFileNameA, address_out = 0x7ffb66b3cf30	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = {C2A3A3DE-3990-44FC-D316-7DB8B7AA016C}, type = REG_BINARY	2	Fn Data
System	Get Time	type = System Time, time = 2017-12-11 05:44:41 (UTC)	1	Fn
Mutex	Open	mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{2EBE0010-B5EF-903D-AF42-B9C45396FD38}	1	Fn
Mutex	Open	mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Create	mutex_name = Local\{CC210EB6-BBF2-DEC8-A5C0-1FF2A9F4C346}	1	Fn
Mutex	Release	mutex_name = Local\{14572DFD-6357-66D5-8D88-47FA113C6BCE}	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Process #20: runonce.exe

Information	Value
ID	#20
File Name	c:\windows\syswow64\runonce.exe
Command Line	C:\Windows\SysWOW64\runonce.exe /Run6432
Initial Working Directory	C:\Windows\SysWOW64\
Monitor	Start Time: 00:02:03, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:17
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x190
Parent PID	0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 278 0x 9B0 0x 744

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x00000000004e0000	0x004e0000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x004effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x004f3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000500000	0x00500000	0x00500fff	Private Memory	Readable, Writable	Region Actions
runonce.exe.mui	0x00500000	0x00500fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00523fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000530000	0x00530000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x005affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x005b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x005c2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005d0000	0x005d0000	0x005d1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x005e0000	0x0069dfff	Memory Mapped File	Readable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006e0000	0x006e0000	0x006effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006f0000	0x006f0000	0x0072ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x00730fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000740000	0x00740000	0x00740fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x00761fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000770000	0x00770000	0x007a3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x0091ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000920000	0x00920000	0x0095ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a20000	0x00a20000	0x00a2ffff	Private Memory	Readable, Writable	Region Actions
runonce.exe	0x00a90000	0x00a9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000aa0000	0x00aa0000	0x04a9ffff	Pagefile Backed Memory	-	Region Actions
pagefile_0x0000000004aa0000	0x04aa0000	0x04c27fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004c30000	0x04c30000	0x04db0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004dc0000	0x04dc0000	0x061bffff	Pagefile Backed Memory	Readable	Region Actions
wow64win.dll	0x650f0000	0x65162fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x65170000	0x65177fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x65180000	0x651cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x741d0000	0x74244fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74250000	0x74458fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74460000	0x744b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x744c0000	0x744c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x744d0000	0x744edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x74550000	0x746c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74890000	0x75c4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75c50000	0x75c93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75d10000	0x75d8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75d90000	0x75dbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75dc0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75fa0000	0x760ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76140000	0x7622ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76230000	0x7634ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76350000	0x76439fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x764e0000	0x76523fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76530000	0x7653bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76750000	0x76c2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x76c30000	0x76c3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76c40000	0x76cfdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x76f00000	0x770b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x771e0000	0x7726cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77270000	0x7731bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77320000	0x77362fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x773c0000	0x77538fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ea7d000	0x7ea7d000	0x7ea7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007ea80000	0x7ea80000	0x7eb7ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007eb80000	0x7eb80000	0x7eba2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007eba5000	0x7eba5000	0x7eba5fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007eba8000	0x7eba8000	0x7ebaafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ebab000	0x7ebab000	0x7ebadfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ebae000	0x7ebae000	0x7ebaefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb6761ffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb67620000	0x7dfb67620000	0x7ffb6761ffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb67620000	0x7ffb677e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb677e2000	0x7ffb677e2000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #21: onenotem.exe

