Detections

Yara:

AgentTeslaV2

Auto Tasks

#17815: Unpacker

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-30 13:44:11 2020-06-30 13:49:48 337 seconds Show Options Show Log
route = tor
2020-05-13 09:11:36,907 [root] INFO: Date set to: 20200630T13:35:43, timeout set to: 200
2020-06-30 13:35:43,015 [root] DEBUG: Starting analyzer from: C:\tmp52sk_on6
2020-06-30 13:35:43,031 [root] DEBUG: Storing results at: C:\HynUXLZVY
2020-06-30 13:35:43,031 [root] DEBUG: Pipe server name: \\.\PIPE\HSViUUi
2020-06-30 13:35:43,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:35:43,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:35:43,031 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:35:43,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:35:43,062 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:35:43,062 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:35:43,062 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:35:43,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:35:43,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:35:43,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:35:43,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:35:43,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:35:43,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:35:43,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:35:43,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:35:43,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:35:43,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:35:43,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:35:43,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:35:43,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:35:43,187 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:35:43,187 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:35:43,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:35:44,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:35:44,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:35:44,343 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:35:44,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:35:44,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:35:44,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:35:44,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:35:44,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:35:44,359 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:35:44,359 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:35:44,359 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:35:44,359 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:35:44,375 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:35:44,375 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:35:44,375 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:35:44,375 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:35:44,375 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:35:44,375 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:35:44,375 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:35:44,375 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:35:44,656 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:35:44,656 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:35:44,671 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:35:44,671 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:35:44,671 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:35:44,671 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:35:44,687 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:35:44,687 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:35:44,687 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:35:44,687 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:35:44,687 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:35:44,687 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:35:44,687 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:35:44,687 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:35:44,687 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:35:44,687 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:35:44,687 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:35:44,687 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:35:44,687 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:35:44,687 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:35:44,687 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:35:44,703 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:35:44,703 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:35:44,703 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:35:44,703 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:35:44,703 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:35:44,703 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:35:44,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:35:44,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:35:44,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:35:44,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:35:44,734 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe" with arguments "" with pid 556
2020-06-30 13:35:44,734 [lib.api.process] INFO: Monitor config for process 556: C:\tmp52sk_on6\dll\556.ini
2020-06-30 13:35:44,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:35:44,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:35:44,828 [root] DEBUG: Loader: Injecting process 556 (thread 2788) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:35:44,828 [root] DEBUG: Process image base: 0x00940000
2020-06-30 13:35:44,828 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:35:44,828 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:35:44,828 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:35:44,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 556
2020-06-30 13:35:46,828 [lib.api.process] INFO: Successfully resumed process with pid 556
2020-06-30 13:35:46,906 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:35:46,906 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:35:46,921 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 556 at 0x6a4b0000, image base 0x940000, stack from 0x275000-0x280000
2020-06-30 13:35:46,921 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe".
2020-06-30 13:35:46,937 [root] INFO: Loaded monitor into process with pid 556
2020-06-30 13:35:46,937 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:35:46,937 [root] DEBUG: set_caller_info: Adding region at 0x01760000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:35:46,984 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:35:47,000 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1760000
2020-06-30 13:35:47,000 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01760000 size 0x400000.
2020-06-30 13:35:47,031 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_047352130262020 (size 0xffe)
2020-06-30 13:35:47,031 [root] DEBUG: DumpRegion: Dumped stack region from 0x01760000, size 0x1000.
2020-06-30 13:35:47,031 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00180000.
2020-06-30 13:35:47,031 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:35:47,046 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x57ffff
2020-06-30 13:35:47,046 [root] DEBUG: DumpMemory: Nothing to dump at 0x00540000!
2020-06-30 13:35:47,046 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00540000 size 0x40000.
2020-06-30 13:35:47,046 [root] DEBUG: DumpPEsInRange: Scanning range 0x540000 - 0x541000.
2020-06-30 13:35:47,046 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x540000-0x541000.
2020-06-30 13:35:47,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_150015048047352130262020 (size 0xffe)
2020-06-30 13:35:47,078 [root] DEBUG: DumpRegion: Dumped stack region from 0x00540000, size 0x1000.
2020-06-30 13:35:47,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x6BE30000 to global list.
2020-06-30 13:35:47,078 [root] DEBUG: DLL loaded at 0x6BE30000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:35:47,093 [root] DEBUG: DLL unloaded from 0x76970000.
2020-06-30 13:35:47,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x00100000 to global list.
2020-06-30 13:35:47,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x00100000 to global list.
2020-06-30 13:35:47,109 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:35:47,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0FFB0000 for section view with handle 0xdc.
2020-06-30 13:35:47,109 [root] DEBUG: DLL loaded at 0x0FFB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 13:35:47,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E9E0000 for section view with handle 0xdc.
2020-06-30 13:35:47,125 [root] DEBUG: DLL loaded at 0x6E9E0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 13:35:47,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 556, handle 0xfc.
2020-06-30 13:35:47,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x00100000 to global list.
2020-06-30 13:35:47,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x00110000 to global list.
2020-06-30 13:35:47,187 [root] INFO: Disabling sleep skipping.
2020-06-30 13:35:47,187 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 556.
2020-06-30 13:35:47,218 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 556.
2020-06-30 13:35:47,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b8 amd local view 0x05780000 to global list.
2020-06-30 13:35:47,249 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 556.
2020-06-30 13:35:47,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x66080000 to global list.
2020-06-30 13:35:47,265 [root] DEBUG: DLL loaded at 0x66080000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 13:35:47,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x6AEC0000 to global list.
2020-06-30 13:35:47,296 [root] DEBUG: DLL loaded at 0x6AEC0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 13:35:47,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x75CB0000 to global list.
2020-06-30 13:35:47,296 [root] DEBUG: DLL loaded at 0x75CB0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 13:35:47,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x67D80000 to global list.
2020-06-30 13:35:47,343 [root] DEBUG: DLL loaded at 0x67D80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:35:47,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A110000 for section view with handle 0x21c.
2020-06-30 13:35:47,343 [root] DEBUG: DLL loaded at 0x6A110000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:35:47,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x65360000 to global list.
2020-06-30 13:35:47,359 [root] DEBUG: DLL loaded at 0x65360000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:35:47,375 [root] DEBUG: set_caller_info: Adding region at 0x00510000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:35:47,375 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x51ffff
2020-06-30 13:35:47,375 [root] DEBUG: DumpMemory: Nothing to dump at 0x00510000!
2020-06-30 13:35:47,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00510000 size 0x10000.
2020-06-30 13:35:47,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x511000.
2020-06-30 13:35:47,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510000-0x511000.
2020-06-30 13:35:47,406 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_2653714467362130262020 (size 0x51f)
2020-06-30 13:35:47,406 [root] DEBUG: DumpRegion: Dumped stack region from 0x00510000, size 0x1000.
2020-06-30 13:35:47,421 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\system32\uxtheme (0x40000 bytes).
2020-06-30 13:35:47,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x64E60000 to global list.
2020-06-30 13:35:47,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x64B80000 to global list.
2020-06-30 13:35:47,468 [root] DEBUG: DLL loaded at 0x64B80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:35:47,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c amd local view 0x68CB0000 to global list.
2020-06-30 13:35:47,484 [root] DEBUG: DLL loaded at 0x68CB0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-30 13:35:47,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x71160000 to global list.
2020-06-30 13:35:47,500 [root] DEBUG: DLL loaded at 0x71160000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 13:35:47,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05C80000 for section view with handle 0x224.
2020-06-30 13:35:47,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x64440000 for section view with handle 0x22c.
2020-06-30 13:35:47,515 [root] DEBUG: DLL loaded at 0x64440000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-30 13:35:47,531 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:35:47,531 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:35:47,531 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:35:47,546 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x13ffff
2020-06-30 13:35:47,546 [root] DEBUG: DumpMemory: Nothing to dump at 0x00130000!
