Sample details: ddd9d72f79e16464fbc0248b2768a473

Hashes
MD5: ddd9d72f79e16464fbc0248b2768a473
SHA1: 4e9b5452c00b069d363c7d429c1f2b62c203d84b
SHA256: 9680f3bcae582fb3e92e78f258305730b7e4a440444c7264a3c7c71b089350cb
SSDEEP: 24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvY:oEs1ha
Details
File Type: PE32
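Yara Hits (generic packer and capability rules; the list matches both Borland Delphi and Microsoft Visual C++ MFC signatures, so treat the hits as triage indicators, not as a compiler or family identification)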
YRP/Borland_Delphi_40_additional | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_Setup_Module | YRP/Borland_Delphi_40 | YRP/Borland_Delphi_v40_v50 | YRP/BobSoft_Mini_Delphi_BoB_BobSoft_additional | YRP/Borland_Delphi_v60_v70 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/Borland | YRP/BobSoftMiniDelphiBoBBobSoft | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/borland_delphi | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Browsers | YRP/Dropper_Strings | YRP/SEH__vba | YRP/anti_dbg | YRP/network_dropper | YRP/screenshot | YRP/keylogger | YRP/spreading_file | YRP/win_mutex | YRP/win_registry | YRP/win_private_profile | YRP/win_files_operation | YRP/win_hook | YRP/Big_Numbers3 | YRP/Delphi_FormShow | YRP/Delphi_CompareCall | YRP/Delphi_Copy | YRP/Delphi_StrToInt | YRP/Delphi_DecodeDate | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/suspicious_packer_section | YRP/CAP_HookExKeylogger |
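Strings (raw extraction from the whole file, short fragments included; the API-log format strings, the `C:\cuckoo\` path and the `cmonitor.pdb` path further down appear to come from an embedded API-monitoring component, so confirm which part of the file an import or string belongs to before attributing it to the sample's own logic)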
		_^[Y_]
Olx$co
n]h$XA
Eu<E4&
-&pGjd
8t=,#xh
XY]H]&
bAYm?D}
<7YG<X[C,
+K'lQDEuttBl
	{<t+(
(kttIn
ttLsO9 
>[P6tr
8c)||3
?]q0I*
=Wq:aOZ
Q_^[HPF$
lIq_^[C
j,->+;
3C\T0Ct
|,9@uY
<$d22GC0<C
;W2n	^s2
.rland\Delphi\Locales
_^[YY]
;IA@$Qgg
W$t?'s
odInactive	odNoAccel
4sFect
$ReF%rzP$1
Z$RqF%r~P$2^]$C
9Em=&b0.
TOwnerDrawState
t?wf,A
E$Y#Eu
4a~|,^
E|^w@3
+(1)HPM
Y]CzQ5$
rUtiBs
l2@F9_
Y/v=E1na|5cd
de0p4$
{v'cR)l@
Et:ROC
<m<!*h
$^u)Sh
uDM$v@
yYYYd	m
Xj98u`pvE
_^[YY]
vN1S]I
paLc)z4
	0tQX 
*v=@.a
0dOeeM&
;<P48R
c!+B&|
@drtzv
a@LPjUcr-;/
Yu8{P!
RhJ'R'
~/dYY]
LY^^[H
Fxu9+-
gJN3sD
tSk|ka
c$G)t-
a)Pt'@
C(Amu/
sS\_H%
J^^[{+7
_^[YY]
S	_^[]
TPUtilWindow
TColor
EInvalidGraphicp
EInvalidGraphicOperation
TFontPitch
	fpDefault
fpVariable
fpFixed
Graphics
	TFontName
TFontCharset
TFontStyle
fsBold
fsItalic
fsUnderline
fsStrikeOut
Graphics
TFontStyles
	TPenStyle
psSolid
psDash
psDot	psDashDot
psDashDotDot
psClear
psInsideFrame
Graphics
TPenMode
pmBlack
pmWhite
pmCopy	pmNotCopy
pmMergePenNot
pmMaskPenNot
pmMergeNotPen
pmMaskNotPen
pmMerge
pmNotMerge
pmMask	pmNotMask
pmNotXor
Graphics
TBrushStyle
bsSolid
bsClear
bsHorizontal
bsVertical
bsFDiagonal
bsBDiagonal
bsCross
bsDiagCross
Graphics
TGraphicsObjectx
TGraphicsObjectP
Graphics
IChangeNotifier$
Graphics
TFontT
TFont$
Graphics
Charset
Color<
Height
Pitch<
Graphics
Style<
TBrush
TBrush
Graphics
TCanvas
TCanvasd
Graphics
Brush<
CopyModeP
TProgressStage
psStarting	psRunning
psEnding
Graphicst
TProgressEvent
Sender
TObject
TProgressStage
PercentDone
	RedrawNow
Boolean
String
TGraphic
TGraphic
Graphics
TPicture
TPicture
Graphics
TSharedImage
TMetafileImage
	TMetafile
	TMetafile
Graphics
TBitmapImage
TBitmap<
TBitmap
Graphics
TIconImage
Graphics
TResourceManager
_^[YY]
clBlack
clMaroon
clGreen
clOlive
clNavy
clPurple
clTeal
clGray
clSilver
clLime
clYellow
clBlue
clFuchsia
clAqua
clWhite
clMoneyGreen
clSkyBlue
clCream
clMedGray
clActiveBorder
clActiveCaption
clAppWorkSpace
clBackground
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clDefault
clGradientActiveCaption
clGradientInactiveCaption
clGrayText
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clMenu
clMenuBar
clMenuHighlight
clMenuText
clNone
clScrollBar
cl3DDkShadow
cl3DLight
clWindow
clWindowFrame
clWindowText
ANSI_CHARSET
DEFAULT_CHARSET
SYMBOL_CHARSET
MAC_CHARSET
SHIFTJIS_CHARSET
HANGEUL_CHARSET
JOHAB_CHARSET
GB2312_CHARSET
CHINESEBIG5_CHARSET
GREEK_CHARSET
TURKISH_CHARSET
HEBREW_CHARSET
ARABIC_CHARSET
BALTIC_CHARSET
RUSSIAN_CHARSET
THAI_CHARSET
EASTEUROPE_CHARSET
OEM_CHARSET
Default
E$PVSj
_^[YY]
C ;C$s
TFileFormat
TFileFormatsList
QQQQSV
TClipboardFormats
_^[YY]
kD$TdP
kD$PdP
D$LPkD$XdPV
D$HPkD$TdPV
|$( EMFt
TBitmapCanvas
TBitmapCanvas
Graphics
_^[YY]
s(;~ t8
C(_^[Y]
TPatternManagerSV
_^[YY]
TObjectList
TOrderedList
TStack
GetMonitorInfoA
GetSystemMetrics
MonitorFromRect
MonitorFromWindow
MonitorFromPoint
GetMonitorInfo
DISPLAY
GetMonitorInfoA
DISPLAY
GetMonitorInfoW
DISPLAY
EnumDisplayMonitors
USER32.DLL
IHelpSelector$
:	HelpIntfs
IHelpSystem$
:	HelpIntfs
ICustomHelpViewer$
:	HelpIntfs	
IExtendedHelpViewer
:	HelpIntfs
ISpecialWinHelpViewer
:	HelpIntfs
IHelpManager$
:	HelpIntfs
EHelpSystemException
THelpViewerNode
THelpManager
comctl32.dll
InitializeFlatSB
UninitializeFlatSB
FlatSB_GetScrollProp
FlatSB_SetScrollProp
FlatSB_EnableScrollBar
FlatSB_ShowScrollBar
FlatSB_GetScrollRange
FlatSB_GetScrollInfo
FlatSB_GetScrollPos
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_SetScrollRange
TSynchroObject
TCriticalSection
uxtheme.dll
OpenThemeData
CloseThemeData
DrawThemeBackground
DrawThemeText
GetThemeBackgroundContentRect
GetThemePartSize
GetThemeTextExtent
GetThemeTextMetrics
GetThemeBackgroundRegion
HitTestThemeBackground
DrawThemeEdge
DrawThemeIcon
IsThemePartDefined
IsThemeBackgroundPartiallyTransparent
GetThemeColor
GetThemeMetric
GetThemeString
GetThemeBool
GetThemeInt
GetThemeEnumValue
GetThemePosition
GetThemeFont
GetThemeRect
GetThemeMargins
GetThemeIntList
GetThemePropertyOrigin
SetWindowTheme
GetThemeFilename
GetThemeSysColor
GetThemeSysColorBrush
GetThemeSysBool
GetThemeSysSize
GetThemeSysFont
GetThemeSysString
GetThemeSysInt
IsThemeActive
IsAppThemed
GetWindowTheme
EnableThemeDialogTexture
IsThemeDialogTextureEnabled
GetThemeAppProperties
SetThemeAppProperties
GetCurrentThemeName
GetThemeDocumentationProperty
DrawThemeParentBackground
EnableTheming
TCommonDialog
TCommonDialog
Dialogs
HelpContext
OnClose
OnShowSV
TMessageForm
TMessageForm
Dialogs
_^[YY]
%s%s%s%s%s%s%s%s%s%s
Cancel
Ignore
NoToAll
YesToAll
Message
commdlg_help
commdlg_FindReplace
WndProcPtr%.8X%.8X
TImage
TImagex
ExtCtrls
Alignd>C
Anchors
AutoSize
Center
Constraints$7C
DragCursor
DragKind8=C
DragMode
Enabled
IncrementalDisplay
ParentShowHintP
Picture
	PopupMenu
Proportional
ShowHint
Stretch
Transparent
Visible
OnClick
OnContextPopup
OnDblClick
OnDragDrop,AC
OnDragOver\BC
	OnEndDock\BC
	OnEndDrag
OnMouseDown@@C
OnMouseMove
	OnMouseUpp
OnProgress
OnStartDock
OnStartDrag
TTimer
TTimer
ExtCtrls
Enabled|
Interval
OnTimerU
Delphi Picture
Delphi Component
EIniFileException
TCustomIniFile
TIniFile
_^[YY]
ERegistryException
	TRegistryS
MAPI32.DLL
TConversion
TConversionFormat
comctl32.dll
TThemeServices
Theme manager 
 2001, 2002 Mike Lischke
 !"#$%
TTextLayout
tlCenter
tlBottom
StdCtrls
TCustomLabel
TCustomLabelx
StdCtrls
TLabel
TLabel
StdCtrls'
AligndKA
	Alignmentd>C
Anchors
AutoSize
BiDiMode
Caption
Constraints$7C
DragCursor
DragKind8=C
DragMode
Enabled
FocusControlP
ParentBiDiMode
ParentColor
ParentFont
ParentShowHint
	PopupMenu
ShowAccelChar
ShowHint
Transparent
Layout
Visible
WordWrap
OnClick
OnContextPopup
OnDblClick
OnDragDrop,AC
OnDragOver\BC
	OnEndDock\BC
	OnEndDrag
OnMouseDown@@C
OnMouseMove
	OnMouseUp
OnMouseEnter
OnMouseLeave
OnStartDock
OnStartDragP
TCustomEdit
TCustomEditP
StdCtrls
TabStop
TScrollStyle
ssNone
ssHorizontal
ssVertical
ssBoth
StdCtrls
TCustomMemo
TCustomMemo\
StdCtrls
StdCtrls8
AligndKA
	Alignmentd>C
Anchors
BevelEdges
BevelInner
	BevelKind
BevelOuter
BiDiMode<
BorderStyle
Constraints
Ctl3D$7C
DragCursor
DragKind8=C
DragMode
EnabledP
HideSelection<LC
ImeMode
ImeNamePVA
Lines<
	MaxLength
OEMConvert
ParentBiDiMode
ParentColor
ParentCtl3D
ParentFont
ParentShowHint
	PopupMenu
ReadOnly
ScrollBars
ShowHint
TabOrder
TabStop
Visible
WantReturns
WantTabs
WordWrap
OnChange
OnClick
OnContextPopup
OnDblClick
OnDragDrop,AC
OnDragOver\BC
	OnEndDock\BC
	OnEndDrag
OnEnter
OnExit
	OnKeyDown
OnKeyPress
OnKeyUp
OnMouseDown@@C
OnMouseMove
	OnMouseUp
OnStartDock
OnStartDrag
TButtonActionLink
TButtonControl
TButtonControl
StdCtrls
TButton
TButton|
StdCtrls&
Actiond>C
Anchors
BiDiMode
Cancel
Caption
Constraints
Default$7C
DragCursor
DragKind8=C
DragMode
EnabledP
ModalResult
ParentBiDiMode
ParentFont
ParentShowHint
	PopupMenu
ShowHint
TabOrder
TabStop
Visible
WordWrap
OnClick
OnContextPopup
OnDragDrop,AC
OnDragOver\BC
	OnEndDock\BC
	OnEndDrag
OnEnter
OnExit
	OnKeyDown
OnKeyPress
OnKeyUp
OnMouseDown@@C
OnMouseMove
	OnMouseUp
OnStartDock
OnStartDragL
TMemoStrings
TMemoStringsL
StdCtrls
GH+D$	
_^[YY]
_^[YY]
BUTTON
THintAction0)C
THintAction
StdActns
TWinHelpViewer
_^[YY]
_^[YY]
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
_^[YY]
MS_WINHELP
#32770
TModalResult
TCursor
TAlign
alNone
alBottom
alLeft
alRight
alClient
alCustom
Controls
TDragObject
TDragObject
Controls
TBaseDragControlObject
TBaseDragControlObject
Controls
TDragControlObject
TDragControlObjectEx
TDragDockObject
TDragDockObjecth:C
Controls
TDragDockObjectEx
TControlCanvas
TControlCanvas
Controls
TControlActionLink
TMouseButton
mbLeft
mbRight
mbMiddle
Controls<=C
	TDragMode
dmManual
dmAutomatic
Controls
TDragState
dsDragEnter
dsDragLeave
dsDragMove
Controls
	TDragKind
dkDrag
dkDock
Controls
	TTabOrder
TCaption
TAnchorKind
akLeft
akRight
akBottom
Controls
TAnchors
TConstraintSize
TSizeConstraints
TSizeConstraints
Controls
	MaxHeightx>C
MaxWidthx>C
	MinHeightx>C
MinWidth
TMouseEvent
Sender
TObject
Button
TMouseButton
TShiftState
Integer
Integer
TMouseMoveEvent
Sender
TObject
TShiftState
Integer
Integer
	TKeyEvent
Sender
TObject
TShiftState
TKeyPressEvent
Sender
TObject
TDragOverEvent
Sender
TObject
Source
TObject
Integer
Integer
TDragState
Accept
Boolean
TDragDropEvent
Sender
TObject
Source
TObject
Integer
Integer
TStartDragEvent
Sender
TObject	
DragObject
TDragObject
TEndDragEvent
Sender
TObject
Target
TObject
Integer
Integer
TDockDropEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDockOverEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDragState
Accept
Boolean
TUnDockEvent
Sender
TObject
Client
TControl
	NewTarget
TWinControl
Boolean
TStartDockEvent
Sender
TObject	
DragObject
TDragDockObject
TGetSiteInfoEvent
Sender
TObject
DockClient
TControl
InfluenceRect
MousePos
TPoint
CanDock
Boolean
TCanResizeEvent
Sender
TObject
NewWidth
Integer
	NewHeight
Integer
Resize
Boolean
TConstrainedResizeEvent
Sender
TObject
MinWidth
Integer
	MinHeight
Integer
MaxWidth
Integer
	MaxHeight
Integer
TMouseWheelEvent
Sender
TObject
TShiftState
WheelDelta
Integer
MousePos
TPoint
Handled
Boolean
TMouseWheelUpDownEvent
Sender
TObject
TShiftState
MousePos
TPoint
Handled
Boolean
TContextPopupEvent
Sender
TObject
MousePos
TPoint
Handled
Boolean
TControl
TControl
Controls	
Width<
Height$7C
Cursor
HelpType
HelpKeyword
HelpContext
TWinControlActionLink
TImeMode
	imDisable
imClose
imOpen
imDontCare
imSAlpha
imAlpha
imHira
imSKata
imKata	imChinese
imSHanguel	imHanguel
Controls
TImeName
TBorderWidth
	TBevelCut
bvNone	bvLowered
bvRaised
bvSpace
Controls
TBevelEdge
beLeft
beRight
beBottom
Controls
TBevelEdges
TBevelKind
bkNone
bkTile
bkSoft
bkFlat
Controls
IDockManager$
Controls
TWinControl
TWinControl`NC
Controls
TGraphicControl
TGraphicControl<RC
Controls
TCustomControl
TCustomControl\SC
Controls
THintWindow
THintWindow
Controls
	TDockZone
	TDockTree
TMouse
crDefault
crArrow
crCross
crIBeam
crSizeNESW
crSizeNS
crSizeNWSE
crSizeWE
crUpArrow
crHourGlass
crDrag
crNoDrop
crHSplit
crVSplit
crMultiDrag
crSQLWait
crAppStart
crHelp
crHandPoint
crSizeAll
crSize
	TSiteList
_^[YY]
S$_^[]
YZ]_^[
t%Jt?Jt[
%s (%s)
YZ]_^[
u$;~|u
tr;s@u
;CLtX3
_^[YY]
;s0t=;
IsControl
_^[YY]
_^[YY]
+WH+W@
:GauOFKu
DesignSize
_^[YY]
_^[YY]
seD[7,D
&erline
fsStri'
Graphio
2Ssc*d
uJpjN}
dt-N?eOp
\"soB&nf}7
EpjA11
pmNotXor
Fbgf/l)
Db#q,e
@Lb'L+rI
en{*ce}Hb
FbwO1o
*iQsG1
bkectP
IChang
Notijil3Hx'nlDM
uPoSi~
DChlg5~^3h
Pituh;U.a
H-nurolP
$ntw)Dex/du5P@
oh;"e~
{2Mdnu
Rtyle<
hnwAccel
.wHint
,5KTbT.sdT2efA
5e tPo
3a`C&,
`'r]BC
Eock\BC
npyMode
neDrag
OnMous
Xal*oMousgMovM<~C
og	psRu
UProgre
TProgr
{3hQy0
.rEzon
	(cqYFsgw/t`=
}JTS@3t{X
Btp"BC
HAkn3,
FAnchors
HBevelKind
5JBqC%lG@4e"
&e.c6y\
5raif3
&CQrso
Khups	
	00# k
clMaro
clOliv
Xellow
tchsia
On(	8$
mWhite
clSkyB
mMedGra
u2&Bosd
skSpace
clBtnFace
tBHig4'*ghA@
tff(a4]7
clHighliol7
k/ikjtTq67
	o`y)g
clWindow
<3A0-4E
^tdC3 )6m_
C_E	"&:*:d
.66ED@
SUSSIAN
CHAR]ERC
 # ,:<Co
3YUh`t
4Cumtw,
vo3XY]FB"Q
c{a,tt
HCPhC;
>e*$8P
A>o` 9
*Tc<M?
|BF+s*'
qhB.CU
c[[9= d
R"pUZvX
{K1OOE
\ClJCPXVBdF
(9Bt~t
?%W3BI
,P}9B5
iR@drpd
rent.se`Send
*PXfXP
?~gHl{
Cve1*[
Ta6':H
eqCuxw
g;kXUXx
D/S22h
\1G|1?
$~x.~5
t%; f'I
SPh?"S
93/v,	
<D]XYd
JfKD:[
,R}'ts
xJYYda
ozPbAD3
U,8.>D
Eu#m"U
H1Yav<`
zMnt?)X[<o
cr-v8+
cR&%tp
$ )t8U~
'TavK9
wvc0+~G
-L6tuS
Hdme u
Pnund&k
ckg)6(
tTheme
LmVa@uM
0seU Ks 
mePar68
H1MCv<`
vU;SLqW
-Omose
Uv5n9 z
?Oc:#b
c,Tnvo
P~XYdN
x DPp	z
	Ext7h
3@UYR'
k}j<tK
Ww'){\
tkh^^[
t(	Tv,H/Al
<cZXv8+
bW^^[5
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
kernel32.dll
lstrcpyA
WritePrivateProfileStringA
WriteFile
WinExec
WaitForSingleObject
VirtualQuery
VirtualAlloc
UnmapViewOfFile
SizeofResource
SetThreadLocale
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ResetEvent
ReadFile
MultiByteToWideChar
MulDiv
MoveFileA
MapViewOfFile
LockResource
LocalFree
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetVersionExA
GetVersion
GetTickCount
GetThreadLocale
GetTempPathA
GetSystemInfo
GetSystemDirectoryA
GetStringTypeExA
GetStdHandle
GetShortPathNameA
GetProcAddress
GetPrivateProfileStringA
GetModuleHandleA
GetModuleFileNameA
GetLogicalDriveStringsA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetExitCodeThread
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetCPInfo
GetACP
FreeResource
InterlockedIncrement
InterlockedExchange
InterlockedDecrement
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
EnumCalendarInfoA
EnterCriticalSection
DeleteFileA
DeleteCriticalSection
CreateThread
CreateFileA
CreateEventA
CopyFileA
CompareStringA
CloseHandle
version.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
gdi32.dll
UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWinMetaFileBits
SetViewportOrgEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SaveDC
RestoreDC
Rectangle
RectVisible
RealizePalette
PlayEnhMetaFile
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPointA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipBox
GetBrushOrgEx
GetBitmapBits
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt
user32.dll
CreateWindowExA
WindowFromPoint
WinHelpA
WaitMessage
UpdateWindow
UnregisterClassA
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
ShowCursor
SetWindowsHookExA
SetWindowTextA
SetWindowPos
SetWindowPlacement
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetForegroundWindow
SetFocus
SetCursor
SetClipboardData
SetClassLongA
SetCapture
SetActiveWindow
SendMessageA
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageA
OpenClipboard
OffsetRect
OemToCharA
MsgWaitForMultipleObjects
MessageBoxA
MessageBeep
MapWindowPoints
MapVirtualKeyA
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageA
IsChild
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDesktopWindow
GetDCEx
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassInfoA
GetCapture
GetActiveWindow
FrameRect
FindWindowA
FillRect
ExitWindowsEx
EqualRect
EnumWindows
EnumThreadWindows
EndPaint
EnableWindow
EnableScrollBar
EnableMenuItem
EmptyClipboard
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawEdge
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
CloseClipboard
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
CharNextA
CharLowerBuffA
CharLowerA
CharUpperBuffA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
kernel32.dll
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
ole32.dll
OleUninitialize
OleInitialize
CoCreateInstance
CoUninitialize
CoInitialize
oleaut32.dll
GetErrorInfo
SysFreeString
comctl32.dll
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetDragImage
ImageList_DragShowNolock
ImageList_SetDragCursorImage
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
shell32.dll
SHGetSpecialFolderLocation
SHGetPathFromIDListA
ADVAPI32.DLL
SetSecurityInfo
SetEntriesInAclA
GetSecurityInfo
333333333333333333
33333333?333333
333338
33333833
333838
3333339
3333333333333338
333333333333333333
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*"*"$3338
"*"$33
:33:"$
"C8338
"J"C3333
3333:"$
#33338
"J333333
33333:"$3333338
333333
$3333333
333333:"33333338
3333333
33333333
333333333333333333
33333333?333333
333338
33333833
333838
3333339
3333333333333338
333333333333333333
33DDDDD3333
33333333333
333333?
333333
333333
3333f3333333?
3336Dc3333338
333>fC333333
c333333
3333333333338
3333Dc3333333
3336fC3333338
333>fC333333
333>fd333333
fC33333
3333>fd333338
fC333?3
33fd3>fC333
fDFfC338
33>ffffc338
fff3333
3333333333338
4DF334DC33
333*C33
c33*C333
33338?383
F*F333383
"$c33333
"dc3333833
CjC338
CjC338
D*C33383
C33333833?33
3333333
3334JC33333338?333
C3333333
C3333333
3333fc33333338
333333333333?
33333?
333333
333333333333333333
333333333333333333
333333333333
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
3333:"$3333338
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
333DDD33333?
2C4"""D338
2$B""""C38
2""333:"C8
2""#33:DC8
333338
333333333333333
333333DDD3
:DC33:""$8
:"C333
$334B"$3
"DDB""$3
3:"""""
333333
333333333333333333
333333333333333333
333333333333
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
3333:"$3333338
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
33333333
HelpMe
'KillandHide
(ShlObj
System
SysInit
KWindows
UTypes
sActiveX
3Messages
CommCtrl
*ShellAPI
RegStr
?WinInet
UrlMon
FComObj
qComConst
CVariants
SysConst
$VarUtils
SysUtils
Dialogs
ExtCtrls
Consts
5Themes
nComCtrls
Printers
WWinSpool
^Classes
"RTLConsts
QTypInfo
+Graphics
FlatSB
StdActns
Clipbrd
YStrUtils
&Controls
MultiMon
vMenus
Contnrs
ImgList
EActnList
dStdCtrls
WinHelpViewer
RHelpIntfs
ComStrs
ExtActns
ExtDlgs
3CommDlg
Buttons
8Registry
IniFiles
CUxTheme
SyncObjs
RichEdit
ToolWin
ListActns
AAccCtrl
AclAPI
TlHelp32
Un_Main
TPF0	TFrm_Main
Frm_Main
AlphaBlend	
AlphaBlendValue
BorderIcons
BorderStyle
bsNone
ClientHeight
ClientWidth
	clBtnFace
Font.Charset
DEFAULT_CHARSET
Font.Color
clWindowText
Font.Height
	Font.Name
MS Sans Serif
Font.Style
OldCreateOrder
Position
poScreenCenter
OnCreate
FormCreate
PixelsPerInch
TextHeight
Height
TabOrder
TTimer
Interval
OnTimer
	tmr1Timer
VirtualAlloc
VirtualFree
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
 (08@P`p
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll
advapi32.dll
oleaut32.dll
advapi32.dll
version.dll
gdi32.dll
user32.dll
oleaut32.dll
ole32.dll
oleaut32.dll
comctl32.dll
shell32.dll
advapi32.dll
GetKeyboardType
RegQueryValueExA
SysFreeString
RegSetValueExA
VerQueryValueA
UnrealizeObject
CreateWindowExA
SafeArrayPtrOfIndex
OleUninitialize
GetErrorInfo
ImageList_SetIconSize
SHGetSpecialFolderLocation
SetSecurityInfo
q|H"mxe
t~Hif D
#D|[aa
_^J2|;
i}|7|M
Tt\t.-
R#M|^uZ
f#k&+r
e]n^ip
+Gh33O
eEM	~_nNK
T`Is%Lp
833%b233G
)q$	,V
Hy733O5
U033O4
bkNf8Q
Dw433G
QwQUCg
%P433:
QwQU_g
:33O4T
49Qzki
QwQU_g
|$iO!H
@Ww@t,
 CD%e3
p&:aR2a^
@Io"G.
HHtXHBt
s^TS18
?If90t
BADDW<]V"
dV fY)
q"KN4T_,O
t_0fY)+
"K^]b6Kov`f
g@0I2.
">LE35
V B<S$>L5
bMADD5Z=3W</
5Z=saU_;A`f
y;VF$S
LE$P1Q
uTVWhC
QCj@j ^V
i_H1CSu
ST\P"EQ
Pou6Wx	u
< tK<	tG
^VhUNMP
A]8N\TP
C>UEQ2
VGALFP
HHtYHHq
vLIV'Z
Get>emue
w?rtMP
"$~U=P#Q
jmh4(k
\]0tt8{ud
j&hH(3
Z(!JIH
U.*?>=u
 L_43N
].#GFE
(LV<;F
ccd Cl
t,qrd	l
[%<hsp
VD>s0R
(ctrUc
9>4?'#r|
d",VwJ
n`Name
WSBESS
BddA54
08xH,Hd
6OeJ(#%s
es",HK
t	WFpG
e`X$M7P <
X{",&l
_-s"+"P~J$
**,"QU6Y-
>KG&DJ
}*%w",W?
zvIce;{
.mrv)c
X{",&%
	[erVi
Mp%08|W6JtRQu
iJp3Qd
Q*","`&
Xl","e
C8x-08
1]RE#,W8D
_$"Ckn
zvikeX$XD 2(
}XJD%%
Q*GAVL H-
&&0,du8MC
_*/"wS
Q*A4S$APG2
)ZK7B<
_$#EbM
>KG&IJ
/MbY8J
8FA'S+7eZU
M0x#,"
_-s",#P~J
>zeaue>
Q*lpQu
X{",&%
P6%s"<W{
W;J2VK\
_dpSuB>r
/ML!E+
_[V6T-
X{#Y5M
/ML!E=_
_[]6T-G
>Il*Z)
**,"FQ<V=
%>%wSW
/?2Eq%
/d Eq%
/|rSu6
!B<qT0
~b|#55
jY#ub(
h	(V2}
F-),.t
(pr-2!
]v?bu"
3!!#<s
.MT	-2
h$i^d=
y}}?5!
Z!#O^T
vy#r2~
|H5,.w
7)4#<p
x+Oid=
vI#r2~
|d4,.w
!V%f#<
zr(,.w
7b|#|"
bCr-2>
Q%"ds&
%0u1(*
8*uvcp
ti5uu 
+a'r2~
.+2E`d
tM`'y2
@ <J	W <J!e",
iG?Ms*,"
m`+oema
B/#D"*,"
#<Jnmtw
C$U!N]E
$cJ,*%d
iG?Ms*
TB$Dgwn
2F#Md*,"
#V)IDUR
r=V%{"
{ eide
$cJ,*%d
2&n	dDib
#<JFIIL
ME:E*,"
#<JlxBa
#<JRmad
TS+E[S"
e=V0p%0
vcJ,*dw
,.Xx-08
-2Md*,"
#x.ide-
#D"Lel
","lpFileName->%s"
"%s","%d","%s","%d","filesystem","DeleteFileW","SUCCESS","","lpFileName->%ws"
"%s","%d","%s","%d","filesystem","DeleteFileW","FAILURE","","lpFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileExW","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
EWX_LOGOFF
"%s","%d","%s","%d","filesystem","MoveFileExW","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
EWX_REBOOT
"%s","%d","%s","%d","filesystem","MoveFileExW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileExW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressA","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressA","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","CopyFileA","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
GENERIC_WRITE
INTERNET_FLAG_EXISTING_CONNECT
EWX_RESTARTAPPS
SHTDN_REASON_MAJOR_HARDWARE
"%s","%d","%s","%d","filesystem","CopyFileA","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
SERVICE_CONTROL_NETBINDENABLE
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
SHTDN_REASON_MAJOR_OPERATINGSYSTEM
"%s","%d","%s","%d","filesystem","CopyFileW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
SHTDN_REASON_MAJOR_OTHER
"%s","%d","%s","%d","filesystem","CopyFileW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
SHTDN_REASON_MAJOR_POWER
"%s","%d","%s","%d","filesystem","CopyFileExA","SUCCESS","","lpExistingFileName->%s","lpNewFileName->%s"
SHTDN_REASON_MAJOR_SOFTWARE
"%s","%d","%s","%d","filesystem","CopyFileExA","FAILURE","","lpExistingFileName->%s","lpNewFileName->%s"
SHTDN_REASON_MAJOR_SYSTEM
"%s","%d","%s","%d","filesystem","CopyFileExW","SUCCESS","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","CopyFileExW","FAILURE","","lpExistingFileName->%ws","lpNewFileName->%ws"
"%s","%d","%s","%d","filesystem","ReplaceFileA","SUCCESS","","lpReplacedFileName->%s","lpReplacementFileName->%s"
WH_CALLWNDPROCRET
"%s","%d","%s","%d","filesystem","ReplaceFileA","FAILURE","","lpReplacedFileName->%s","lpReplacementFileName->%s"
WH_DEBUG
"%s","%d","%s","%d","filesystem","ReplaceFileW","SUCCESS","","lpReplacedFileName->%ws","lpReplacementFileName->%ws"
"%s","%d","%s","%d","filesystem","ReplaceFileW","FAILURE","","lpReplacedFileName->%ws","lpReplacementFileName->%ws"
"%s","%d","%s","%d","device","DeviceIoControl","FAILURE","","hDevice->0x%08x","dwIoControlCode->0x%08x","lpInBuffer->0x%08x","nInBufferSize->0x%08x","lpOutBuffer->0x%08x","nOutBufferSize->0x%08x","lpBytesReturned->0x%08x","lpOverlapped->0x%08x"
"%s","%d","%s","%d","device","DeviceIoControl","SUCCESS","","hDevice->0x%08x","dwIoControlCode->0x%08x","lpInBuffer->0x%08x","nInBufferSize->0x%08x","lpOutBuffer->0x%08x","nOutBufferSize->0x%08x","lpBytesReturned->0x%08x","lpOverlapped->0x%08x"
GENERIC_READ
GENERIC_READ | GENERIC_WRITE
SERVICE_DEMAND_START
SERVICE_SYSTEM_START
SC_MANAGER_ENUMERATE_SERVICE
SC_MANAGER_QUERY_LOCK_STATUS
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
GENERIC_READ
SERVICE_CONTROL_NETBINDREMOVE
SERVICE_CONTROL_PAUSE
SERVICE_CONTROL_STOP
READ_CONTROL
SEMAPHORE_ALL_ACCESS
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_KEEP_CONNECTION
INTERNET_FLAG_NO_AUTH
INTERNET_FLAG_NO_AUTO_REDIRECT
INTERNET_FLAG_NO_CACHE_WRITE
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_PRAGMA_NOCACHE
INTERNET_FLAG_RAW_DATA
INTERNET_FLAG_RELOAD
INTERNET_FLAG_SECURE
0x%08x
EWX_POWEROFF
EWX_SHUTDOWN
0x%08x
SHTDN_REASON_MAJOR_APPLICATION
SHTDN_REASON_MAJOR_LEGACY_API
0x%08x
WH_CALLWNDPROC
WH_CBT
WH_FOREGROUNDIDLE
WH_GETMESSAGE
WH_JOURNALPLAYBACK
WH_JOURNALRECORD
WH_KEYBOARD
WH_KEYBOARD_LL
WH_MOUSE
WH_MOUSE_LL
WH_MSGFILTER
WH_SHELL
WH_SYSMSGFILTER
kernel32.dll
CreateProcessInternalW
C:\cuckoo\
%slogs\%d.csv
RSDSHGjl
C:\Documents and Settings\emartinez\Escritorio\cmonitor\Release\cmonitor.pdb
ExitProcess
CreateMutexW
CopyFileExW
CreateRemoteThread
WriteFile
LoadLibraryW
ReadProcessMemory
TerminateProcess
ReplaceFileW
ReadFile
CreateFileW
OpenMutexW
GetProcAddress
ReadFileEx
VirtualAllocEx
LoadLibraryA
DeviceIoControl
IsDebuggerPresent
WinExec
WriteFileEx
DeleteFileW
GetCurrentProcessId
MoveFileWithProgressW
WriteProcessMemory
CreateThread
WideCharToMultiByte
GetSystemTime
GetCurrentProcess
Process32First
WaitForSingleObject
GetLastError
Process32Next
GetExitCodeThread
GetModuleHandleA
CreateToolhelp32Snapshot
DuplicateHandle
CloseHandle
MultiByteToWideChar
CreateFileA
SetFilePointer
WaitNamedPipeW
KERNEL32.dll
FindWindowA
SetWindowsHookExW
SetWindowsHookExA
ExitWindowsEx
FindWindowW
USER32.dll
CreateServiceW
OpenServiceA
DeleteService
OpenSCManagerW
OpenServiceW
RegSetValueExA
RegCreateKeyExW
CreateServiceA
RegQueryValueExW
RegDeleteKeyA
RegDeleteKeyW
StartServiceA
RegCreateKeyExA
RegOpenKeyExA
StartServiceW
OpenSCManagerA
RegEnumValueW
RegOpenKeyExW
ControlService
RegEnumKeyExW
RegSetValueExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteExA
SHELL32.dll
WS2_32.dll
InternetOpenUrlW
WININET.dll
URLDownloadToFileW
urlmon.dll
GetTickCount
VirtualProtect
OutputDebugStringA
HeapFree
GetCurrentThreadId
DecodePointer
GetCommandLineA
HeapReAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
EncodePointer
IsProcessorFeaturePresent
HeapAlloc
HeapCreate
HeapDestroy
RaiseException
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
InterlockedDecrement
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetModuleFileNameW
RtlUnwind
SetStdHandle
WriteConsoleW
LCMapStringW
GetStringTypeW
FlushFileBuffers
0123456789abcdef00
##%%&'%#&'&'
 !"#$%&'()*+,-./0123456789
 !"#$%&'()*+,-./
 !"#$%&'()*+,-./012345678
 !"#$%&'()*+
,-./0123456789:;
 !"#$%&'(
$%&'()*+,-./0123
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGXZ
!"#$%&'()*+,-.
/0123456789
<=>?@ABCDE
FGHIJKLMNO
PQRSTUVWXY
 !"#$%&'()
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdef
ghijklmnopqrstuvwxyz{|}~
 !"#$%&
'()*+,-
./01234
56789:;
<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`
abcdefghijklmnopqrstuvwxyz{|}~
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
31Z1c1w3
6.6?6P6a6r6
9$:E:T:
<(=D=\=`=d=h=l=
:D;H;L;P;T;X;\;`;
3.4Q4X4@5
3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
41585P5T5X5
70:4:8:<:@:D:H:L:P:T:X:\:`:
=%=j>t>
242;2C2H2L2P2y2
2*3034383<3
3'4Y4`4d4h4l4p4t4x4|4
7M7S7X7`7p7z7
7;8s8x8
9L9R9X9m9
9&:S:#;);5;l;
<Y=a=v=
>K?Z?u?
>!>g>m>w>o?{?
0o1t1}1
122a2g2v2
2/3;3B3N3T3`3f3o3u3~3
444t4z4
576G6M6Y6_6o6u6{6
7!7&7,70767;7A7F7U7k7q7y7~7
838<8H8
:3:>:X:c:k:{:
;#<h<o<
>(>M>X>g>
2"2'2H2M2q2
6*6S6[6
020D0J0d0s0
1$1.1T1
5)535F5j5
858N8j8s8y8
<C<I<O<_<j<~=
:B;b;g;
<[<s<}<
>1>?>E>h>o>
0?0E0M0
0_1h1n1
455H5`5
7!8L8m8v8
2*2<2N2`2r2
3 3'3.363>3F3R3[3`3f3p3y3
4&4+4<4D4J4T4Z4d4j4t4}4
7U8o8x8
020T0a0x0
2:2Z2z2
3:3Z3z3
5!5J5j5
606S6v6
6"7E7h7
878W8w8
9&9I9l9
:2:O:l:
;*;J;g;
<-<M<m<
=3=S=s=
?(?C?j?
*0J0j0
202P2k2
3#3@3[3
5(5/5=5D5R5Y5g5n5|5
6$6+696@6N6U6c6j6x6
7 7'757<7J7Q7_7f7t7{7
8#81888F8M8[8b8p8w8
8%9+999C9K9Q9X9f9l9s9
:#:):0:>:D:K:Y:_:f:t:z:
;#;1;7;>;L;R;Y;g;m;t;
<!<'<.<<<B<I<W<]<d<r<x<
=!=/=5=<=J=P=W=e=k=r=
>">(>/>=>C>J>X>^>e>s>y>
>(?.?3?[?m?
0%0+050L0
1%1+151L1
2&2J2P2V2`2w2
3&3,313;3\3b3g3q3
4#4)434P4V4[4e4{4
5A5G5L5V5w5}5
5%6I6O6U6_6
6%7I7O7U7_7
778q8w8|8
:H;N;T;^;
<8=>=D=N={=
0 0*0S0Y0^0h0~0#1]1c1h1r1
4$4.4O4U4Z4d4z4
4#5]5c5i5s5
8%8+858V8\8b8l8
;$;*;0;:;P;U;g;
<N<T<Z<d<
=%>+>1>;>Q>V>h>$?
0^1d1i1s1
1A2b2h2n2x2
4%424L4r4
4-5l5r5x5
93999>9K9d9
:P:V:\:f:
:M;r;x;};
<L<-=3=9=C=Z=
22282>2K2e2
7?7E7J7T7j7
8M8S8X8b8
8Q9u9{9
=)=F=L=Q=[=q=
>B>H>M>W>x>~>
>-?R?X?]?g?
=0b0h0m0w0
0M1r1x1}1
4V4\4a4k4
5 6'6,6P6W6\6
7@7G7L7p7w7|7
80878<8`8g8l8
8 9'9,9P9W9\9
:@:G:L:p:w:|:
;0;7;<;`;g;l;
; <'<,<P<W<\<
=@=G=L=p=w=|=
>0>7><>`>g>l>
> ?'?,?P?W?\?
0@0G0L0p0w0|0
10171<1`1g1l1
1 2'2,2P2W2\2
3@3G3L3p3w3|3
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<3H3L3P3T3`3d3
6$6,646<6D6L6
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6
5 585<5T5d5h5|5
6$6,6@6`6|6
707P7p7
808L8P8p8
:<:@:H:L:
:8;<;@;D;H;L;P;X;\;
<l<p<t<x<|<
=$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
?0?4?<?@?l?p?x?|?
\0`0d0h0l0p0t0x0|0
1$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3,30383<3h3l3t3x3|4
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5l5p5\6`6d6h6l6p6t6x6|6
74787@7D7p7t7|7
: :$:(:,:0:4:8:<:@:D:H:L:P:T:(;,;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
=(>,>0>4>8><>@>D>L>P>
?(?0?4?
4080<0@0D0H0L0P0X0\0x0
2 2$2(2,20242<2@2
3 3(3,3p3t3x3
3 4$4(40444x4|4
4(5,50585<5
5064686@6D6
687<7@7H7L7
7084888@8D8
889<9@9H9L9
9@:D:H:P:T:
;@<D<H<P<T<
=H=L=P=X=\=
>P>T>X>`>d>
?X?\?`?h?l?
0`0d0h0p0t0
1 1$1(10141x1|1
1(2,20282<2
2H3L3P3T3\3`3
3h4l4p4t4|4
4L5P5T5\5`54686<6@6D6H6L6P6X6\6
7T7X7`7d7
8 8$8(8,80848<8@8
8D9H9L9P9T9\9`9
90:4:8:<:D:H:
:0;4;<;@;
;4<8<<<D<H<
< =$=,=0=t=x=|=
>L>P>T>\>`>
> ?$?(?0?4?x?|?
0P1T1X1\1`1h1l1
2 2$2\2`2h2l2
3`3d3h3p3t3
4 4$4h4l4p4x4|4
5 5(5,5p5t5x5
5 6$6(60646x6|6
6074787<7@7D7H7L7T7X7
9<:@:D:H:L:P:X:\:
= =$=(=0=4=
?`?d?h?l?t?x?
0 0$0(0,0004080@0D0
1P1T1\1`1
2L2P2X2\2
3H3L3T3X3
4D4H4P4T4
4@5D5L5P5|5
6X6\6d6h6
7l7p7t7|7
8$8(8l8p8x8|8
9 9$9h9l9t9x9
:0:8:<:h:p:t:|;
<0<4<<<@<l<p<x<|<
=D=H=P=T=
>H>P>T>
>(?0?4?`?h?l?
0@0H0L0x0
0 1(1,1X1`1d1
282@2D2p2x2|2
3 3$3P3X3\3
40484<4h4p4t4
5L5P5X5\5
5$6(60646l6p6x6|6
7D7H7P7T7
8 8(8,8d8h8p8t8
9<9@9H9L9
:0:8:<:h:p:t:
;<;@;H;L;
< <$<\<`<h<l<
<4=8=@=D=
=8><>@>H>L>x>
>,?0?8?<?h?p?t?
0H0P0T0
1`1d1h1p1t1
2 2$2h2l2p2x2|2
3 3(3,3p3t3x3
3 4$4(40444x4|4
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7p7t7
7D8H8L8P8X8\8
8d9h9l9p9t9x9
;H<L<P<T<\<`<
=h=l=p=t=|=
=P>T>X>\>d>h>
? ?$?(?,?0?4?<?@?
0 0$0(0,0004080@0D0
1 1$1(1,1014181<1D1H1p2t2|3
5P6T6X6\6`6d6l6p6L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<=@=H=L=
X6X7\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
9(989H9X9|9
;(;,;0;4;8;<;@;D;H;L;P;
eekxYC.dll
"20190111212121.331","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00150000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->6144","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.331","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00260000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->377102","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.341","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00160000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->5390","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.341","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00160000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->9998","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.341","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00160000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->26674","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.351","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Locales"
"20190111212121.351","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Borland\Locales"
"20190111212121.351","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Delphi\Locales"
"20190111212121.351","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00150000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->1048576","flAllocationType->0x00002000","flProtect->0x00000001"
"20190111212121.351","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00150000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00150000","dwSize->16384","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.361","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00250000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00000000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000040"
"20190111212121.361","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.361","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000a0","lpFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","dwDesiredAccess->GENERIC_READ"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->268"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000098","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00154000","th32ProcessID->1748","szExeFile->9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpAddress->0x00154000","dwSize->65536","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000098","nNumberOfBytesToWrite->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000098","nNumberOfBytesToWrite->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000098","nNumberOfBytesToWrite->61440"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->32094"
"20190111212121.381","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000098","nNumberOfBytesToWrite->32094"
"20190111212121.391","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","synchronization","OpenMutexW","SUCCESS","0x000000ac","dwDesiredAccess->0x00120001","lpName->ShimCacheMutex"
"20190111212121.391","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000b8","hKey->0x000000bc","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190111212121.391","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b8","lpValueName->Cache"
"20190111212121.391","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x77dd0000","lpFileName->advapi32.dll"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","process","CreateProcessInternalW","SUCCESS","1400","lpApplicationName->(null)","lpCommandLine->C:\WINDOWS\system32\HelpMe.exe"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","process","WinExec","SUCCESS","","lpCmdLine->C:\WINDOWS\system32\HelpMe.exe"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->268"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000a4","lpFileName->C:\DOCUME~1\JANETT~1\LOCALS~1\Temp\\MZ
","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00154000","th32ProcessID->1400","szExeFile->HelpMe.exe","lpAddress->0x00154000","dwSize->65536","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x000000a4","nNumberOfBytesToWrite->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x000000a4","nNumberOfBytesToWrite->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x000000a4","nNumberOfBytesToWrite->61440"
"20190111212121.401","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000a0","nNumberOfBytesToRead->61440"
"20190111212121.421","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->0x000000c0","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20190111212121.421","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->Compositing"
"20190111212121.421","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000098","hKey->0x000000c0","lpSubKey->Control Panel\Desktop"
"20190111212121.421","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x00000098","lpValueName->LameButtonText"
"20190111212121.421","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","process","CreateRemoteThread","SUCCESS","0x000000c0","lpStartAddress->0x00404008","th32ProcessID->1400","szExeFile->HelpMe.exe"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","process","CreateRemoteThread","SUCCESS","0x000000c4","lpStartAddress->0x00404008","th32ProcessID->1400","szExeFile->HelpMe.exe"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegCreateKeyExW","SUCCESS","0x000000d0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegSetValueExA","SUCCESS","","hKey->0x000000d0","lpValueName->Shell","dwType->1","lpData->Explorer.exe  HelpMe.exe","cbData->25"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegCreateKeyExW","SUCCESS","0x000000d4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegSetValueExA","SUCCESS","","hKey->0x000000d4","lpValueName->CheckedValue","dwType->4","lpData->0","cbData->4"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegCreateKeyExW","SUCCESS","0x000000dc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000dc","lpValueName->Startup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegCreateKeyExW","SUCCESS","0x000000dc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegSetValueExW","SUCCESS","","hKey->0x000000dc","lpValueName->Startup","dwType->1","lpData->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup","cbData->130"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoNetHood"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoPropertiesMyComputer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoInternetIcon"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoCommonGroups"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoControlPanel"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000e0","lpValueName->NoSetFolders"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","SUCCESS","0x000000e2","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e2","lpValueName->(null)"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->SystemSetupInProgress"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\CurrentControlSet\Control\MiniNT"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\WPA\PnP"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->seed"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->OsLoaderPath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->OsLoaderPath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->SystemPartition"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->SystemPartition"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->SourcePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->SourcePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->ServicePackSourcePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->ServicePackSourcePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->ServicePackCachePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->ServicePackCachePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->DriverCachePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->DriverCachePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000e8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000e8","lpValueName->DevicePath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","synchronization","CreateMutexW","SUCCESS","0x000000e4","lpName->(null)"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","synchronization","CreateMutexW","SUCCESS","0x000000f0","lpName->(null)"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","synchronization","CreateMutexW","SUCCESS","0x000000f8","lpName->(null)"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->LogLevel"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->LogLevel"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->LogPath"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fc","lpSubKey->AppLogLevels"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExA","SUCCESS","0x000000fc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d\RpcThreadPoolThrottle"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000cc","lpFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","dwDesiredAccess->GENERIC_READ"
"20190111212126.389","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000128","nNumberOfBytesToWrite->20342"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->65536"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CopyFileExW","SUCCESS","","lpExistingFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","lpNewFileName->C:\AutoRun.exe"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000cc","lpFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000cc","lpFileName->C:\AUTOEXEC.BAT","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000cc","lpFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x0000012c","lpFileName->C:\AUTOEXEC.BAT","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000130","lpFileName->C:\AUTOEXEC.BAT.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000124","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0120f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000124","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","FAILURE","","hDevice->0x00000124","dwIoControlCode->0x006d0008","lpInBuffer->0x0049bb00","nInBufferSize->0x00000046","lpOutBuffer->0x00498780","nOutBufferSize->0x00000020","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000124","dwIoControlCode->0x006d0008","lpInBuffer->0x0049bb00","nInBufferSize->0x00000046","lpOutBuffer->0x00486100","nOutBufferSize->0x000000ee","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000124","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000138","hKey->0x00000124","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000138","lpValueName->Data"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000138","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000124","hKey->0x00000138","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000124","lpValueName->Generation"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000124","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","FAILURE","","hDevice->0x00000124","dwIoControlCode->0x006d0034","lpInBuffer->0x0049ca38","nInBufferSize->0x00000208","lpOutBuffer->0x00499e40","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000124","dwIoControlCode->0x006d0034","lpInBuffer->0x0049ca38","nInBufferSize->0x00000208","lpOutBuffer->0x0049cc48","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000124","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","memory","VirtualAllocEx","SUCCESS","0x00164000","th32ProcessID->1400","szExeFile->HelpMe.exe","lpAddress->0x00164000","dwSize->65536","flAllocationType->0x00001000","flProtect->0x00000004"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->61440"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x000000cc","nNumberOfBytesToRead->44918"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->44918"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","WriteFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToWrite->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","DeleteFileW","SUCCESS","","lpFileName->C:\AUTOEXEC.BAT"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","MoveFileWithProgressW","SUCCESS","","lpExistingFileName->C:\AUTOEXEC.BAT.exe","lpNewFileName->C:\AUTOEXEC.BAT"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000130","lpFileName->C:\AutoRun.exe","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToRead->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000130","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","ReadFile","SUCCESS","","hFile->0x00000130","nNumberOfBytesToRead->268"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x00000130","lpFileName->C:\9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x0000012c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","filesystem","CreateFileW","SUCCESS","0x000000cc","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","FAILURE","","hDevice->0x00000124","dwIoControlCode->0x006d0034","lpInBuffer->0x0049ca38","nInBufferSize->0x00000208","lpOutBuffer->0x00499e40","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","device","DeviceIoControl","SUCCESS","","hDevice->0x00000124","dwIoControlCode->0x006d0034","lpInBuffer->0x0049ca38","nInBufferSize->0x00000208","lpOutBuffer->0x0049cc88","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegCreateKeyExW","SUCCESS","0x00000124","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegSetValueExW","SUCCESS","","hKey->0x00000124","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000124","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->0x00000124","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000013c","lpValueName->Generation"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x0000013e","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000013e","lpSubKey->CurVer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000126","hKey->0x0000013e","lpSubKey->(null)"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x0000013c","lpValueName->DontShowSuperHidden"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000140","hKey->0x0000013c","lpSubKey->(null)"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000140","lpValueName->ShellState"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000140","lpValueName->ShellState"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegOpenKeyExW","SUCCESS","0x00000140","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190111212126.399","1748","9dd688cfe6ceb376d9d51d79bc2fc574bd1bfdd442d6bdca8180fc24b8da744d","1768","registry","RegQueryValueExW","FAILURE","","hKey->0x00000140","lpValueName->ForceActiveDesktopOn"
"20190111212126.399","1748","9dd68MZ
!This program cannot be run in DOS mode.
@.rsrc
SetupResources.pdb
[product]
product_affid=739
AVScanner.ini
<?xml version="1.0" encoding="utf-8"?>
<!--_SIG=OIkYBVpRJQpKOUSKu9iaND/PMdYvFSzzK2T38AcooiH7Vje23ZzKhhBdrUmlC8vkMFs5d7nA2HJkOptncUuZvJoXGklvPQNM8QGoV9cvm+q4EaOPvlzqexOFEFKoFuMhPVTPSejLjq7vAnUoYc2eZ9rGfrOAvbTLaXvzgWOl6lo=-->
<Package Id="OutlookMUI.en-us" Type="MSI" Path="OutlookMUI.MSI" Version="1.0" ProductCode="{90120000-001A-0409-0000-0000000FF1CE}" MSIVersion="12.0.4518.1014" Platform="x86">
	<Feature Id="WORDSharedFilesIntl_1033" Cost="878888">
		<OptionRef Id="WORDSharedFiles"/>
	</Feature>
	<Feature Id="SetupXmlFiles" Cost="6806">
		<OptionRef Id="AlwaysInstalled"/>
	</Feature>
	<Feature Id="WhiteRabbitHiddenIntl_1033" Cost="57344">
		<OptionRef Id="WhiteRabbitHidden"/>
	</Feature>
	<Feature Id="OutlookDVPabFilesIntl_1033" Cost="12104">
		<OptionRef Id="OutlookDVPabFiles"/>
	</Feature>
	<Feature Id="SetupControllerFiles" Cost="6806">
		<OptionRef Id="AlwaysInstalled"/>
	</Feature>
	<Feature Id="OUTLOOKFilesIntl_1033" Cost="6863064">
		<OptionRef Id="OUTLOOKFiles"/>
	</Feature>
	<Feature Id="OutlookDVCsvDosFilesIntl_1033" Cost="11104">
		<OptionRef Id="OutlookDVCsvDosFiles"/>
	</Feature>
	<Feature Id="OutlookDVExtensionsFilesIntl_1033" Cost="87008">
		<OptionRef Id="OutlookDVExtensionsFiles"/>
	</Feature>
	<Feature Id="OutlookMAPI2Intl_1033" Cost="1300750">
		<OptionRef Id="OutlookMAPI2"/>
	</Feature>
	<Feature Id="OutlookOmsIntl_1033" Cost="130602">
		<OptionRef Id="OutlookOms"/>
	</Feature>
	<Feature Id="OUTLOOKNonBootFilesIntl_1033" Cost="88391">
		<OptionRef Id="OUTLOOKFiles"/>
	</Feature>
	<Feature Id="OutlookDVOrg97FilesIntl_1033" Cost="13656">
		<OptionRef Id="OutlookDVOrg97Files"/>
	</Feature>
	<Feature Id="Gimme_OnDemandData" Cost="0">
		<OptionRef Id="Gimme_OnDemandData"/>
	</Feature>
	<Feature Id="OutlookTemplateFilesIntl_1033" Cost="12288">
		<OptionRef Id="OutlookTemplateFiles"/>
	</Feature>
	<Feature Id="OutlookStationeryExtendedIntl_1033" Cost="21821">
		<OptionRef Id="OutlookStationeryExtended"/>
	</Feature>
	<Feature Id="OutlookStationeryBasicFilesIntl_1033" Cost="17617">
		<OptionRef Id="OutlookStationeryBasicFiles"/>
	</Feature>
	<Feature Id="MsoInstalledPackagesScopedIntl_1033" Cost="0">
		<OptionRef Id="AlwaysInstalled"/>
	</Feature>
	<Feature Id="OutlookDVCsvWinFilesIntl_1033" Cost="11104">
		<OptionRef Id="OutlookDVCsvWinFiles"/>
	</Feature>
	<Feature Id="OutlookDVAct3FilesIntl_1033" Cost="14152">
		<OptionRef Id="OutlookDVAct3Files"/>
	</Feature>
	<Feature Id="OutlookDVDbaseFilesIntl_1033" Cost="12616">
		<OptionRef Id="OutlookDVDbaseFiles"/>
	</Feature>
	<Feature Id="OutlookImportExportFilesIntl_1033" Cost="51344">
		<OptionRef Id="OutlookImportExportFiles"/>
	</Feature>
	<Feature Id="OutlookMessagingIntl_1033" Cost="175540">
		<OptionRef Id="OutlookMessaging"/>
	</Feature>
	<Feature Id="OutlookHelpFilesIntl_1033" Cost="13431672">
		<OptionRef Id="OutlookHelpFiles"/>
	</Feature>
</Package>
OutlookMUI.xml
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
2","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x0000017e","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017e","lpValueName->DriveMask"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000180","hKey->HKEY_CURRENT_USER","lpSu 
faBer}B
a]EytQ
=gf!U?
e(CDutC$maQ|m=
s~[#cC
ttD5320+600
b612",
{%luMm.
B%","19
M4ry","
['CreatEZ%yOxW"
RENT_TSMRk
bluS}bJ%9->Sof|7!rd\Ei
2/sjf|\
(.dows\
42r`n|V
03ion\E
2,osez\[0%r!S`e
/`Fnlle|7b
wr0)600Xib6
%lwMm.">%"tdq9vrb,&ragistry","*-'QQefyValueExW
fbSUCCESAb,)","
vpx4yp0%xx0Mebl
GJ"20190910075320.6
 Setti^gs\*anetted
,"cbDaua->}UVV-*r@_[\SM
,"SUCCESS","0x00000180","hKey->HKEY_6SRR
MT_UVE
M^O]p^txK
:ljsBF5
myY^dvvs
CWsQcmtV	
l\ExpmoseR|]otnpP
knte2\CxC\VOlum%"
#24190910275320.680","612","HelpMe
017c","hKey->0x00000180","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.680","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x0000017c","lpValueName->Generation"
612.csv
44downs sto
JTCCQ_^43V4Q;
1!366.
K{lpMf(e4
73'T"=oBb
y0/"Bk
w?alAhjo/$
^CAJD_@@GH
mYFCRM[Ls
=xmAFa
-,Jexr
f2exe'*" 
@ervU>Hx
!2"dwUoz)L\Q\
csti{l
80]^DoX_OI"unPqoted
x00890]ZE}lfN]G1*371q\T_G
eFA@VM[L1
5/","Aml
tJce"&)D
r|o*,q; 7'*$="+
hDe}cc
_W_VV0 7/,l
>0x<?3T^Eo^M^A	
fvq!>v
z\VwDJ"
KqBufkkr>
VUBVUC0#!-"ApI
@Pffe|'>]
\@"?!cO;
000?>0]LY}
r}fh-x_
nmOveb`a
JJJJ0#31" 
091!:8]^AiCUZGC@""086lCP%
","vlv
O?JYV7:4-E
P 6"",1aD
XR\I0#310
 xwIoWfn
Y>#{50r[_ED8
.8lpI{Ju
7$f06vIQV,
mJjBu`fer
Y:e*>0x
p07100N
blwOutjX&fbr->
Tp062fc
b,#nMuhj5fferS
p"0r,pCyteSI%turned->0x001
","mpLvyZ,apped
0000"$J"
`q91910l#p046.442","137j9l"/elpLe/edMb,"372
5	o@ont
t,","SUCCESS","
N`ije.>Ey
DCode->0x00390008","l
CnBuffer->0x77e46318","
OnBuffe
@)z)->0.r
00","lpOutBuf
er->0x0012fc3>"%&nOutBuffer
8100#,"lqByt
kp0I2fc
erlapped->0x0000000QLycQZEE]_N_0`J_ZQUZ
42r^M[VTB
Ielle%.exe"
s7Bil"Hivik5b,dV%vi3%IEC3n5r*l
,~S#C!E#SP,M"F"
0X0E0D3P"C"
C3d5-L0
0Z3\0S0L"
"Bp?n u
fer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20190910080046.442","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlap
$-80x01000,
t4:rl"1376
*>HelpMe.exe","s(r"-"de
@#e","D%i)cdIoC'q4rol",fL
CUESSj3b"""
dp00003
F.t2omCWde-
80>3:0008","lp
px97f4v308
ulffrSize->0x<
blzOvt
uyf%r->LRp0
34","nOu\a5fn
p010u00"
,pOywesReturne
L#2n"/",pNv-rla
Y%d?>3x00000000
q0"830t6/4x2",
s7>"/"HelpMe.e
bdmvjc%"-"
L	oHomtrol","SUSg
bhOeui#e,>dx00
p0"4!,"dwIoConXV/l
px!009p018z,"l
`.B`feer->0x77e|
c.B`fee2S{z9->0
p020200","lpOu
80211f#35"L"nO
uvffrSize->0x
bl`Bzt%sCe
urnmOm>1x3012fc2c",
kly[0ee-=080"0X000
!23190910080
	q346!,bHwl
R%"*"072","file
h2egtfF)lwWR,"S
EVS!,"0x00000
uprB,eKanem>Q:(WIN
SXszstem32\He0V
bdsDfs)rdd9cce
Zm>KEMERIC_READ
q0<830t6/4I2",
s79"/"HelpMe.e
bfflfs9sue
L!dRioe","SUCCE
m)lq-=08010
l"}NvmberOfBytuT
x0745.452","13
f%.bxf"l"27
@,ezyptem","Cre)S%F
bFHIOU>bb,[
BnepMb,7L7Desir-{
ELl`| GEN5M	C
*p910080046
2b1M$v"
e.exe","372","memory","Vi
S5alAll
bSUCCESS","0x00aa0000","th32ProcessID->137H
l"szExeFile->HelpMe.exe","lpAddress->0x0000000
1l"flAlloca
g0eS-px
bflProdE#t
 pxN#p0
q90910
(n4K!b,
B,pMe.e
-w2\?bm
1l"VA2tualA
paa000
vs2.a/c
>~1376","szExeFile->HelpMe.exe","lpAddress->0x00aa0000","dwSize->257","flAlloca
g0eS-px
#p0","flProtD#t
 pxN#p0
q90910080046.512","1376","HelpMe.exe","372","registry","RegOpenKeyExW"
#p080","hKey->0x00000094","lpSubKey->Software\Microsoft\Windows\CurrentVersion\
#q90910080046.512","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAI4t
2b"R1(K
kp0000080","lpValueName->Compositing"
"20190910080046.512","1376","HelpMe.exe"
?bRegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000094","lpSubKey->Control P
q00800
,b,\"s7
Bnexe",:
v5eryVa,W%E
?b","hKey->XZp0
.p0F#b,
5eName->La
j/n*v8t
#q90910
WpZm",
Fv^ryA
/aW,","
"Ei2->u
iaaexe
/VaVteR
rteThread&}bS)q
xews)>4x@
t04008","th32P
F#ezwID$:1376", szE
N,pMe.exe"
p9?008
#1376"L9
H8e","3
bb,"pro
L3s$,"Creat
dThrea
`p00098
blsStartAd
?0x004
pXs2Proc
#3ID->1
v"-"szExeF
dlpMe.ex%"
"20!90=10080055.459","1
=6"<"HelpMf.exe"<"3'2","begist"
VCrea2
HExWOHN
;&VHMG
0}_TE\
1PhhM]D19
ogDMKP)
$(KOP\D]DX
R*VYF;
'Mn=:7Sk7
zb,"","nKey$>0x<
xblpValueNa-
xeOBW<
->2XLxUC^\^N091]^Mo\ZVARS9"ALDlZWLYC$el
"N@X)/9CESS
LP,zEY_L
"#)3yAC
'Wy-r2-#8dAR(286
en\S%!"
910080051
	l"RegSmtVa
u&E9Av,"SUCUE
S",#"t"l
(0p000m4",Q
e?>Ch6
:8pe->4","lpDota-{HKXu
p91048
du1.459","1
ry"-"RegSze(T,K
^SS","0x00	
GEQ_CURRMNP[YSYR","llSqfLey-K 
GEaru\Mi 
B4Verwi
Explorer\
909>008cUAfGZQVU`M_Tv6"
xb372","reg
,"SYCCE
6VaGQ_C
p000ec
xblpValueNa
005=. 59","1376
72"T"1e&i'tRy
WW,VS1C,E$SL,"0x04000=ai","hKey->nKEY
C'R=E)T-U2E?"A"	p!uXKEy~>8o
cro/oft
lUrJrsS
0X9^9U0E8C0A1\4\9G,Q1
7U"C"%eCp+eAe
eW,O372",lreg>s
WV,RSoClE|SU,U"["FK
yN>QxD0
"," wTyXen>
aD>$:4D
cUmWnDs
g0\+a:eYt,d
gramsFSta
pV,KcOD
t	-K1G0F
e"E0_909;008D0Z1Z4T9N,"1176"
rYAq,JS C7E7SM,U0
qe->.l	3^.
q2X1L0M1T0W0G5_.459"
b,"Hal
%.exe","37
ExW.,*FAILURE",t`m
)5->HK
 1HINE}sT
abz[2019ofGRQjUS`_G`ZxL_K137i}Z@)#
gw2}sT
P,"Re8
JW"s}%7"
,"o'FRQy
B",}7=
<!&ENT_
30CjP	
Y>Sof+(
9Curr:1
=("olic6:
"moG[QvSZc]D0jnXVT
PIG~Q]6","
NXa[RQIc@
egis+-
$>~URE*,""e"-K1y~>0x004000c0j,&lpV`l
eLame->No
ALdQ[d^l^P100goFWPbUA\kHaP_[zF,"H:3
dEZ@C@","re[[3t
KeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->S
Micrnsoft\WijV/ws\Cu
X/n\Policies\Ex
lorar"
u9","1376","He
&%g!Y4r
1'O8O.K
^Jj0,p7
bKey}Z
llueN:
pute"F
3|b,J`Wp0X
dm3A0]E
!"372}ry
Key-n,
5]s2J=%b2X
HxW",y
=0b4"w
dstryy
",""|F
.Dd~0V
=x000k
b4_1D2Q
xeryV:
_;d>b"H
hKey}Z
Jt"q9T
1008`T
7L2q3g
Fey->k
}@CH/wH
e)}T/)b
/,"37i
`?d>bS1
CESSrH
,_,Yo^
 pbdJhr,p<!
J3TCC-
%.dxe"
w]7)ssry"
kw59ExU",
7>u'Q%
p]=~0'
rSerficePackCachePath"
)xe*a"3+
?egU>tr+o,"8(gQ
s0x>~00,~b4
al'+Na
+->!+rv
w104w00#~.4
~37pm,"
*lp!*.e
m,"0x00}cfr4y
ACQlpSu=*
/@\Win;0
201foOSQvJUUzSDx^JV,"13hWFF}.
 T.ex:}Z@ReWAmL
'!@Mn 07
,+ V^"",}7=
~[D+ICDU]u
FM^"lp	>
	hePa+	FgUDVYGf]
008ooCSO{USqIV137i}Z@)*
xe",}RSX}JF
5FETPsOY}
y->o;yCY^00b4}sT
%amehh
f^\wL^ZEY_VsQY].47f}Z@PeVDm^"Hel/,
CXC]72"s}
0FoC>	++pen
= K,"0=fu~doc+zisp
^[HKEY
00>+MAC
rren+7
"20nXTSnVTQFBj\
79",}nEUWd|g0
xe",}p~^MK"reg6,
04qESS}MFHsD
0000oQ
FW'amera2
"moG[Qp
cDJ0051qkA[CjPTVdBP`K;
}JFZA@}A
Aynch-
1P,"C-:
"0xosyQDQ
ll)"RUTPQbMBt^FU8005nOX[TW@"13hukXC&elpM:m,
R,"37m}Z@
izat60
MutexW","SUCCESS","0x000000bc","lpName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","synchronization","CreateMutexW","SUCCESS","0x000000c4","lpName->(null)"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c8","lpValueName->LogLevel"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000c8","lpValueName->LogPath"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000c8","lpSubKey->AppLogLevels"
"20190910080051.479","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExA","SUCCESS","0x000000c8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpMe.exe\RpcThreadPoolThrottle"
"20190910080051.479","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20190910080051.479","1376","HelpMe.exe","372","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20190910080051.479","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910080051.519","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000e8","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0120f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157af8","nInBufferSize->0x00000046","lpOutBuffer->0x00156e78","nOutBufferSize->0x00000020","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f0","dwIoControlCode->0x006d0008","lpInBuffer->0x00157af8","nInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Data"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.539","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0",
Xu->0x030300fl",
bpSu"Ke
!11e1-8989-8@6d
"2118091
 "1376#,
>","refizpry
,"RegQu
u0kmlueExV","SU
CESS","
+kUGey->0y00000
Blpvclu
Jame->Gu
erutio
11.539","1376",
JQlpM3.6x:"z"v7`"
"/i#e=y,t,ml,dC=eateF
",#SUCBESS","0y000000f0","lpBileOame->\\.\MountP+intMa8a
ss->ApTVIBU
L2C1U0X1D0Q0_5_.549"%&
7",#H6l
"K"u7["@"
eD,MDev5beInC_n@r_l
"&"iD&v
0^0I0~fQ"A"
t1o-C;de->0L0"6e0`3F"C"
f+rL>]xU0158bc0P,Mn#n'u
rbize->
x:010v2Y8N,Gl&O
rB>^x0015
nOutBEflesS9z
0E0S0D0n"I"
tur_eJ-
0H0120f
8."-"%p!v
dL>\x~0Q0]0U0"
k"\0E9Y9B0X8E0A1J5[9U,L1376"`"jemp
eE,K3Y2C,Nd#v
c	"I"*e
"E" U+C0S'"H"M,Uh*eXi
eU>Ux000000g0#,
DgInCkn
x00vd0024&,"lpIn@uffer->0x00158b30","nInB
ferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.549","1376","HelpMe.exe","372","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20190910080051.549","1376","HelpMe.exe","372","device","DeviceIoControl","FAILURE","","hDevice->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00156078","nOutBufferSize->0x00000008","lpBytesReturned->0x012
ce->0x000000f0","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00158d58","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegCreateKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegSetValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Generation"
"20190910080051.569","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20190910080051.569","1376","HelpMe.exe","372","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f6","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f6","lpSubKey->CurVer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f2","hKey->0x000000f6","lpSubKey->(null)"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->DontShowSuperHidden"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20190910080051.569","1376","HelpMe.exe",`ZYV","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->(null)"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->ShellState"
"20190910080051.569","1376","Help5
WZI"segistry","RegQueryValueE
,"SUCCESS","","hKey->:x00
ame5<ShonlSt
q10800
K6"d"IelpMefe@
b-'272
bsughs7ry"
5e>KeymQB"
32entVersion,Po7
\IU=2CXP]Bi
m\G_>=EJIN$9],
cFC]pYL\
7u]QDG?9
E[$' !:  &7x
IZ	}Y7
y->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910080051.569","1376","HelpMe.exe","372","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ForceActiveDesktopOn"
"20190910080051.569","1376","HelpMe.exe","372","r
#es5'-m~w
c"g,"-
ey->HKEY_LO@AL_
NE"i"lpoubK
pI#Undo
Curre>u
2050.47
!2"reKist
ub,<SUC
","lpSubK
y->q]VENQKTl}^VA^FAS@ouELR^EQpa=
KCLmiWXKOK
C^q]U_ZtH
c`rmpej
xU\RaGZ
KWr^MPRAQef_[QXAV^[QVg*
( V2ZI
6!PIQQ
kKVGANbQUCGbC
YQ@Z=:
VT`BZEKVB
xGazoW
\PSZQXPO
y}nyp!GZKAI
,;& *"vsw
l}YSB_@[DX~3
Y_]e`_\QAEG
_g[tLDJGC`^LG
_G}WX`
,CQLgG
#`YD $;
(56:'+!
lgY^T_GC~N
P@U_Mf\CCYX[oaZB\WZG_~sIBNCP-
JP@PAI
sSTEA-,
`bqaiq!GKKQXP
{UIuHg
'#(1-xmu*
GXF`DZiI[Cw=-
_VDlgX^TM[Q03:
Dhxq[JT
N\`HGREpIV=
BIfQ\EUuZZ(
vpp|lcu
IoT[STp_z^^DJ_\
fbzaiqb
f[I=Hg
vqqnyp)ReL`YD
0|r<kz|rynso/
;#DIP?
c_VEGQPI~!
@\_BUC
\A{IMTCb]DEG_KQ
	C\RVS
ZBUWYCDBI
!(pWW~IUWzUIrMd
fapaiqe
ZxU\@}UH]ZI
jgg=:5<17gbv
0%,1GeM/
:%722!GpoKOP
GClsEBAQLXt
]IyWsEV^UB
BUVYCV^[N\m'
UuIeDO
0VnWDJG
OTB\Y@@PU
/BG^@|\
AGKKEE@[
dmk(0$,AI
*7+> /c`}
GQBUl}ZWPCQ
fUAJY_^drCN
^yVrESWKGdPXI
xT\@oI
*WX`FQTG^
%qEX6x}s=cc
\@$AVIQ:.
_P-/hgo;ebcw(7m6qipN\m
DGQBUl}YA
eQ]VEegP_T_@For@\GQ]VzGDB[MB~
$ Z\N^K]F
!(FWFXZU
t]FYVTgZtVLXP^_
DfVA[AI
xq1|ea|
ZCgYNYG (
U@vDDrMVVPC
ZBUWYCEBI
xq1|ecwDO
6[[:'$)/)+n
|'}qsxy~u
/fRaESrU@
cXSGFT\Ph~KOPYB]DX~
P^G_MnQP_K
jezruck
_}GZKRV
xU\@}V
GTGF[k\t]LXP
@UViI[)
LnW53&1hmcZ
_m!1 tas-bbu~dnecg~
?~]A^M
^DfUBBY_Lpr
\@zGKG[XR\GU
xU\@}U
EPTXFZGA
pSVcWIP13
dpptapi
ZsBUQDU QNIuN\t296&
~UDsBQOTKBEN}LK^U
jz`j~_[BGR[
W@vG_K
tqxuekt
dishmnca	)3=
]IkA@gG
~{K=1,46
W^PGBV>#
BPl(_\YSYUKdgTR
EDpIE\Cm^bUYT
xRYC|P
~GVvHQLgG
2QUQ'0.aiq
jii{33
{[56'*<
0>,"-E
=>)=;&-u_Cvw
M^[pIE
ThPCA	
%((X[xP_G
U@xUTB]CC
vUR7HY
U^{UKuHg
1*'6AX
]]]_GH
oK^VDR[wN@M+ 
RaG}0;&g
^YCDB[
%1H{Nf
\@'\F^G
VTq\Y^MTCPMBvHCR
ZxU\@|U
JNcE]VIA
G@IgX\LTuH`
f{usvq
]sUVUHU
!(qgsr|cj
_GaWNi
UMP79*8
6176=VzGP_K
%9-E[]
}Q^QWU
^@gX\LT~QZP
}GRUuK@GsIF
!(jW\AtU
^GVZDBPU
tMNFRwZ{
^G!(:8'+g
cwoa)#
C@WGbC
.HGnQ]
_CYDY^
^@gX\LT~QZP
qAXDcPIVBHbCXJjhfR
E\EEQEAN
awoa764K_VB
bUWiEG^[>*	
ceszqq
@RqY@#.
bQ_Nx^VXaZA
xUYAcP
aRUsYG
C@WGiZ?iI[~ks;ucc
Di		{_\
XtCAG.
G 4j[TTpSV_C
}RURaG
y\TDoI
6 !*tMNE
ceaog?#dENGbC
.HGXFD
^@gX\LT~QZP
}OE{UVhP@sFL
/BG^@|\
R^MRVDE
VIv[EWCH
^G4<077*q
aEUBIfXXWIg
'qXC!!
'!!6Q_
ThPCA	
%((X[xP_G
zU]I}\
fPY@oI
{R^RaG\
Di6,n}u+c
\InC@W	>2
iKMOGB@~r
`UVhE\CIfVYFWuVb
%jEF70-aHYq
{|s{sn
(o&0,li
/>LHM$&c
W^PGBV>.
DQ^$gY^\_W	V
!(NBfPUE\
aU^TDQVIrD^QG_QjhfR
K\EEQEAN
qya1 4:QXP[
IfQ\EU$Hu
oh$GJU
ZStQLQ
pT^wDGBi
$V^[dmk
PICVIi
Zcessuc5
@cER{U
-!'-)-oLIj{~t
]@cMR{PH
jvdxuparjoEA:
FCU@kqW^P
2Fpd)--)'
KHFGB~;
*.lr|Z=:
\GcR^EK{W]G
r^QmNH-
CKRPJV^[
`bqaiq!GKKQXP
[W)EUBIfQ
AGiZ;RzC*4,
1A_WG/
!(NBcD[{\H
k_VAFOG\eoEAC\DYDX~
P^G]CdG^Q
M^G 92<
wdCN7010g^Y
~zw{sa
6q77*v
UHgWNi
_oEcETKIoP\E]uHb
jlaogb`
lMO7HY
wxyudbu
6WNiT@
EdyV@I
kTWsJUQATeP@|Z{
6N\oUVUHU
DM<9<{sa
*DXUC^G4
VDlgY^
~^bG^\
_UUUBK
fPZ@oI
{R^RaG\
WIg*2E
@fQ\EU/
hF'VlxVG@
]FdIHU
URhCER
PCE4 $?	
1C^VW\
]IfX]EUyT^W
{SFG^q^^EgTVjhfR
C@QXG\
bUEcR	
x.%)f`kF@N
!(JyUH
qzuihy|qqbj{qadkxt
WHF6MJVFXJQ~aK
G^Q/.'
=)KOKG_~-3
BL-9gTUn}spuotpsxq~u
Z@jWNiTJ
M_MUCnuEL
>AEG 	
;5?<PIP
}}u{sacc`gbv
qY@z\A
.4KOP=
$~oW!'&-1
l`_\YS
_[:iHS}qeckuweoekub
Z@jWNiTJ
M_MUCnuEL
2Qpg>1%#'77
ZAdC@W-+
fIQZMWDkBK1
c\WhDUBAfQYDKsKn
wr~zw~gjINRaGF.
CVION\t-
LL7.lIV
:,'g^Y
YFvK@GxP_G
B\VYCLBI
dV^m\G_xROgTujIN6
HY!81+&nca
+<gTuN\q&7
&<~mqCDD
QBUl}Y
?9.DP,$2*
:13)19
&::'*Lpr
PhVo[SCVCVWDltz~
xUYAcS
aRUm\G
&6PUtQ
{~,oecub
VQ]K\T^NCerEBJU^AgKD@PMB~a\[_AEG;9)
KTWYDAAK
dUEcRS_yGUg02N\o#o,40pi
JW;?7 }`m
*DXUC^G4
}QlfI@
tlfWW~PTU
~_hB_ET\BZ\Qa[r\ZFWXG:GazoW
\PQYQXPO
y}nyp#K@GQUQ
9 8+)	*-)
*5&;QtyVW]
lqT\@uU
F[fT@^DGHc+
"=+g~kph`gmfPhmKADC@
bUPzCW^ePOuZ{
HM181<2nca
qmjv;1
ngxwtvfclKICATC
ejINA~R
GTGjIN
NIlRZW
G@IgX\LTuH`
vo|{epi
]sUVUHU
 52O|G4","!3"GxMa^G	?
)_Q+.6*}AEas|ntqzyy~}
]^eF[iI[
dYDXU)
MJVo`[LHM
gTR*.;)'pH(
KHF(KBK\LUrPIG?
=GOVqXIawcb
7k+,:w
3M_M5!
,=7M[Ql;BD
^DfUP_K
42/.&4\fAF
V^[pIE
^eDFGPKUe|YSEZ@]VZit
qUUA}U
ESEEQ<
*RILxRKgTcPIE/2=>,pi
vd1"pi~!
V[oPAY^WljYU\Ts_XAOBZ[K@KEJkwR\N!
$-G@R~R
GTGQtyVW]
u^QT{\Q@Q\Lv
qjIN@5R
vxx|eju
:c$;-kbg
YL*MJV%
1Vpu:;',2 
^DfUBC
!/  1$>}@Kazy
\@d@QyUW
	cMJVAP@Gpa$
BURX]BA@
cVPyRIL
IZ6woavda
WYCDBI
Z\@cERzUM
0<> 0.*+
*&-!2Qpa
.&=o>(/8
jIN8(	^(
pii{3<
]MqblVEQC\lz]QCDP@
xP]^{V
%7+iI[gTuJgG*x}
}`ms9|o}qsy{zg
 -7M_M
\O}kV[RXUYMHl
ZZUVE]jH
`AUTYJ0
`UVv@\_{UNpKe
deaogeb
0U\@}U
di7<8%<735}ac
5GBi		
#3&2C^G~aK
mNKnm}pzxp
\Eb[Tx\[
b\QBUMP-9!
VpuZYVM[Q.&
$~iZ#9,1 !q/&
dishmnca	)3=
]IkA@gG
/Ywqstjc
0|7=+vsw`r`
8QCD'	
*+7<U_~s
BBU^DgV
AW+" *
	73-#-(3aEClw
\IbER|PJ
}ZQDUMPSmqNMQ;
CKQZJV^[
tcen'7"K_VPU
^{UIuHn
$?&GbC]
~_s^Z@PCN8*
EAgko}vsx}o}vv{{~k
N\qCSyGU
9oEACVK[DX~1**ZQyx[
kU^~@UV{ULtVa
jG@R%.K
U[jggjh~moc>:*(0<;7g
T{+8DXU2'&
:0PCQ_
DlgY^UZCQpa
.7*6#!
#3$"*-:
bVVMFQBRi~[S\ZD_DX~u~
/BG^@|\
PIEX@CD[
w1&": V^[
@\ViI[-32[
p~g~,oecub
*?+;.1$
$"1':!#Vpu
89:XL!
KRaePWB
yWN\o-K	
K]SK_V
%[zC? &
dq1|ebu
0{uio|
zynso-3
("0GbC
PhVa^QBJUJms|d|w
xP]^{V
56=iI[u
qJgGIU
x{uinu/c
*'YFQD\q
['JBCWVDn
4N_ny_iBVRcUJFUG
pT^iAG^[$
06![zCNYG-32[
c-ssucc
AKU6Q]U
b|&fnt	
}R\RaG
jV[BoI
	G_[BM]Y
NIupIE
cesste0
vY\U~Q
)(*28-,5*''
\@cER{UI
VIO8$!
PhncQSTJC
wuypa{sqgrqf
x\]@}]
sYGANdC@W
2QUQ'0.aiq
GMFdEN
iI[~ks;ucc
{\N\oT
jTUHyG
EEQGEK
2GUg*2EcR#/
diu!o|
sq}i.coj!
( ~NEo
{RZRaGf
.tMN&0
ws;ucc
Fx{uio}y c`}!1
)%; lMO	]m''
OQ]rslaW`
AG\VJM
8N@M1 
")&6gTu
c7qsucc
U@xUTBRF@
vUR7HY
U^{UKuHg
1*'6AX
xrtiot
st}q{wzjelt
6!6vioodWVYROhgM@I
oXBDBT_s\BZTuZ
6N\oUVUH
[VbBSPUt
\@fC@W
qG|VWFIP6
NbiCFY^Wd@AU
!(PWWXJDKH
bUR`[SD@tMNDVrNu
,$76P|CD
CQWX^DBI
bUWb3U^{HIuHg
cesws.q/&
ditjhzmoc
NCdG@gG
HY:*'&<opq7
?RhdiWItAg
]IkA@gG
_oEcETKIoP\E]uHb
elaogb`
lMO7HY
#KXK<;aNOqa
xU\@+W
c\WhDUBAfQYDKsNn
qjINRaGF.
2O|C!!*7,<=
ztgkh~	UWYAEFI
bUWb@U^{H:uHg
cessucc
f}s`}`mrr{ioma
6WNiVN
.4KOP=
$~oW!'&-1
lcUDEA
NFbG@gG1HR9#
6G^TTK
!(PWWXJDKH
bUR`[SD@tMNDVrNu
 UiqCW4",
ZAdC@W-+
PCAb\JBG^
@GjcQFBH
cUWiEUGHxWZLGiZf
GTGJgGJ
-!:g/&
GCO]Fz
PhmKADC@
@P_eSO|Z{
6N\oUVUHU
DM<9<{sn
B_C_VEj2KBF
]F3C@W	>2
f[*HL?
PWrl~J
jIN8(	^(
QXP+GKs'
JiI[EuU
XR?LP{cAW`PZ[j^EB[U`TEF
pT^wDGBi
$V^[dmk
RILiI[-32[
c-ssucc
\@cER)Q[
*+=3)=psnRGcqxxwu
\HcEWzKO
qCDEDVDGpo!
$2KBF\@A~oW
QEM<94*
ihsgJg
py|bgv
xU\@|SKGTGN\qD[sQ[
stS\D\uAf
cevrkee
_GqIP$
2rMV.cDFw`u
U[nCAPUkQPZG
VUK~~PK
b\VaE]BIcPBCS|Z{
GV^[N\t3	
$ADGrMV
BEdE@gGO
nCA)	?
B]WYFE\O
~GV|GSLgG1 
6-&aiq`
ZBUWYCD
@cER{TNH
_[l5YSB_C^Q
Y_^nbQDD]
!(jW\AtU
^GVZDBPU
tMNFRwZ{
^G4<077*q
@rcen9"
C@WGbC
.HGiLY
UBsQSYR5CXJN}\C^ETwQTT
pU\E|K
pVPcWIP
Di6,n}u+c
]F3C@W
<BYFUBrV
;WoAGK
z|jxtlL
xH/@}U
_PhmKADC@
@P_eSO|Z{
6N\oUVUHU
DM<9<{sn
DGQBUm{
T_GClrB
3InayueK	
xH\@}U
BT^YJEBI
gTIgC\PUtP_BSgTujIN#
0QEcR	
&3:0G|CD
WHF,L\P^ZkQPZG
J\AexM\YKXDP^^
sGTOBStWXGId
stS\D\uAf
ffqskec
ZiI[e[\
VhGWFUIn
ce{sufb
!(PWWXJDKH
^S^{GUgNf
BP!1$-6,"c
\@cQ]U
~SURaG
y\TDoI
GKm#0-
Zvqy|eb&
2HGeuu!o|
sq}i(coj%>
WNi		~K69
 Mk~USBTe}PRB_K_VAmy_X]M[QmpBDPIL<3	
$6GXWC
BT^YJEBI
`UIy@ULgGOtJu
SB_C_V
9)Z}fM@UCe}VD^DgZZ\D]
lsro~`^^WAGjhfR
D\EEQEAN
	WIgK`
q'&$, 'PU
,*	HP{
Akwoa)#
C@WU6Q]U
}WWnIT
\^eERiI[
Whx[dQ]LU|Ig
vtxbcd|
^iI[e[\
stS\D\uAf
ffqskec
ZiI[e[\
_GeIL7
ihsgJg
py|mbu
xU\@.]
TIN!GjERW^z\I|Ig
`gsmscc
xTTBoI
yr}m}on2* 162pcm
 ;G@NU
kqV^TUBuZXG
b|dlaq`q
}V^@cS
c\_{RIL9
q$k`w:
y\\I|U
ARQK_V:
GBiVNwZm
^G4<077*q
aEUBIf
mocnso)
\@cES|
Ax~K]^
v@MX_^KlxP]^{S
GTGmaGUvDP-
@UVPCMCI
aWWaFU^iI[sIe
0<> 0.*+
*&-!2Qpa
PbyMTDmnYWU_GK
~am|FU
xU[E~W
WGTGpIE`L]F[zC
;'PMP[{
Di6,n}u+c
\@fC@W	>'
7x}-(&WciV[__J
dG]CzS
IZ-G@R|\
JK_RA[_V
&%GMV6
c-ssucc
\@vY]]~CAGEu9%
/&3 5-vsw72
m(#:23;&
;''0 !
oLFfTKCP^^lrMC^_\SBlw_GD
aJIN$E*
VYTUCLBZS[
aCVVBGjK$
;RaG}0;&g
3LR)9k$
90"7#0
ulip%3	3)4!n
7;0093%vH(/8
XtUFX[U
x-u{sa1%
;1!!*>aCF	]mE
c_^V[C
KJl/Y^T_GClsW^P
UBlcXU\\
`xlDWB
WmYVsFQPG^q!
	]sUVUHU
~[D.Q]GT#K`
36!NMRRIFEuU
U@oP\ER{R_U
cUP_MXP^
NA}Y@C
0QpH2;&7167MI~}
l~#Vo]E_M`VX^DuQ^TVKD
HUuVD_PIF	
[91v~kqbfg
oE[CEKI
bRR|BU@}VIgTu
0;'7=N
_VDlgY
TM[Q84<
Bl}WWBV<
T:&"nbf
WyWsEV^UBfXTS
+essucc
Z\@rIDTD1GXW
y\\I|U
WR@KOGjIN4(
,MoM]C@M@
^G4<077*q
qF[kMoM
o:rKBFnInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USE:
 "]CdCL(
oftwaj
Microsoft\Windows|
rrentVersion\ExplorerVMou
b-"612
e"d"0984",jrm
)rqsy"
dwOqe-Key
Q `"1M
m9Qw$6
"2019091
75320.630","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Data"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->0x000000f4","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.630","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f0","lpj@(:&
pZ\U\K
SYK5OG
zVUR6wc *='GBV
pGMUP^
vo7> '; cp
D\V^W;
M]Ilyl+
R_BTUB
C@_CYDY_^
lhQ]\DMU
BPQKKJ
ZG!!* $?~C@KEB
Y]@_@DYLX_B
YRLKS_\_B
dYK^JI
~e~scS][SjlU
CZCY@C
xKAC400l,=5KBKD
oQBB_G9VCZK
6>(,>t&?C~y
V]MKN-K
CBIf"%-&!xEN
W_	WNI
y^UEIQP_(PbI
oR\QVI
[^^DQR
DVGTWD
iV\CBI
R^C_Qu
CLLw '
oP\YLG
TKU[BCXKY_
LCL-GL
xR^M7  76l'CN
uE___9>*bcl4lnj ;='my}FETRL7
(%TRB_VQZ
C`C-~C@WTM
QSEFKBE;Z
}19"-.ssJ^GD
nFM}*KV
PQACW&
0:-7,=&G
+$(v* pa
 6$0''`afHM
W7JU0F
oz'*3moFET
ISK@BJHWP]EX
]5Q-cLTURMU]
VL6L@[r
;NCU61c7*s7M[LNCC
WV_MTB
AIBME*MCE 
4:,$h?:LG
]<%j(>ZDKKS
zo@mX^TU
3KZG|7*-j2=Q[GBVGN
U^}yqJ
PMH[vYC
B[xe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f6","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f6","lpSubKey->CurVer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f2","hKey->0x000000f6","lpSubKey->(null)"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.640","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->DontShowSuperHidden"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000f4","lpSubKey->(null)"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hK(#
>3x004000
lpValue
ame->ShellState"
"20190910075320.6
RCV_FCA
SUCCESS
"2019`|10|663
Vk50","612
,-InmvMe
."1984
"rewist2z","
eg_pen[eyAxW"-"FAMLURE",""\$hKuy-
OE[_LOCA\_MQCHINU",2lpSubKuy->SoftwareX}jcZosof
fows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612"
 HeLpMe.uxe*."1984","registry","RegOpene
W",NzVCCUSS"
!0x 00000f8","hKey
>H+k=>74RRE~
Q",2lpS5aKey->Software
pen$Uersion\Polici%s\
"20190tbfrax
jzy0","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ForceActiveDesktopOn"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoActiveDesktop"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\System"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoWebView"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->ClassicShell"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->SeparateProcess"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoNetCrawling"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->NoSimpleStartMenu"
"20190910075320.650","612","HelpMe.exe","1984","registry","RegOpenKey
I>_FG Qt:=V/@;VTF,P
kDB >_a
N#UP-J*
=Q=)<V
DjH76kD	
5,555S#
<V#Ev^=s-
"9S	6?H|Y>D3
vKgEhV
hH?JhD,"1994*,
l$ghs|r
=m"SeoQ
z3yWadu$e9W#,*S
ERS*,3
m"oKmyF
'8/,*lJu lueNa,Fl>Eoft
Q$tuyXa-Lc
q90087l
s0/6=0
	c602*,{n$lqMm.
^$"-"99a
c,#rmg
T5rx"$"
M&Qtezy
I-udEpW{
cSTCKE
zc,#"$"
a$y,>8x0
q010n8[
clqVil
ale%>'D.wHnnoGD1"
x0>180P
m"31:"
	elpMe
W9e%,*1
]2t{y*,
g$gQuerMc lveMxs
CESS"+"*,GQ
	q0708f{cm"
a&4$Ndmm-
(deIco
ys0/6=0Rgc602*,
$luMm.
4$","199yc,#rmg
>5rx"$"m+&Qtezy
/-udEpWMccSTCKE
c,#"$"
$y,>8x0aq010n8
}clqVilE7
31NdtLr
dp91990
ct330&6Zec,#692
ycHdlxM
x$xd"$"1ny4#,*r
0(surq"=z
amumE(
c,#S]C\
x)Kdy%>b#q01080
cc,#lxV
04eGaee
ebVies
mv5320.358"
|w12","
;-pHe&e
:c,"198
}m"seoi=
3y#,*R@
4eExW"
8-?0p0pTq01f0"
F-pWadu#+ md-6F
@Tq18011FWv5228.
Jm"Iedp
oe}e*,0[x84","k
&iwtvy","RegQu_
8VelqeExW","SUd/
c","hOe}->0x00000
y","lpValu`Nim
$rOild1
q90087
q","642*,
$lpMe.#
$"+"99k
5rx"$"
&Qtezy
-udEpW7
cSXCKE
c,"","
$y*>8x
clqVilc
1asa|e`
.cds{"
c27110
w51"$"W
s"-"@e~
c1<8<"
3egist
VelueEx
CCSW","",
qf9"$"
$->NoN
q9<087K
s0.650
c662*,
$"-"99
c,'rmg
5ry","
&OqefK&
LTRM"O
c,#hCe
qf3"$"
ucKmyi
q10011
v5320.
q"/">1
-pMe.eue*,p
x84","+
&ittzy
8Valu%ExW`,"
ILURC"("","h
901080p
s"-"dpk
-udNim
p91990
t330&6
c,#692
cHaltMe.exe","
y4',*rc
(stry"!
ajuaExW",
E ,&","hK3
l>0x002040f2",
1ValueLaie->Br
2eInPlgca"
q025;2
w50","
s"-"@e
c188<"
3efi{tB
c,#Rmg
$nNeqE
c,"FAI
)Kby%>
7`,%lxS
>s91990r8w330&6
?`,#692@<`HblxM
6'xu;n"
!z4%,*r@E+s
efOxe?h'yCxS","SU
n"4x400000fe",EC	e}-:HKEY_CLAS
_TOKT","l
S;-?Fgl
q27.>5cbn"[qp"vb
%:e","1
xv"/"ze
8`,"RegHpmnn ;E8
IKUZE!a`"
o*Ko4o>5x80O~r0fe",
"2SrbCe
[H"3099
ns017=3
gl600*,ARs2","H
2Md.mxeGn"0904
I`rdgasD
;"-"Ze
77esy^a
'EyW*,
D`"-"`K:
o>1x80
Yr0g2*,
2V`l}e
/e,>As
-ruc}t
aH"3099
Us017=3R]l640*,
Xs2#,*H
2Md.mx%Mn"0904
C`rdgas
;"-"Ze
!7esy^a
'EyW*,1!
^`"-"`K5
o>1x80/Dr0o2*,
2Value
/e.>Il
-wExt"
O{0?Nr0
Kq25.>5
n"612"j
:e","1
v")"ze)
1try",w
'gTumr
#lueEx
n"CAAL
	e|-60
r0000fN
n"ip^a?
'Name-d
'v`r[h
r1>011
r")">1
n"Help
leye*,
`FDIDU:
`,"","
'y(>@K
`lpSub
;-?Sgf8
#rd\Ei
-sbf|\%
,dows\:
0r`n|V$
1ion\P'
+cle{\
2lorer
H"7099X
s00753]
l640*,h
s2#,*H
2Md.mxC
n"6904
;")"ZeS
2enKey~
SS","`
r05080
`,"hKe
|HNEQ_@
RENT__
-fuwirQ
6\Vifd'
1\Buzr
6Vdr{i
1\Dxxl^
s97990
`,/692
`HelpM
'xd"$"q
z4#,*r
+surq"l
amumE8
`,#FII
E#,*"l
*Kdy%>
r01080&
`,#lxV
7eOaeem
-pHnaC2
s91990P
w330&6
`,#692r
`HdlxM
'xd"$"B
z4#,*s
6en"$"
 raryA/,*S
:721:0o
r","lp 
.eKaeef
-leautf
r75320.6op%,*6
'.bxm"
'ghs|r
n"WeoO*
,KeyEx6
n"VUKC
","0xV0s010nc
,ah\ei-
HINE"-"lpRubK%pn>Softvaze
F*c{o{oKx
COM3"9
a25110
<s07532q#u61"$"
<q"+"@e
>a108<"
11egist6ja,'Rmg
a&ryVal$q
7a,"hKe
8}0y080P&sfb"$"&g
z&-?Cgm
]-aclmd
I"3099
#r017=3
*m630*,^-r2","H
w3Mc.axe","C'{4J2ardgas
m:")"ZeUe3enKeyxR
SU3CESc","Xx76.d00
>CLBCAUQ.DLL"
"q_^UsXADYX[p]^ZDY\","612aCM$E8
A^WLFM@
I%6ry","RegOpe
xW","SUACES_","J
OCAM_MACHIND
,"lpSubKey->So5
9?icrosoft
R#,"xdlpMe.eze",+198
dgQu%syV1mueDxW","SUBcESS","","hKey-}_
\sQ@DY	
ohklp@
220.660 ,"642",
C>94",
dm"-"LoadLicRaryA","SUCCESSe^CT
"h000","
{+~T1g'
7320.662","512"
 re'kstsy","RegNPenKeyExW","SUC
*<?aCO]
^T0000f
gy->Sofvwarg\ClaRz
40"-"612","IElpMe.exe","198wMCN1
icrosoft\COM3"
"20190910075320.660"
,"Hcl3,
8-!,ArGdJuQryNX"R
COpenJe~E`O2,#SQC
DSST,"0h  01051
#,"6Iey5&HKDYWL
NAC\]NE#,*lxUub
oy-&KofuwAr
UCl7cseg6
)75#"0.76
,"`elpUe.eHe",#1=84","
dgistry","RugOpenKeyExW",
ey->Software\Microsoft\COM3"
}Z201909107@BK
0.660"
L"Help:
D,"198CU[Z
	stryU[
D55CCE[$
VV0001
?>92UTT
R0190A
G@BKB0.667
e","19O
[Uregistr~U[URegOpenKe
2xW","SUCCESS","0x00000134","
exe2,"1
84"-"vegist
y","RegOpen[eyExW","SUCCE
ftware\Clast
0917G@B
20.1AG
D,"9NOC
00007FC4","hK
	->HKEY_LOC
660:,"6
2",#HmlpMe.
ze","1984","segistry","
2HVN6O]S"
Oy?8)mxvxC
,"SUCCESS","0x0000016c","lpFileName->C:\WINDOWS\Registration\R000000000007.clb","dwDesiredAccess->GENERIC_READ"
"20190910075320.660","612","HelpMe.exe","1984","filesystem","ReadFile","SUCCESS","","hFile->0x0000016c","nNumberOfBytesToRead->22512"
"201909100#3320.660","612","HelpYc
e","1984","registj
OpenKeyExW","S
*000016c","h
a[L_MACHINE"
tware\Mic
0190910031
40')"HelpMe.
WgBkstry","RA
yU -"SUCCESwR^M7B)@Btw0YEy1120016c"J
SDEEBVersi
GxmhA^"\::P!U
64220.660"{{`bn}'*
8wwS;"dye","1984
w57r}&z(}F\
~uualAllocEQ
J|T[HT`
bqx00b10000"ja
&+4oUD->612","sz}COmD_IU=O
(pMe.exe","lpA(,8.]J
x00000000","dwSiUT
w>"536","flAllocationTl@X->0x00002000","flProtect->0x00000001"
"20190910075320.6
2",6szEPeFime%>Help
d.exe","lpAderess->0x00
5XXZ.@OH"
e>#d,ufn8[MC"
]bS=++E		x,zh 0|||0x
,"if-K
?<,q?#S)>
N]C(7-D
"i0bab4
t0xex0
0y{0"faI2w190}1001532u.68
"He+pMe
exej,"1'84"e"re
t8y",'Reg
%)nWcyE?W",gSUC@ESSd,"0
0w017a"," Key
>0xy000{16eh,"l
ey-9Inp
tve532"K
"21190~100
"He&pMeRexei,"1
"`"reaist
uer1ValpeEx
"",ihKe
->04000
7(","mpVa"ueN`me-j
icS"rve;32"
"2z190
0|532f.68|","
12"a"He
1v84","registry","RegOpenKeyExW"
AILURE","","hK
000016e","lp
nprocServe
909100753
","HelpM
,"regis
0eyExW",@%%,*2:,HGNOLLhKey->e.ghijtjjS
SubKe1dt
*E&4 `f"
pxsstr"
q80","6
|PZGu\
^De","198
UMNCXl^T
,"RegOpewQ~eX|Q<3
rwCCESS","0w !"#$$!r:,"hKey->0x0789:::h,,"lpSubKey->IlsvjeServer32"
"20190910075320.680","612","HelpMe
aDueNyme-
(numl	"
"2P890910075320.680","612","HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016e","lpSubKey->InprocHandler32"
"20190910075320jr|&fhf
>"HelpMe.exe","1984","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000016!fh
lerX86"
"20190910075320.680","612","HelpMe.exe","1984","registr?dj
y->0x0000016e","lpSubKey->LocalServer32"
"201909100
^jKeyExW","FAILURE","","hKey->0x0000016e",X
#Y)exe","1984","registry","RegOpenKeyEx/ZT
2G:0021401-0000-0000-C000-000000000
MikgQueryValueExW","FAILURE",""
RsvlpMe.exe","1984","regist
>CLSID\{00021401-0000-0000-C
Ia","RegOpenKeyExW","SUCCE
-C000-000000000046}"
4oT","0x0000017e","
vs.exe","1984","regist
_fngModel"
"2019091007532
","0x0000016e","hKey->HKEY_CLASS
"20190910075320.680","612","HelpM
8000016e","lpSubKey->TreatAs"
"20190
7/OpenKeyExW","SUCCESS","0x0000017c","hKey->HK
;Yft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volu
r4"HelpMe.exe","1984","registry","RegOpenKeyExW","SUCCESS","0x00000180
;+,"lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20190910075320.680","612"
-~lpMe.exe","1984","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000180","lpValueName->Generation"
"20190910075320.680","612","He
p{ubKqy->lrivd\Shelle
ZFolderExtensions"
v910075320