Information	Value
ID	#21
File Name	c:\program files\microsoft office\root\office16\onenotem.exe
Command Line	"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:16
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x11c
Parent PID	0x2b4 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 858 0x 7CC 0x 75C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000141b670000	0x141b670000	0x141b68ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141b670000	0x141b670000	0x141b67ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000141b680000	0x141b680000	0x141b686fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141b690000	0x141b690000	0x141b6a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000141b6b0000	0x141b6b0000	0x141b7affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141b7b0000	0x141b7b0000	0x141b7b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000141b7c0000	0x141b7c0000	0x141b7c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000141b7d0000	0x141b7d0000	0x141b7d1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x141b7e0000	0x141b89dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x000000141b8a0000	0x141b8a0000	0x141b8a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000141b8b0000	0x141b8b0000	0x141b8b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000141b8c0000	0x141b8c0000	0x141b8c6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000141b8d0000	0x141b8d0000	0x141b9cffff	Private Memory	Readable, Writable	Region Actions
private_0x000000141b9d0000	0x141b9d0000	0x141bacffff	Private Memory	Readable, Writable	Region Actions
private_0x000000141bad0000	0x141bad0000	0x141bad0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000141bae0000	0x141bae0000	0x141bae0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141baf0000	0x141baf0000	0x141baf0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000141bb00000	0x141bb00000	0x141bbfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000141bc00000	0x141bc00000	0x141bc00fff	Private Memory	Readable, Writable	Region Actions
private_0x000000141bc10000	0x141bc10000	0x141bc10fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141bc20000	0x141bc20000	0x141bc21fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000141bc30000	0x141bc30000	0x141bc3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000141bc40000	0x141bc40000	0x141bdc7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000141bdd0000	0x141bdd0000	0x141bf50fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000141bf60000	0x141bf60000	0x141d35ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x141d360000	0x141d696fff	Memory Mapped File	Readable	Region Actions
private_0x000000141d720000	0x141d720000	0x141d72ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000141d7a0000	0x141d7a0000	0x141d7affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007ff7ae2d0000	0x7ff7ae2d0000	0x7ff7ae3cffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff7ae3d0000	0x7ff7ae3d0000	0x7ff7ae3f2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff7ae3fb000	0x7ff7ae3fb000	0x7ff7ae3fbfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff7ae3fc000	0x7ff7ae3fc000	0x7ff7ae3fdfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff7ae3fe000	0x7ff7ae3fe000	0x7ff7ae3fffff	Private Memory	Readable, Writable	Region Actions
onenotem.exe	0x7ff7ae8a0000	0x7ff7ae8cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vcruntime140.dll	0x7ffb557b0000	0x7ffb557c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
c2r64.dll	0x7ffb58bd0000	0x7ffb58cf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvsubsystems64.dll	0x7ffb58d00000	0x7ffb58f35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvstream64.dll	0x7ffb59070000	0x7ffb590e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x7ffb5da60000	0x7ffb5dd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x7ffb5dda0000	0x7ffb5df48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ucrtbase.dll	0x7ffb5fed0000	0x7ffb5ffc1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7ffb61ef0000	0x7ffb61ef6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7ffb627a0000	0x7ffb62817fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7ffb62920000	0x7ffb629b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7ffb63600000	0x7ffb6361efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7ffb63a90000	0x7ffb63a9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb63e70000	0x7ffb63e97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7ffb63ea0000	0x7ffb63f0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb64050000	0x7ffb64062fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb64070000	0x7ffb640b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb640c0000	0x7ffb640cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb64140000	0x7ffb64767fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb64a50000	0x7ffb64c2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb64c30000	0x7ffb64ce2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb64cf0000	0x7ffb64dadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb64f80000	0x7ffb65104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb65110000	0x7ffb66634fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb66640000	0x7ffb66765fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb66780000	0x7ffb667b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb667c0000	0x7ffb6690dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb66b30000	0x7ffb66b80fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb66bf0000	0x7ffb66e6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb66e70000	0x7ffb66fb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb670d0000	0x7ffb6717cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb672d0000	0x7ffb6736cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb673a0000	0x7ffb67445fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb67450000	0x7ffb675abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb675b0000	0x7ffb675b0000	0x7ffb675bffff	Private Memory	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb675c0000	0x7ffb6761afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb67620000	0x7ffb677e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Process #22: runtimebroker.exe

(Host: 272, Network: 0)

Information	Value
ID	#22
File Name	c:\windows\system32\runtimebroker.exe
Command Line	C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:05, Reason: Injection
Unmonitor	End Time: 00:02:20, Reason: Terminated by Timeout
Monitor Duration	00:00:15