2020-06-30 13:35:47,546 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00130000 size 0x10000.
2020-06-30 13:35:47,546 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x131000.
2020-06-30 13:35:47,546 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x131000.
2020-06-30 13:35:47,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_2292350407362130262020 (size 0x14)
2020-06-30 13:35:47,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x00130000, size 0x1000.
2020-06-30 13:35:47,578 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 13:35:47,593 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:35:47,593 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:35:47,609 [root] DEBUG: DLL loaded at 0x582F0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-06-30 13:35:47,625 [root] DEBUG: set_caller_info: Adding region at 0x00140000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:35:47,625 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x14ffff
2020-06-30 13:35:47,625 [root] DEBUG: DumpMemory: Nothing to dump at 0x00140000!
2020-06-30 13:35:47,625 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00140000 size 0x10000.
2020-06-30 13:35:47,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x140000 - 0x14a000.
2020-06-30 13:35:47,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x140000-0x14a000.
2020-06-30 13:35:47,656 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_20753681927362130262020 (size 0x94e3)
2020-06-30 13:35:47,656 [root] DEBUG: DumpRegion: Dumped stack region from 0x00140000, size 0xa000.
2020-06-30 13:35:47,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 amd local view 0x740F0000 to global list.
2020-06-30 13:35:47,968 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-30 13:35:47,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x288 amd local view 0x00590000 to global list.
2020-06-30 13:35:48,000 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
2020-06-30 13:35:48,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x284 amd local view 0x00590000 to global list.
2020-06-30 13:35:48,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x294 amd local view 0x005A0000 to global list.
2020-06-30 13:35:48,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:48,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:48,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:48,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:48,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:48,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:48,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:48,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:48,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:48,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:48,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:49,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:49,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:49,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:49,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:49,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:49,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:49,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E00000 for section view with handle 0x294.
2020-06-30 13:35:49,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:49,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E00000 for section view with handle 0x294.
2020-06-30 13:35:49,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:49,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E00000 for section view with handle 0x294.
2020-06-30 13:35:50,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:50,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:50,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:35:50,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:50,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:50,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:35:50,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:35:50,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:50,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:50,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:50,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:50,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:50,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:50,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:51,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:51,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:51,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:51,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:51,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:52,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:52,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:52,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:52,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:52,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:52,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:52,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:52,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:52,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:52,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:52,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:53,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:53,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:53,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:53,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x031A0000 for section view with handle 0x294.
2020-06-30 13:35:53,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:53,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:53,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:53,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:53,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:53,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:35:53,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:53,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:53,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:54,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:54,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:54,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05A50000 for section view with handle 0x294.
2020-06-30 13:35:54,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:54,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:55,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:55,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:55,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:55,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:55,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:55,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:55,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:55,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:55,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:56,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:56,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:56,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:56,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:56,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:56,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:56,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:56,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:56,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:56,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:57,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:57,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:57,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:58,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:58,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:58,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:58,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:58,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:58,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:58,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:58,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:59,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:59,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:35:59,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:59,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08DD0000 for section view with handle 0x294.
2020-06-30 13:35:59,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:59,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08DD0000 for section view with handle 0x294.
2020-06-30 13:35:59,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:59,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08DD0000 for section view with handle 0x294.
2020-06-30 13:35:59,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:35:59,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:59,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:35:59,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:35:59,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:36:00,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:00,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00750000 for section view with handle 0x294.
2020-06-30 13:36:00,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:36:00,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:00,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06070000 for section view with handle 0x294.
2020-06-30 13:36:00,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:00,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x015D0000 for section view with handle 0x294.
2020-06-30 13:36:00,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:00,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:36:00,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:00,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x294.
2020-06-30 13:36:00,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00790000 for section view with handle 0x294.
2020-06-30 13:36:01,015 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:36:01,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a8 amd local view 0x061B0000 to global list.
2020-06-30 13:36:01,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a4 amd local view 0x065F0000 to global list.
2020-06-30 13:36:01,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2ac amd local view 0x00750000 to global list.
2020-06-30 13:36:11,593 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 13:36:11,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c0 amd local view 0x00900000 to global list.
2020-06-30 13:36:11,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00910000 for section view with handle 0x2c0.
2020-06-30 13:36:11,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00920000 for section view with handle 0x2c0.
2020-06-30 13:36:11,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2cc amd local view 0x67BA0000 to global list.
2020-06-30 13:36:12,000 [root] DEBUG: DLL loaded at 0x67BA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-30 13:36:14,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2c4 amd local view 0x06360000 to global list.
2020-06-30 13:36:15,281 [root] DEBUG: set_caller_info: Adding region at 0x02C70000 to caller regions list (ntdll::NtDelayExecution).
2020-06-30 13:36:15,281 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2c7ffff
2020-06-30 13:36:15,296 [root] DEBUG: DumpMemory: Nothing to dump at 0x02C70000!
2020-06-30 13:36:15,296 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02C70000 size 0x10000.
2020-06-30 13:36:15,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c70000 - 0x2c71000.
2020-06-30 13:36:15,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2c70000-0x2c71000.
2020-06-30 13:36:15,328 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_4848122088382130262020 (size 0x591)
2020-06-30 13:36:15,328 [root] DEBUG: DumpRegion: Dumped stack region from 0x02C70000, size 0x1000.
2020-06-30 13:36:21,031 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 13:36:25,390 [root] DEBUG: DLL loaded at 0x744C0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-30 13:36:25,390 [root] DEBUG: DLL loaded at 0x75B60000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-30 13:36:25,453 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Roaming\uZqSwbKtyNUePA.exe
2020-06-30 13:36:25,500 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp
2020-06-30 13:36:25,515 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 13:36:25,515 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-30 13:36:25,531 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:36:25,531 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:36:25,546 [root] DEBUG: DLL loaded at 0x6BF80000: C:\Windows\System32\ieframe (0xaba000 bytes).
2020-06-30 13:36:25,562 [root] DEBUG: DLL loaded at 0x75AD0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-30 13:36:25,562 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:25,562 [root] DEBUG: DLL loaded at 0x75870000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:25,562 [root] DEBUG: DLL loaded at 0x6BF70000: C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:25,578 [root] DEBUG: DLL loaded at 0x75830000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:25,578 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-30 13:36:25,578 [root] DEBUG: DLL loaded at 0x77910000: C:\Windows\system32\normaliz (0x3000 bytes).
2020-06-30 13:36:25,578 [root] DEBUG: DLL loaded at 0x75E40000: C:\Windows\system32\iertutil (0x215000 bytes).
2020-06-30 13:36:25,625 [root] DEBUG: DLL loaded at 0x76530000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-30 13:36:25,625 [root] DEBUG: DLL loaded at 0x75A00000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-06-30 13:36:25,625 [root] DEBUG: DLL loaded at 0x75840000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-06-30 13:36:25,640 [root] DEBUG: DLL unloaded from 0x76B60000.
2020-06-30 13:36:25,640 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\system32\urlmon (0x124000 bytes).
2020-06-30 13:36:25,656 [root] DEBUG: DLL loaded at 0x75AC0000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-30 13:36:25,656 [root] DEBUG: DLL loaded at 0x766D0000: C:\Windows\system32\WININET (0x1c4000 bytes).
2020-06-30 13:36:25,671 [root] DEBUG: DLL loaded at 0x75480000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-30 13:36:25,687 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3192
2020-06-30 13:36:25,687 [lib.api.process] INFO: Monitor config for process 3192: C:\tmp52sk_on6\dll\3192.ini
2020-06-30 13:36:25,703 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:25,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:25,718 [root] DEBUG: Loader: Injecting process 3192 (thread 2564) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,718 [root] DEBUG: Process image base: 0x00AF0000
2020-06-30 13:36:25,718 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,734 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:36:25,734 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,734 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-30 13:36:25,750 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3192, ImageBase: 0x00AF0000
2020-06-30 13:36:25,750 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3192
2020-06-30 13:36:25,750 [lib.api.process] INFO: Monitor config for process 3192: C:\tmp52sk_on6\dll\3192.ini
2020-06-30 13:36:25,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:25,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:25,765 [root] DEBUG: Loader: Injecting process 3192 (thread 2564) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,765 [root] DEBUG: Process image base: 0x00AF0000
2020-06-30 13:36:25,765 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,765 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:36:25,781 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:25,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3192
2020-06-30 13:36:25,843 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:25,843 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:25,843 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:25,859 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:36:25,875 [root] INFO: Loaded monitor into process with pid 3192
2020-06-30 13:36:25,890 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\System32\VERSION (0x9000 bytes).
2020-06-30 13:36:25,890 [root] DEBUG: DLL unloaded from 0x00AF0000.
2020-06-30 13:36:25,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x02810000 to global list.
2020-06-30 13:36:25,906 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\System32\CRYPTBASE (0xc000 bytes).
2020-06-30 13:36:25,921 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3192).
2020-06-30 13:36:25,921 [root] INFO: Stopping Task Scheduler Service
2020-06-30 13:36:26,968 [root] INFO: Stopped Task Scheduler Service
2020-06-30 13:36:27,000 [root] INFO: Starting Task Scheduler Service
2020-06-30 13:36:27,046 [root] INFO: Started Task Scheduler Service
2020-06-30 13:36:27,062 [lib.api.process] INFO: Monitor config for process 836: C:\tmp52sk_on6\dll\836.ini
2020-06-30 13:36:27,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:27,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:27,078 [root] DEBUG: Loader: Injecting process 836 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:27,078 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 964, handle 0xa0
2020-06-30 13:36:27,078 [root] DEBUG: Process image base: 0x00280000
2020-06-30 13:36:27,078 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-30 13:36:27,078 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:36:27,093 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:27,093 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:27,109 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:27,109 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 836 at 0x6a4b0000, image base 0x280000, stack from 0x1527000-0x1530000
2020-06-30 13:36:27,109 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-30 13:36:27,125 [root] INFO: Loaded monitor into process with pid 836
2020-06-30 13:36:27,125 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:36:27,125 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:36:27,125 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:29,125 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:36:29,125 [root] DEBUG: DLL loaded at 0x73E40000: C:\Windows\system32\taskschd (0x7d000 bytes).
2020-06-30 13:36:29,515 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3192
2020-06-30 13:36:29,531 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00AF0000.
2020-06-30 13:36:29,531 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:36:29,531 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00AF0000.
2020-06-30 13:36:29,531 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-06-30 13:36:29,562 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-06-30 13:36:29,562 [root] DEBUG: DLL unloaded from 0x75C80000.
2020-06-30 13:36:29,578 [root] INFO: Process with pid 3192 has terminated
2020-06-30 13:36:29,656 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:29,656 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:29,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:29,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:29,750 [root] DEBUG: Loader: Injecting process 5060 (thread 6104) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:29,750 [root] DEBUG: Process image base: 0x00940000
2020-06-30 13:36:29,750 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:29,781 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:29,781 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:29,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5060
2020-06-30 13:36:29,843 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5060, ImageBase: 0x00940000
2020-06-30 13:36:29,875 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:29,875 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:29,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:29,921 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:29,937 [root] DEBUG: Loader: Injecting process 5060 (thread 6104) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:29,937 [root] DEBUG: Process image base: 0x00940000
2020-06-30 13:36:29,937 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:29,937 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:29,953 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:29,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5060
2020-06-30 13:36:29,968 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 5060 (ImageBase 0x400000)
2020-06-30 13:36:29,968 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:36:29,968 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0470B330.
2020-06-30 13:36:30,031 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x4a200.
2020-06-30 13:36:30,031 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x470b330, SizeOfImage 0x50000.
2020-06-30 13:36:30,031 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,031 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,046 [root] DEBUG: Loader: Injecting process 5060 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,062 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:30,062 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:30,062 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,062 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5060, error: 4294967281
2020-06-30 13:36:30,078 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0461A4D8 (size 0x49800) injected into process 5060.
2020-06-30 13:36:30,140 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_72571234853392130262020 (size 0x49772)
2020-06-30 13:36:30,140 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:36:30,140 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,140 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,171 [root] DEBUG: Loader: Injecting process 5060 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,171 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:30,171 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:30,187 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,187 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5060, error: 4294967281
2020-06-30 13:36:30,187 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0359A644 (size 0x600) injected into process 5060.
2020-06-30 13:36:30,249 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_213766468453392130262020 (size 0x545)
2020-06-30 13:36:30,265 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:36:30,265 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,265 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,265 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,296 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,296 [root] DEBUG: Loader: Injecting process 5060 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,312 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:30,312 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:30,312 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,312 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5060, error: 4294967281
2020-06-30 13:36:30,312 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0359AC50 (size 0x200) injected into process 5060.
2020-06-30 13:36:30,421 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\556_45950873653392130262020 (size 0x9)
2020-06-30 13:36:30,437 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:36:30,437 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,453 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,453 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,500 [root] DEBUG: Loader: Injecting process 5060 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,500 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:30,500 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:30,500 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,500 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5060, error: 4294967281
2020-06-30 13:36:30,500 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,515 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,546 [root] DEBUG: Loader: Injecting process 5060 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,546 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:30,546 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-30 13:36:30,562 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,562 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 5060, error: 4294967281
2020-06-30 13:36:30,562 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0004B76E (process 5060).
2020-06-30 13:36:30,562 [root] INFO: Announced 32-bit process name: l3lFwB83s41.exe pid: 5060
2020-06-30 13:36:30,562 [lib.api.process] INFO: Monitor config for process 5060: C:\tmp52sk_on6\dll\5060.ini
2020-06-30 13:36:30,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:30,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:30,625 [root] DEBUG: Loader: Injecting process 5060 (thread 6104) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,640 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:36:30,640 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:36:30,640 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:36:30,640 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:30,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5060
2020-06-30 13:36:30,656 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:36:30,687 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 556
2020-06-30 13:36:30,687 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:30,687 [root] DEBUG: GetHookCallerBase: thread 2788 (handle 0x0), return address 0x005125BF, allocation base 0x00510000.
2020-06-30 13:36:30,687 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:30,687 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00940000.
2020-06-30 13:36:30,687 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00942000
2020-06-30 13:36:30,718 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:30,734 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5060 at 0x6a4b0000, image base 0x400000, stack from 0x176000-0x180000
2020-06-30 13:36:30,734 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe".
2020-06-30 13:36:30,765 [root] INFO: Loaded monitor into process with pid 5060
2020-06-30 13:36:30,765 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 13:36:30,765 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:36:30,765 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00940000, dumping memory region.
2020-06-30 13:36:30,812 [root] DEBUG: set_caller_info: Adding region at 0x01720000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 13:36:30,812 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-30 13:36:30,828 [root] DEBUG: DLL unloaded from 0x743C0000.
2020-06-30 13:36:30,859 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:36:30,890 [root] DEBUG: DLL unloaded from 0x75C80000.
2020-06-30 13:36:30,890 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1720000
2020-06-30 13:36:30,906 [root] DEBUG: DLL unloaded from 0x744C0000.
2020-06-30 13:36:30,953 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01720000 size 0x400000.
2020-06-30 13:36:30,953 [root] DEBUG: DLL unloaded from 0x0FFB0000.
2020-06-30 13:36:30,953 [root] DEBUG: DumpPEsInRange: Scanning range 0x1720000 - 0x1721000.
2020-06-30 13:36:30,953 [root] DEBUG: DLL unloaded from 0x6BE30000.
2020-06-30 13:36:30,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1720000-0x1721000.
2020-06-30 13:36:31,000 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 556
2020-06-30 13:36:31,031 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-30 13:36:31,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0FFB0000 for section view with handle 0xd0.
2020-06-30 13:36:31,093 [root] DEBUG: DLL loaded at 0x0FFB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 13:36:31,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E9E0000 for section view with handle 0xd0.