OS Process Information

Information	Value
PID	0x6e0
Parent PID	0x23c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	LHNIWSJ\CIiHmnxMn6Ps
Groups	LHNIWSJ\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account and member of Administrators group (USE_FOR_DENY_ONLY) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Local account (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00018798 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B8C 0x B6C 0x B64 0x 9F0 0x 848 0x 83C 0x 838 0x 4FC 0x 5B4 0x 4CC 0x B2C 0x 99C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
pagefile_0x000000fa39370000	0xfa39370000	0xfa3937ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000fa39380000	0xfa39380000	0xfa39380fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa39390000	0xfa39390000	0xfa393a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000fa393b0000	0xfa393b0000	0xfa3942ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa39430000	0xfa39430000	0xfa39433fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000fa39440000	0xfa39440000	0xfa39441fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000fa39450000	0xfa39450000	0xfa39451fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0xfa39460000	0xfa3951dfff	Memory Mapped File	Readable	Region Actions
private_0x000000fa39520000	0xfa39520000	0xfa39520fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa39530000	0xfa39530000	0xfa39530fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000fa39540000	0xfa39540000	0xfa39540fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000fa39550000	0xfa39550000	0xfa39556fff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa39560000	0xfa39560000	0xfa395dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa395e0000	0xfa395e0000	0xfa395e2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000fa395f0000	0xfa395f0000	0xfa395f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000fa39600000	0xfa39600000	0xfa396fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa39700000	0xfa39700000	0xfa3977ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa39780000	0xfa39780000	0xfa397fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa39800000	0xfa39800000	0xfa3987ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa39880000	0xfa39880000	0xfa39880fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000fa39890000	0xfa39890000	0xfa39896fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa398a0000	0xfa398a0000	0xfa398c9fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000fa398d0000	0xfa398d0000	0xfa398d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000fa398e0000	0xfa398e0000	0xfa398e8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa398f0000	0xfa398f0000	0xfa398f1fff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa39900000	0xfa39900000	0xfa399fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa39a00000	0xfa39a00000	0xfa39b87fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000fa39b90000	0xfa39b90000	0xfa39d10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000fa39d20000	0xfa39d20000	0xfa3b11ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0xfa3b120000	0xfa3b456fff	Memory Mapped File	Readable	Region Actions
private_0x000000fa3b460000	0xfa3b460000	0xfa3b4dffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b4e0000	0xfa3b4e0000	0xfa3b55ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b590000	0xfa3b590000	0xfa3b596fff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b600000	0xfa3b600000	0xfa3b6fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b700000	0xfa3b700000	0xfa3b7fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b800000	0xfa3b800000	0xfa3b87ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b880000	0xfa3b880000	0xfa3b8fffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b900000	0xfa3b900000	0xfa3b97ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3b980000	0xfa3b980000	0xfa3b9fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000fa3ba00000	0xfa3ba00000	0xfa3ba91fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x000000fa3baa0000	0xfa3baa0000	0xfa3bc9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3bb00000	0xfa3bb00000	0xfa3bbfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3bc00000	0xfa3bc00000	0xfa3bdfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3bc00000	0xfa3bc00000	0xfa3bcfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3bd00000	0xfa3bd00000	0xfa3befffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3bd00000	0xfa3bd00000	0xfa3bdfffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3be00000	0xfa3be00000	0xfa3bffffff	Private Memory	Readable, Writable	Region Actions
private_0x000000fa3be00000	0xfa3be00000	0xfa3befffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007df5ff7f0000	0x7df5ff7f0000	0x7ff5ff7effff	Pagefile Backed Memory	-	Region Actions
ntoskrnl.exe	0x7ff644bc0000	0x7ff645411fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ff67ce16000	0x7ff67ce16000	0x7ff67ce17fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67ce18000	0x7ff67ce18000	0x7ff67ce19fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67ce1a000	0x7ff67ce1a000	0x7ff67ce1bfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67ce1c000	0x7ff67ce1c000	0x7ff67ce1dfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67ce1e000	0x7ff67ce1e000	0x7ff67ce1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00007ff67ce20000	0x7ff67ce20000	0x7ff67cf1ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00007ff67cf20000	0x7ff67cf20000	0x7ff67cf42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00007ff67cf43000	0x7ff67cf43000	0x7ff67cf44fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf45000	0x7ff67cf45000	0x7ff67cf46fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf47000	0x7ff67cf47000	0x7ff67cf48fff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf49000	0x7ff67cf49000	0x7ff67cf4afff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf4b000	0x7ff67cf4b000	0x7ff67cf4cfff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf4d000	0x7ff67cf4d000	0x7ff67cf4efff	Private Memory	Readable, Writable	Region Actions
private_0x00007ff67cf4f000	0x7ff67cf4f000	0x7ff67cf4ffff	Private Memory	Readable, Writable	Region Actions