2020-06-30 13:36:31,156 [root] DEBUG: DLL loaded at 0x6E9E0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 13:36:31,171 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5060, handle 0xf0.
2020-06-30 13:36:31,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x00560000 to global list.
2020-06-30 13:36:31,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00570000 to global list.
2020-06-30 13:36:31,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 amd local view 0x6A230000 to global list.
2020-06-30 13:36:31,281 [root] DEBUG: DLL loaded at 0x6A230000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 13:36:31,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 amd local view 0x75CB0000 to global list.
2020-06-30 13:36:31,296 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:36:31,312 [root] DEBUG: DLL loaded at 0x75CB0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 13:36:31,359 [root] DEBUG: set_caller_info: Adding region at 0x05AA0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:31,375 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x5abffff
2020-06-30 13:36:31,375 [root] DEBUG: DumpMemory: Nothing to dump at 0x05AA0000!
2020-06-30 13:36:31,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x05AA0000 size 0x20000.
2020-06-30 13:36:31,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x5aa0000 - 0x5ab1000.
2020-06-30 13:36:31,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5aa0000-0x5ab1000.
2020-06-30 13:36:31,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\5060_135871685051362130262020 (size 0x10b0b)
2020-06-30 13:36:31,437 [root] DEBUG: DumpRegion: Dumped stack region from 0x05AA0000, size 0x11000.
2020-06-30 13:36:31,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x66A10000 to global list.
2020-06-30 13:36:31,500 [root] DEBUG: DLL loaded at 0x66A10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 13:36:31,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68C10000 for section view with handle 0x218.
2020-06-30 13:36:31,531 [root] DEBUG: DLL loaded at 0x68C10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 13:36:31,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x63FC0000 to global list.
2020-06-30 13:36:31,546 [root] DEBUG: DLL loaded at 0x63FC0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 13:36:31,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x6E440000 to global list.
2020-06-30 13:36:31,578 [root] DEBUG: DLL loaded at 0x6E440000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 13:36:31,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x05AC0000 for section view with handle 0x21c.
2020-06-30 13:36:31,593 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:36:31,609 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:36:31,609 [root] DEBUG: set_caller_info: Adding region at 0x00590000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:36:31,640 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x59ffff
2020-06-30 13:36:31,640 [root] DEBUG: DumpMemory: Nothing to dump at 0x00590000!
2020-06-30 13:36:31,640 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00590000 size 0x10000.
2020-06-30 13:36:31,656 [root] DEBUG: DumpPEsInRange: Scanning range 0x590000 - 0x591000.
2020-06-30 13:36:31,656 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x590000-0x591000.
2020-06-30 13:36:31,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\5060_1517240051362130262020 (size 0x14)
2020-06-30 13:36:31,718 [root] DEBUG: DumpRegion: Dumped stack region from 0x00590000, size 0x1000.
2020-06-30 13:36:31,734 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 13:36:31,750 [root] DEBUG: set_caller_info: Adding region at 0x005B0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:36:31,750 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x5bffff
2020-06-30 13:36:31,750 [root] DEBUG: DumpMemory: Nothing to dump at 0x005B0000!
2020-06-30 13:36:31,765 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x005B0000 size 0x10000.
2020-06-30 13:36:31,765 [root] DEBUG: DumpPEsInRange: Scanning range 0x5b0000 - 0x5bc000.
2020-06-30 13:36:31,765 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5b0000-0x5bc000.
2020-06-30 13:36:31,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\5060_50513210451362130262020 (size 0xb4e3)
2020-06-30 13:36:31,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x005B0000, size 0xc000.
2020-06-30 13:36:31,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 amd local view 0x67FB0000 to global list.
2020-06-30 13:36:31,859 [root] DEBUG: DLL loaded at 0x67FB0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 13:36:31,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x67DD0000 to global list.
2020-06-30 13:36:31,875 [root] DEBUG: DLL loaded at 0x67DD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-30 13:36:31,937 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:36:31,953 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:36:32,062 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:36:32,078 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-30 13:36:32,093 [root] DEBUG: DLL loaded at 0x6B610000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-30 13:36:32,109 [root] DEBUG: DLL loaded at 0x6AEE0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-30 13:36:32,109 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-30 13:36:32,109 [root] DEBUG: DLL loaded at 0x779C0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-30 13:36:32,125 [root] INFO: Stopping WMI Service
2020-06-30 13:36:32,156 [root] DEBUG: DLL unloaded from 0x6F300000.
2020-06-30 13:36:32,218 [root] DEBUG: set_caller_info: Adding region at 0x6EC50000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:36:32,234 [root] DEBUG: set_caller_info: Calling region at 0x6EC50000 skipped.
2020-06-30 13:36:32,281 [root] DEBUG: set_caller_info: Adding region at 0x6E6A0000 to caller regions list (ntdll::NtCreateEvent).
2020-06-30 13:36:32,281 [root] DEBUG: set_caller_info: Calling region at 0x6E6A0000 skipped.
2020-06-30 13:36:32,296 [root] DEBUG: set_caller_info: Adding region at 0x6D590000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:36:32,296 [root] DEBUG: set_caller_info: Calling region at 0x6D590000 skipped.
2020-06-30 13:36:32,312 [root] DEBUG: set_caller_info: Adding region at 0x6E640000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:36:32,312 [root] DEBUG: set_caller_info: Calling region at 0x6E640000 skipped.
2020-06-30 13:36:34,671 [root] DEBUG: DLL unloaded from 0x6ED30000.
2020-06-30 13:36:34,687 [root] DEBUG: set_caller_info: Adding region at 0x70CC0000 to caller regions list (ntdll::NtClose).
2020-06-30 13:36:34,703 [root] DEBUG: set_caller_info: Calling region at 0x70CC0000 skipped.
2020-06-30 13:36:34,750 [root] INFO: Added new file to list with pid None and path C:\Windows\Temp\fwtsqmfile00.sqm
2020-06-30 13:36:37,187 [root] DEBUG: DLL unloaded from 0x6F300000.
2020-06-30 13:36:37,203 [root] DEBUG: set_caller_info: Adding region at 0x6F1E0000 to caller regions list (ole32::CoCreateInstance).
2020-06-30 13:36:37,203 [root] DEBUG: set_caller_info: Calling region at 0x6F1E0000 skipped.
2020-06-30 13:36:37,218 [root] DEBUG: DLL loaded at 0x73CE0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-30 13:36:37,218 [root] DEBUG: set_caller_info: Adding region at 0x73CE0000 to caller regions list (ole32::CoGetClassObject).
2020-06-30 13:36:37,218 [root] DEBUG: set_caller_info: Calling region at 0x73CE0000 skipped.
2020-06-30 13:36:37,359 [root] DEBUG: set_caller_info: Adding region at 0x6D7F0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-06-30 13:36:37,359 [root] DEBUG: set_caller_info: Calling region at 0x6D7F0000 skipped.
2020-06-30 13:36:37,359 [root] DEBUG: set_caller_info: Adding region at 0x73550000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:36:37,375 [root] DEBUG: set_caller_info: Calling region at 0x73550000 skipped.
2020-06-30 13:36:37,390 [root] DEBUG: set_caller_info: Adding region at 0x6D790000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-30 13:36:37,406 [root] DEBUG: set_caller_info: Calling region at 0x6D790000 skipped.
2020-06-30 13:36:37,421 [root] DEBUG: set_caller_info: Adding region at 0x6E0B0000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-30 13:36:37,421 [root] DEBUG: set_caller_info: Calling region at 0x6E0B0000 skipped.
2020-06-30 13:36:37,421 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-30 13:36:37,437 [root] DEBUG: DLL unloaded from 0x73CE0000.
2020-06-30 13:36:37,437 [root] DEBUG: DLL unloaded from 0x71150000.
2020-06-30 13:36:37,437 [root] DEBUG: DLL unloaded from 0x74C80000.
2020-06-30 13:36:37,453 [root] DEBUG: DLL unloaded from 0x73550000.
2020-06-30 13:36:37,453 [root] DEBUG: DLL unloaded from 0x6E640000.
2020-06-30 13:36:37,453 [root] DEBUG: DLL unloaded from 0x6D590000.
2020-06-30 13:36:37,468 [root] DEBUG: DLL unloaded from 0x6DF50000.
2020-06-30 13:36:37,515 [root] DEBUG: DLL unloaded from 0x70CC0000.
2020-06-30 13:36:37,562 [root] DEBUG: DLL unloaded from 0x6F300000.
2020-06-30 13:36:39,703 [root] INFO: Stopped WMI Service
2020-06-30 13:36:39,968 [lib.api.process] INFO: Monitor config for process 584: C:\tmp52sk_on6\dll\584.ini
2020-06-30 13:36:39,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:40,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:40,015 [root] DEBUG: Loader: Injecting process 584 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:40,015 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2172, handle 0xa0
2020-06-30 13:36:40,031 [root] DEBUG: Process image base: 0x00280000
2020-06-30 13:36:40,031 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-30 13:36:40,031 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:36:40,046 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:40,046 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:40,046 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:40,062 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 584 at 0x6a4b0000, image base 0x280000, stack from 0xf26000-0xf30000
2020-06-30 13:36:40,062 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-06-30 13:36:40,078 [root] INFO: Loaded monitor into process with pid 584
2020-06-30 13:36:40,078 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:36:40,078 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:36:40,093 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:42,093 [root] INFO: Starting WMI Service
2020-06-30 13:36:44,203 [root] INFO: Started WMI Service
2020-06-30 13:36:44,234 [lib.api.process] INFO: Monitor config for process 2756: C:\tmp52sk_on6\dll\2756.ini
2020-06-30 13:36:44,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:36:44,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:36:44,265 [root] DEBUG: Loader: Injecting process 2756 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:44,281 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:36:44,281 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:36:44,296 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:36:44,312 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:36:44,312 [root] INFO: Disabling sleep skipping.
2020-06-30 13:36:44,328 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2756 at 0x6a4b0000, image base 0x280000, stack from 0x6e6000-0x6f0000
2020-06-30 13:36:44,328 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-30 13:36:44,343 [root] INFO: Loaded monitor into process with pid 2756
2020-06-30 13:36:44,359 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:36:44,359 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:36:44,359 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:36:46,468 [root] DEBUG: DLL loaded at 0x6EDB0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-30 13:36:46,468 [root] DEBUG: DLL loaded at 0x6F170000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-30 13:36:46,484 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:36:46,531 [root] DEBUG: DLL loaded at 0x6F1E0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-06-30 13:36:46,531 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-30 13:36:46,531 [root] DEBUG: DLL loaded at 0x6F160000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-06-30 13:36:46,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x003A0000 to global list.
2020-06-30 13:36:46,578 [root] DEBUG: DLL loaded at 0x736D0000: C:\Windows\system32\samcli (0xf000 bytes).
2020-06-30 13:36:46,578 [root] DEBUG: DLL loaded at 0x742D0000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-30 13:36:46,609 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-30 13:36:46,640 [root] DEBUG: DLL loaded at 0x73CE0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-30 13:36:46,656 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 13:36:46,687 [root] DEBUG: DLL loaded at 0x6E6A0000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-06-30 13:36:46,718 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:36:46,734 [root] DEBUG: DLL loaded at 0x6E640000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-06-30 13:36:46,734 [root] DEBUG: DLL loaded at 0x6EC50000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-06-30 13:36:46,750 [root] DEBUG: DLL loaded at 0x6EBF0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-30 13:36:46,750 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-30 13:36:46,750 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-30 13:36:46,765 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-30 13:36:46,781 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-06-30 13:36:46,796 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:36:46,796 [root] DEBUG: DLL loaded at 0x6E0B0000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-06-30 13:36:46,828 [root] DEBUG: DLL loaded at 0x753C0000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-06-30 13:36:46,843 [root] DEBUG: DLL unloaded from 0x753C0000.
2020-06-30 13:36:47,343 [root] DEBUG: DLL loaded at 0x6D7F0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-06-30 13:36:47,343 [root] DEBUG: DLL loaded at 0x6D790000: C:\Windows\system32\NCObjAPI (0xf000 bytes).
2020-06-30 13:36:47,359 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 584, handle 0x2c8.
2020-06-30 13:36:47,375 [root] DEBUG: DLL loaded at 0x6ED50000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-06-30 13:36:47,593 [root] DEBUG: DLL loaded at 0x75700000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-30 13:36:47,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2ec amd local view 0x008B0000 to global list.
2020-06-30 13:36:47,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f0 amd local view 0x6EBB0000 to global list.
2020-06-30 13:36:47,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73560000 for section view with handle 0x2f0.
2020-06-30 13:36:47,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00910000 for section view with handle 0x2f0.
2020-06-30 13:36:47,890 [root] DEBUG: DLL unloaded from 0x0FFB0000.
2020-06-30 13:36:48,000 [root] DEBUG: DLL loaded at 0x71100000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-06-30 13:36:48,062 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-30 13:36:48,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67CA0000 for section view with handle 0x2f0.
2020-06-30 13:36:48,249 [root] DEBUG: DLL loaded at 0x67CA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-06-30 13:36:48,265 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:36:48,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:36:48,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x338 amd local view 0x6F300000 to global list.
2020-06-30 13:36:48,312 [root] DEBUG: DLL loaded at 0x6F300000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-06-30 13:36:50,062 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:36:53,000 [root] DEBUG: set_caller_info: Adding region at 0x6F330000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-30 13:36:53,000 [root] DEBUG: set_caller_info: Calling region at 0x6F330000 skipped.
2020-06-30 13:36:56,265 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:37:00,171 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-30 13:37:00,390 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:37:23,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3d8 amd local view 0x02B30000 to global list.
2020-06-30 13:37:23,765 [root] DEBUG: set_caller_info: Adding region at 0x00650000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 13:37:23,781 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x65ffff
2020-06-30 13:37:23,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x650000 - 0x652000.
2020-06-30 13:37:23,781 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x650000-0x652000.
2020-06-30 13:37:23,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HynUXLZVY\CAPE\5060_11457540643552130262020 (size 0x1996)
2020-06-30 13:37:23,859 [root] DEBUG: DumpRegion: Dumped stack region from 0x00650000, size 0x2000.
2020-06-30 13:37:23,875 [root] DEBUG: DLL loaded at 0x73420000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-30 13:37:23,890 [root] DEBUG: DLL unloaded from 0x75D90000.
2020-06-30 13:37:24,390 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-30 13:37:24,406 [lib.api.process] INFO: Monitor config for process 460: C:\tmp52sk_on6\dll\460.ini
2020-06-30 13:37:24,406 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:37:24,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:37:24,421 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:24,437 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:37:24,437 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:37:24,453 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:37:24,468 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:37:24,468 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:24,468 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 460 at 0x6a4b0000, image base 0x9a0000, stack from 0xb46000-0xb50000
2020-06-30 13:37:24,468 [root] DEBUG: Commandline: C:\Windows\System32\services.exe.
2020-06-30 13:37:24,500 [root] INFO: Loaded monitor into process with pid 460
2020-06-30 13:37:24,500 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:37:24,500 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:37:24,515 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,531 [root] INFO: Announced 32-bit process name: lsass.exe pid: 5956
2020-06-30 13:37:25,531 [lib.api.process] INFO: Monitor config for process 5956: C:\tmp52sk_on6\dll\5956.ini
2020-06-30 13:37:25,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:37:25,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:37:25,578 [root] DEBUG: Loader: Injecting process 5956 (thread 5412) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,578 [root] DEBUG: Process image base: 0x00DD0000
2020-06-30 13:37:25,578 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:37:25,593 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,593 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5956
2020-06-30 13:37:25,593 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-30 13:37:25,609 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5956, ImageBase: 0x00DD0000
2020-06-30 13:37:25,609 [root] INFO: Announced 32-bit process name: lsass.exe pid: 5956
2020-06-30 13:37:25,609 [lib.api.process] INFO: Monitor config for process 5956: C:\tmp52sk_on6\dll\5956.ini
2020-06-30 13:37:25,625 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\PLKciFW.dll, loader C:\tmp52sk_on6\bin\fahIfcz.exe
2020-06-30 13:37:25,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\HSViUUi.