runtimebroker.exe	0x7ff67d5a0000	0x7ff67d5b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.networking.hostname.dll	0x7ffb525e0000	0x7ffb52617fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authbroker.dll	0x7ffb530d0000	0x7ffb530f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msauserext.dll	0x7ffb53100000	0x7ffb53119fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.security.authentication.onlineid.dll	0x7ffb53190000	0x7ffb53242fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.internal.shell.broker.dll	0x7ffb53f10000	0x7ffb53fa1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwapi.dll	0x7ffb55310000	0x7ffb55325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.networking.connectivity.dll	0x7ffb553a0000	0x7ffb5544bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tokenbroker.dll	0x7ffb574c0000	0x7ffb57585fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
execmodelproxy.dll	0x7ffb57770000	0x7ffb57784fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
execmodelclient.dll	0x7ffb57990000	0x7ffb579d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7ffb57bf0000	0x7ffb58059fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7ffb58370000	0x7ffb58616fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
idstore.dll	0x7ffb58b80000	0x7ffb58ba6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7ffb59af0000	0x7ffb59afdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x7ffb5a1a0000	0x7ffb5a1fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7ffb5a510000	0x7ffb5a54efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.ui.immersive.dll	0x7ffb5b850000	0x7ffb5ba06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mrmcorer.dll	0x7ffb5ce30000	0x7ffb5cf3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintypes.dll	0x7ffb60640000	0x7ffb60770fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7ffb60780000	0x7ffb6079bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7ffb60b80000	0x7ffb60b97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7ffb60c60000	0x7ffb60de2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmdevapi.dll	0x7ffb60df0000	0x7ffb60e61fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7ffb60f50000	0x7ffb60f65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7ffb61880000	0x7ffb6188afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7ffb618a0000	0x7ffb618d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7ffb61d70000	0x7ffb61d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x7ffb61e00000	0x7ffb61e24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7ffb61e30000	0x7ffb61e55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
coremessaging.dll	0x7ffb62300000	0x7ffb623c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7ffb62920000	0x7ffb629b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7ffb629c0000	0x7ffb629e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
twinapi.appcore.dll	0x7ffb62b00000	0x7ffb62bedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7ffb632a0000	0x7ffb632abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7ffb63510000	0x7ffb63542fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7ffb63600000	0x7ffb6361efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7ffb63920000	0x7ffb63936fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7ffb63a90000	0x7ffb63a9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7ffb63c70000	0x7ffb63c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7ffb63e70000	0x7ffb63e97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7ffb63ea0000	0x7ffb63f0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7ffb63f10000	0x7ffb63fa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7ffb64050000	0x7ffb64062fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7ffb64070000	0x7ffb640b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x7ffb640c0000	0x7ffb640cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7ffb640d0000	0x7ffb640e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7ffb640f0000	0x7ffb64133fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x7ffb64140000	0x7ffb64767fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7ffb64770000	0x7ffb64930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7ffb64a50000	0x7ffb64c2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shcore.dll	0x7ffb64c30000	0x7ffb64ce2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7ffb64cf0000	0x7ffb64dadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7ffb64f80000	0x7ffb65104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7ffb65110000	0x7ffb66634fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7ffb66640000	0x7ffb66765fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x7ffb66770000	0x7ffb66777fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7ffb66780000	0x7ffb667b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x7ffb667c0000	0x7ffb6690dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7ffb66b30000	0x7ffb66b80fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x7ffb66bf0000	0x7ffb66e6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7ffb66e70000	0x7ffb66fb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7ffb67020000	0x7ffb670c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x7ffb670d0000	0x7ffb6717cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7ffb672d0000	0x7ffb6736cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7ffb67390000	0x7ffb67397fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7ffb673a0000	0x7ffb67445fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7ffb67450000	0x7ffb675abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7ffb675c0000	0x7ffb6761afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x7ffb67620000	0x7ffb677e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Create Remote Thread	#19: c:\windows\explorer.exe	0x9e4	address = 0x7ffb67629fa0	1	Fn
Modify Memory	#19: c:\windows\explorer.exe	0x9e4	address = 0x7ffb67629fa0, size = 4	2	Fn Data
Modify Memory	#19: c:\windows\explorer.exe	0x9e4	address = 0xfa3ba00000, size = 598016	1	Fn
Modify Memory	#19: c:\windows\explorer.exe	0x9e4	address = 0xfa398d0000, size = 792	1	Fn Data
Modify Control Flow	#19: c:\windows\explorer.exe	0x9e4	os_tid = 0xb2c, address = 0x0	1	Fn

Threads

Thread 0xb2c

(Host: 209, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = ntdll.dll, base_address = 0x0	1	Fn
Module	Get Address	function = _snprintf, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = sprintf, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwOpenProcess, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwOpenProcessToken, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwClose, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwQueryInformationToken, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = strcpy, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = NtQuerySystemInformation, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = memcpy, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = _wcsupr, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = _strupr, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = memmove, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = memset, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = wcscpy, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ZwQueryKey, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = wcstombs, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = mbstowcs, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RtlImageNtHeader, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = NtMapViewOfSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = NtCreateSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = __C_specific_handler, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = __chkstk, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = CreateFileMappingA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetFilePointerEx, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = QueueUserWorkItem, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = VirtualProtectEx, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetComputerNameW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FindNextFileA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CompareFileTime, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FindFirstFileA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetFileTime, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetCurrentProcessId, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = QueryPerformanceCounter, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetModuleFileNameA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetLastError, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = HeapFree, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RemoveDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CloseHandle, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateFileA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = DeleteFileA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcpyA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrlenA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcatA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = WriteFile, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = HeapAlloc, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = HeapDestroy, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = HeapCreate, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetEvent, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = HeapReAlloc, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = WaitForSingleObject, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SuspendThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenProcess, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ResumeThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcpyW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcmpiW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetModuleHandleA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateFileW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SwitchToThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcatW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = Sleep, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetTickCount, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetWaitableTimer, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CopyFileW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetCurrentThreadId, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetCurrentThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = DuplicateHandle, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrlenW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateEventA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = DeleteFileW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateDirectoryW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetTempPathA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcmpiA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = WaitForMultipleObjects, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcmpA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ResetEvent, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateMutexA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenWaitableTimerA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = MapViewOfFile, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenMutexA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ReleaseMutex, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetVersionExA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateWaitableTimerA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetLastError, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = InitializeCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = EnterCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = LeaveCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = UnregisterWait, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RegisterWaitForSingleObject, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = TlsAlloc, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = TlsGetValue, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = LoadLibraryExW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = TlsSetValue, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetDriveTypeW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = WideCharToMultiByte, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenFileMappingA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetExitCodeProcess, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = LocalFree, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateProcessA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetFileSize, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = lstrcpynA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = Thread32First, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = QueueUserAPC, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenThread, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = Thread32Next, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ConnectNamedPipe, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetOverlappedResult, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CancelIo, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = DisconnectNamedPipe, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FlushFileBuffers, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CallNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = CreateNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetSystemTime, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = WaitNamedPipeA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ReadFile, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SleepEx, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = OpenEventA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = LocalAlloc, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FreeLibrary, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RaiseException, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = VirtualFree, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetModuleFileNameW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetVersion, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetLocalTime, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = QueryPerformanceFrequency, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = DeleteCriticalSection, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetTempFileNameA, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FindNextFileW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetEndOfFile, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = SetFilePointer, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FindFirstFileW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = RemoveDirectoryW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = GetFileAttributesW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = FindClose, ordinal = 0, address_out = 0xfa3b9ffb60	1	Fn
Module	Load	module_name = OLEAUT32.dll, base_address = 0x0	1	Fn
Module	Get Address	function = 0, ordinal = 9, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = 0, ordinal = 6, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = 0, ordinal = 2, address_out = 0xfa3b9ffb60	1	Fn
Module	Get Address	function = 0, ordinal = 8, address_out = 0xfa3b9ffb60	1	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:41 (UTC)	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	module_name = OLEAUT32.dll, process_name = c:\windows\system32\runtimebroker.exe, file_name_orig = C:\Windows\System32\RuntimeBroker.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x7ffb670ee960	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x7ffb673a0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb673bd610	1	Fn
Module	Load	module_name = SHLWAPI.dll, base_address = 0x7ffb66b30000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrRChrA, address_out = 0x7ffb66b44dd0	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x7ffb667c0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x7ffb667e2610	1	Fn
Mutex	Create	mutex_name = {67DC9F31-9A2E-31AD-DC8B-6EF5D0EF82F9}	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb64a50000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = GetUserNameA, address_out = 0x7ffb673cec40	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb67620000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb673a0000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb670d0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Get Handle	module_name = c:\windows\system32\advapi32.dll, base_address = 0x7ffb673a0000	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x7ffb66770000	1	Fn
Module	Get Address	module_name = c:\windows\system32\psapi.dll, function = EnumProcessModules, address_out = 0x7ffb66771040	1	Fn
Process	Get Info	type = PROCESS_BASIC_INFORMATION	63	Fn
System	Get Time	type = System Time, time = 2017-12-11 05:44:41 (UTC)	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyA, address_out = 0x7ffb673bb9e0	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x7ffb673b7dd0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Ini, type = REG_NONE	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7ffb673b72e0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrToIntExA, address_out = 0x7ffb66b44e70	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrChrA, address_out = 0x7ffb66b44cc0	1	Fn
Module	Get Address	module_name = c:\windows\system32\shlwapi.dll, function = StrTrimA, address_out = 0x7ffb66b44e80	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x7ffb673e6dc0	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Client, type = REG_BINARY	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\07430283-BA24-D1EC-FC2B-8E95F08FA299, value_name = Scr, type = REG_NONE	1	Fn

Thread 0x99c

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Sleep	duration = -1 (infinite)		1	Fn