2020-06-30 13:37:25,640 [root] DEBUG: Loader: Injecting process 5956 (thread 5412) with C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,640 [root] DEBUG: Process image base: 0x00DD0000
2020-06-30 13:37:25,656 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,656 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:37:25,656 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\PLKciFW.dll.
2020-06-30 13:37:25,656 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5956
2020-06-30 13:37:25,656 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5956.
2020-06-30 13:37:25,671 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:37:25,687 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:37:25,687 [root] INFO: Disabling sleep skipping.
2020-06-30 13:37:25,687 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:37:25,703 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5956 at 0x6a4b0000, image base 0xdd0000, stack from 0x1f6000-0x200000
2020-06-30 13:37:25,703 [root] DEBUG: Commandline: C:\Windows\System32\lsass.exe.
2020-06-30 13:37:25,718 [root] INFO: Loaded monitor into process with pid 5956
2020-06-30 13:37:30,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:37:30,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3e8 amd local view 0x00920000 to global list.
2020-06-30 13:37:30,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3e4 amd local view 0x00930000 to global list.
2020-06-30 13:37:30,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00920000 for section view with handle 0x3e4.
2020-06-30 13:37:30,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00930000 for section view with handle 0x3e8.
2020-06-30 13:37:30,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3f4 amd local view 0x00920000 to global list.
2020-06-30 13:37:30,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3ec amd local view 0x00920000 to global list.
2020-06-30 13:37:30,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:37:55,671 [root] INFO: Process with pid 5956 has terminated
2020-06-30 13:38:10,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:38:12,046 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:38:12,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:38:12,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x400 amd local view 0x00920000 to global list.
2020-06-30 13:38:12,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x434 amd local view 0x6BBE0000 to global list.
2020-06-30 13:38:12,656 [root] DEBUG: DLL loaded at 0x6BBE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\525efaf5640ad98a0c52aa43658767b9\System.Security.ni (0xcf000 bytes).
2020-06-30 13:38:12,765 [root] DEBUG: DLL loaded at 0x758D0000: C:\Windows\system32\crypt32 (0x122000 bytes).
2020-06-30 13:38:12,765 [root] DEBUG: DLL loaded at 0x75810000: C:\Windows\system32\MSASN1 (0xc000 bytes).
2020-06-30 13:38:44,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x40c amd local view 0x6A130000 to global list.
2020-06-30 13:38:44,906 [root] DEBUG: DLL loaded at 0x6A130000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-30 13:39:06,859 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:39:06,859 [lib.api.process] ERROR: Failed to open terminate event for pid 556
2020-06-30 13:39:06,859 [root] INFO: Terminate event set for process 556.
2020-06-30 13:39:06,859 [lib.api.process] INFO: Terminate event set for process 836
2020-06-30 13:39:06,937 [root] DEBUG: Terminate Event: Attempting to dump process 836
2020-06-30 13:39:06,984 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00280000.
2020-06-30 13:39:11,906 [lib.api.process] INFO: Termination confirmed for process 836
2020-06-30 13:39:11,906 [root] INFO: Terminate event set for process 836.
2020-06-30 13:39:11,906 [lib.api.process] INFO: Terminate event set for process 5060
2020-06-30 13:39:12,843 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:39:12,906 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00280000.
2020-06-30 13:39:16,906 [lib.api.process] INFO: Termination confirmed for process 5060
2020-06-30 13:39:16,906 [root] INFO: Terminate event set for process 5060.
2020-06-30 13:39:16,906 [lib.api.process] INFO: Terminate event set for process 584
2020-06-30 13:39:18,843 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002104.
2020-06-30 13:39:20,125 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00280000.
2020-06-30 13:39:20,140 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5200.
2020-06-30 13:39:21,906 [lib.api.process] INFO: Termination confirmed for process 584
2020-06-30 13:39:21,906 [root] INFO: Terminate event set for process 584.
2020-06-30 13:39:21,953 [lib.api.process] INFO: Terminate event set for process 2756
2020-06-30 13:39:26,843 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:39:26,890 [root] DEBUG: Terminate Event: Shutdown complete for process 836 but failed to inform analyzer.
2020-06-30 13:39:26,984 [lib.api.process] INFO: Termination confirmed for process 2756
2020-06-30 13:39:26,984 [root] INFO: Terminate event set for process 2756.
2020-06-30 13:39:26,984 [lib.api.process] INFO: Terminate event set for process 460
2020-06-30 13:39:31,984 [lib.api.process] INFO: Termination confirmed for process 460
2020-06-30 13:39:31,984 [root] INFO: Terminate event set for process 460.
2020-06-30 13:39:31,984 [root] INFO: Created shutdown mutex.
2020-06-30 13:39:32,906 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5060.
2020-06-30 13:39:32,906 [root] DEBUG: Terminate Event: Attempting to dump process 2756
2020-06-30 13:39:32,984 [root] INFO: Shutting down package.
2020-06-30 13:39:32,984 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:39:38,015 [root] DEBUG: Terminate Event: Attempting to dump process 460
2020-06-30 13:39:38,093 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3704, ImageBase: 0x00FD0000
2020-06-30 13:39:38,140 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3f000.
2020-06-30 13:39:38,156 [root] DEBUG: Terminate Event: Shutdown complete for process 460 but failed to inform analyzer.
2020-06-30 13:39:38,203 [lib.common.results] WARNING: File C:\HynUXLZVY\bin\procmon.xml doesn't exist anymore
2020-06-30 13:39:38,203 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:39:38,218 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:39:38,406 [root] DEBUG: DLL loaded at 0x73430000: C:\Windows\system32\tschannel (0x8000 bytes).
2020-06-30 13:39:38,531 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3460, ImageBase: 0x00FD0000
2020-06-30 13:39:38,656 [root] WARNING: Folder at path "C:\HynUXLZVY\debugger" does not exist, skip.
2020-06-30 13:39:38,671 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-06-30 13:44:11 2020-06-30 13:49:48

File Details

File Name l3lFwB83s41
File Size 512000 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-30 03:50:23
MD5 aa250511bf99e715a6b37fc643f355d8
SHA1 4ee5f574ed4c49a269d257e353baf736e50210d2
SHA256 fd512bcb35f6f9b41f33ec961e46e3b80a774d8038a03abb1b693064a84f8f1a
SHA512 c1df88c46297ddd410dbcc874f6c43c396650e5e596e1fd246aea22ec2a2a4f8553ebed4a24a5aae511f082d8c5343c0511389c945d7eb4effcd190b66b014b9
CRC32 F7A79EDD
Ssdeep 12288:g1cWFUkk+EJqyQtmoq2NDTpnuYXOGOYO:S50Foq29Tp0GO
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 556 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 556 trigged the Yara rule 'embedded_win_api'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: l3lFwB83s41.exe tried to sleep 672.975 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFamilyFromName
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: USER32.dll/GetIconInfo
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: USER32.dll/CopyImage
DynamicLoader: USER32.dll/LoadCursor
DynamicLoader: USER32.dll/LoadCursorW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: gdiplus.dll/GdipGetFamilyName
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetMapMode
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextExWW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: KERNEL32.dll/Wow64SetThreadContext
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/Wow64GetThreadContext
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: ntdll.dll/ZwUnmapViewOfSection
DynamicLoader: KERNEL32.dll/CreateProcessA
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SetFileAttributes
DynamicLoader: KERNEL32.dll/SetFileAttributesW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaLookupNames2
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/DestroyIcon
DynamicLoader: USER32.dll/DestroyCursor
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: pcwum.dll/PerfDeleteInstance
DynamicLoader: pcwum.dll/PerfStopProvider
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: PROPSYS.dll/PropVariantToVariant
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: wbemcore.dll/Shutdown
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: kernel32.dll/RegDeleteValueW
DynamicLoader: tschannel.dll/DllGetClassObject
DynamicLoader: tschannel.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: KERNEL32.dll/GetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/SetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetSystemDefaultLocaleName
DynamicLoader: fastprox.dll/DllGetClassObject
DynamicLoader: fastprox.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsLookupClrGuid
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: MSCOREE.DLL/GetTokenForVTableEntry
DynamicLoader: MSCOREE.DLL/SetTargetForVTableEntry
DynamicLoader: MSCOREE.DLL/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: KERNEL32.dll/GetLastError
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/FindFirstFile
DynamicLoader: KERNEL32.dll/FindFirstFileW
DynamicLoader: KERNEL32.dll/FindClose
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: KERNEL32.dll/GetSystemTimeAsFileTime
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetDynamicTimeZoneInformation
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/GetFileMUIPath
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: KERNEL32.dll/FreeLibraryW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: KERNEL32.dll/FindNextFile
DynamicLoader: KERNEL32.dll/FindNextFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/ZeroMemory
DynamicLoader: KERNEL32.dll/ZeroMemoryA
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: crypt32.dll/CryptUnprotectData
DynamicLoader: crypt32.dll/CryptUnprotectDataW
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: cryptbase.dll/SystemFunction041
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SetClipboardViewerW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleGetClipboard
DynamicLoader: KERNEL32.dll/GlobalLock
DynamicLoader: KERNEL32.dll/GlobalUnlock
DynamicLoader: KERNEL32.dll/GlobalFree
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowsHookEx
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
A process created a hidden window
Process: l3lFwB83s41.exe -> schtasks.exe
Process: l3lFwB83s41.exe -> C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe
CAPE extracted potentially suspicious content
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: AgentTeslaV2 Payload: 32-bit executable
l3lFwB83s41.exe: AgentTeslaV2
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: Injected Shellcode/Data
l3lFwB83s41.exe: Unpacked Shellcode
l3lFwB83s41.exe: AgentTeslaV2 Payload
l3lFwB83s41.exe: AgentTeslaV2
l3lFwB83s41.exe: Injected Shellcode/Data
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.62, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0007c400, virtual_size: 0x0007c378
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZqSwbKtyNUePA" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp"
command: schtasks.exe /Create /TN "Updates\uZqSwbKtyNUePA" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: l3lFwB83s41.exe(556) -> l3lFwB83s41.exe(5060)
Executed a process and injected code into it, probably while unpacking
Injection: l3lFwB83s41.exe(556) -> l3lFwB83s41.exe(5060)
Sniffs keystrokes
SetWindowsHookExW: Process: l3lFwB83s41.exe(5060)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 2667609 times
Steals private information from local Internet browsers
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
file: C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
CAPE detected the AgentTeslaV2 malware family
Creates a copy of itself
copy: C:\Users\Rebecca\AppData\Roaming\uZqSwbKtyNUePA.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
Harvests information related to installed mail clients
file: C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Screenshots


Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe.config
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\xZPefPbCCp\*
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xZPefPbCCp.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xZPefPbCCp.resources\xZPefPbCCp.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\xZPefPbCCp.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\xZPefPbCCp.resources\xZPefPbCCp.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xZPefPbCCp.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xZPefPbCCp.resources\xZPefPbCCp.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\xZPefPbCCp.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\xZPefPbCCp.resources\xZPefPbCCp.resources.exe
C:\Windows\Fonts\staticcache.dat
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\Cyrus.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\Cyrus.resources\Cyrus.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\Cyrus.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\Cyrus.resources\Cyrus.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\Cyrus.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\Cyrus.resources\Cyrus.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\Cyrus.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\Cyrus.resources\Cyrus.resources.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Rebecca\AppData\Roaming\uZqSwbKtyNUePA.exe
C:\Users\Rebecca\AppData\Roaming\
C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp
\??\MountPointManager
\Device\KsecDD
C:\Windows\System32\Tasks
C:\Windows\System32\Tasks\*
C:\Windows\System32\Tasks\AutoKMS
C:\Windows\System32\Tasks\Updates\uZqSwbKtyNUePA
C:\Windows\System32\Tasks\Updates
C:\Windows\System32\Tasks\Updates\
C:\Windows\Temp\fwtsqmfile00.sqm
C:\Windows\Temp
C:\Windows\assembly\NativeImages_v4.0.30319_32\UWGGvjFDgGGaa53ba4d#\*
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v4.0.30319\OLEAUT32.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
C:\%insfolder%\%insname%
C:\Users\Rebecca\AppData\Local\CocCoc\Browser\User Data
C:\Users\Rebecca\AppData\Local\Amigo\User Data
C:\Users\Rebecca\AppData\Local\Elements Browser\User Data
C:\Users\Rebecca\AppData\Local\Vivaldi\User Data
C:\Users\Rebecca\AppData\Local\7Star\7Star\User Data
C:\Users\Rebecca\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Rebecca\AppData\Local\Chedot\User Data
C:\Users\Rebecca\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Rebecca\AppData\Local\Comodo\Dragon\User Data
C:\Users\Rebecca\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Rebecca\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Rebecca\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Rebecca\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Rebecca\AppData\Local\CentBrowser\User Data
C:\Users\Rebecca\AppData\Local\Chromium\User Data
C:\Users\Rebecca\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Rebecca\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Rebecca\AppData\Local\Torch\User Data
C:\Users\Rebecca\AppData\Local\Iridium\User Data
C:\Users\Rebecca\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Storage\
C:\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Rebecca\AppData\Roaming\Claws-mail
C:\Users\Rebecca\AppData\Roaming\Claws-mail\clawsrc
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Local\UCBrowser\*
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Local\Temp\Folder.lst
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Local\Microsoft\Edge\User Data
C:\Users\Rebecca\AppData\Local\Temp\vaultcli.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\*
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\525efaf5640ad98a0c52aa43658767b9\System.Security.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\525efaf5640ad98a0c52aa43658767b9\System.Security.ni.dll.aux
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Local State
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\crypt32.dll
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\logins.json
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\signons.sqlite
C:\Program Files\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Rebecca\AppData\Roaming\Pocomail\accounts.ini
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe.config
C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp
\Device\KsecDD
C:\Windows\Temp\fwtsqmfile00.sqm
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Users\Rebecca\AppData\Roaming\Postbox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Rebecca\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\525efaf5640ad98a0c52aa43658767b9\System.Security.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\525efaf5640ad98a0c52aa43658767b9\System.Security.ni.dll
C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Users\Rebecca\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Rebecca\AppData\Roaming\uZqSwbKtyNUePA.exe
C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp
C:\Windows\Temp\fwtsqmfile00.sqm
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\l3lFwB83s41.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
\x6810\x17cEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\l3lFwB83s41.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\45E302F7
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|l3lFwB83s41.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|l3lFwB83s41.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|l3lFwB83s41.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
\x24a0\x18cEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\uZqSwbKtyNUePA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\uZqSwbKtyNUePA\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\uZqSwbKtyNUePA\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\DynamicInfo
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\EnableFileTracing
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\FileTracingMask
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\EnableConsoleTracing
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\ConsoleTracingMask
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\MaxFileSize
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\FileDirectory
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000C-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000c-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000c-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\ESS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PreviousServiceShutdown
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\winmgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{E5CCCA15-2DA5-4066-80A1-85AC8C5EF079}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{E5CCCA15-2DA5-4066-80A1-85AC8C5EF079}\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{17BFF8AC-42F9-42D0-B89D-F65BF66ADB95}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\ProfileImagePath
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Environment
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Volatile Environment
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Volatile Environment\0
\x4038\x184EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Tracing\WMI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\software\microsoft\wbem\cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/subscription
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\minint
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
\x6810\x17cEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\45E302F7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
\x24a0\x18cEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\DynamicInfo
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\EnableFileTracing
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\FileTracingMask
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\EnableConsoleTracing
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\ConsoleTracingMask
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\MaxFileSize
\xaad0\x371EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IpHlpSvc\FileDirectory
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000000c-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{E5CCCA15-2DA5-4066-80A1-85AC8C5EF079}\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002\ProfileImagePath
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-479431668-4257340731-3059248302-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
\x4038\x184EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\uZqSwbKtyNUePA\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\uZqSwbKtyNUePA\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15F462BB-5778-4495-8311-8BDA84553AC0}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PreviousServiceShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{987A7D63-4169-466C-AB80-45D77E9611A1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{E5CCCA15-2DA5-4066-80A1-85AC8C5EF079}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6BA5162-00C9-46A2-BF12-795F2A4764AA}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{17BFF8AC-42F9-42D0-B89D-F65BF66ADB95}
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.GetFullPathNameW
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.CompareStringOrdinal
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
ntdll.dll.NtQuerySystemInformation
kernel32.dll.GetFileAttributesExW
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
bcrypt.dll.BCryptGetFipsAlgorithmMode
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
user32.dll.GetSystemMetrics
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.WideCharToMultiByte
kernel32.dll.LoadLibraryExW
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateFontFamilyFromName
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegEnumValueW
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipGetFontSize
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
user32.dll.GetDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegQueryInfoKeyW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipDeleteFont
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.GetSysColor
oleaut32.dll.OleCreatePictureIndirect
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
user32.dll.GetIconInfo
gdi32.dll.DeleteObject
user32.dll.CopyImage
user32.dll.LoadCursorW
kernel32.dll.ResolveLocaleName
gdi32.dll.GetDeviceCaps
user32.dll.CreateIconFromResourceEx
gdiplus.dll.GdipGetFamilyName
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetMapMode
gdi32.dll.GetTextMetricsW
user32.dll.DrawTextExW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegQueryValueExA
gdi32.dll.GetTextFaceAliasW
cryptsp.dll.CryptGetProvParam
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptEncrypt
ole32.dll.CoCreateGuid
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptReleaseContext
kernel32.dll.LoadLibraryA
kernel32.dll.ResumeThread
kernel32.dll.Wow64SetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.GetThreadContext
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.ReadProcessMemory
ntdll.dll.ZwUnmapViewOfSection
kernel32.dll.CreateProcessA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CopyFileW
advapi32.dll.GetUserNameW
kernel32.dll.SetFileAttributesW
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupNames2
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.WriteFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
ole32.dll.CoWaitForMultipleHandles
kernel32.dll.DeleteFileW
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
advapi32.dll.EventUnregister
user32.dll.IsWindow
user32.dll.DestroyWindow
gdiplus.dll.GdipDisposeImage
gdi32.dll.RestoreDC
gdi32.dll.DeleteDC
user32.dll.DestroyIcon
user32.dll.DestroyCursor
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.QueryActCtxW
sspicli.dll.GetUserNameExW
pcwum.dll.PerfDeleteInstance
pcwum.dll.PerfStopProvider
propsys.dll.PropVariantToVariant
ole32.dll.CoDisconnectObject
wbemcore.dll.Shutdown
ole32.dll.CoUninitialize
kernel32.dll.RegDeleteValueW
tschannel.dll.DllGetClassObject
tschannel.dll.DllCanUnloadNow
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
cryptsp.dll.CryptCreateHash
ole32.dll.CreateBindCtx
ole32.dll.MkParseDisplayName
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
ole32.dll.BindMoniker
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
sxs.dll.SxsLookupClrGuid
oleaut32.dll.#9
oleaut32.dll.#4
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
mscoreei.dll.GetTargetForVTableEntry
kernel32.dll.GetLastError
kernel32.dll.CreateEventW
kernel32.dll.SetEvent
ole32.dll.IIDFromString
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
oleaut32.dll.#500
oleaut32.dll.#149
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
kernel32.dll.GetComputerNameW
kernel32.dll.GetEnvironmentVariableW
oleaut32.dll.#200
ntdll.dll.NtQueryInformationThread
kernel32.dll.CreateWaitableTimerExW
kernel32.dll.SetWaitableTimerEx
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptExportKey
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetDynamicTimeZoneInformation
kernel32.dll.GetFileMUIPath
kernel32.dll.FreeLibrary
user32.dll.LoadStringW
user32.dll.GetLastInputInfo
kernel32.dll.FindNextFileW
oleaut32.dll.#204
oleaut32.dll.#203
oleaut32.dll.#179
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
crypt32.dll.CryptUnprotectData
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.NdrClientCall2
cryptbase.dll.SystemFunction041
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
user32.dll.SetClipboardViewer
ole32.dll.OleInitialize
ole32.dll.OleGetClipboard
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalFree
user32.dll.SendMessageW
user32.dll.SetWindowsHookExW
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
oleaut32.dll.#6
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.StringFromCLSID
oleaut32.dll.#7
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegSetValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoRevertToSelf
sspicli.dll.LogonUserExExW
ole32.dll.CoGetCallContext
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoSwitchCallContext
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZqSwbKtyNUePA" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp"
schtasks.exe /Create /TN "Updates\uZqSwbKtyNUePA" /XML "C:\Users\Rebecca\AppData\Local\Temp\tmpB048.tmp"
"C:\Users\Rebecca\AppData\Local\Temp\l3lFwB83s41.exe"
taskeng.exe {E5CCCA15-2DA5-4066-80A1-85AC8C5EF079} S-1-5-18:NT AUTHORITY\System:Service:
taskeng.exe {17BFF8AC-42F9-42D0-B89D-F65BF66ADB95} S-1-5-21-479431668-4257340731-3059248302-1002:Rebecca-PC\Rebecca:Interactive:[1]
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
VaultSvc

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x0047e372 0x00000000 0x000874ee 4.0 2020-06-30 03:50:23 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x0007c378 0x0007c400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.62
.rsrc 0x0007c600 0x00080000 0x00000680 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.61
.reloc 0x0007ce00 0x00082000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00080090 0x000003ee LANG_NEUTRAL SUBLANG_NEUTRAL 3.42 None
RT_MANIFEST 0x00080490 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name xZPefPbCCp
Version 1.32.0.5

Assembly References

Name Version
mscorlib 4.0.0.0
System.Windows.Forms 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute Spec
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute Speccy is the place to start if you need to know what\x2019s inside your P
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Piriform L
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute Spec
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 2005-2018 Piriform L
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 5D7C8531-56C4-4049-99A0-24225ECBE2
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.32.0
FieldDef Speccy.LingoNotesAttribute Specifies the resource name of the large image that appears on the screen when the user solves a leve
FieldDef Speccy.LingoNotesAttribute Used in the \x201cFile type\x201d drop-down in the \x201cSave\x201d dialog to refer to text files, i.e. files with the *.txt extensio
FieldDef Speccy.LingoNotesAttribute Used in the \x201cFile type\x201d drop-down in the \x201cSave\x201d dialog to refer to all file
FieldDef Speccy.LingoNotesAttribute Displayed in the main window\x2019s title bar to signify that the current level file has not yet been named (i.e. it has no filename
FieldDef Speccy.LingoNotesAttribute Displayed in the main window\x2019s title bar if the player has not chosen a name ye
FieldDef Speccy.LingoNotesAttribute Displayed when the user clicks \x201cNew comment
FieldDef Speccy.LingoNotesAttribute Displayed when the user clicks \x201cEdit comment
FieldDef Speccy.LingoNotesAttribute Displayed in the status bar while editing a level. See the next two strings for reasons why a level may be invali
FieldDef Speccy.LingoNotesAttribute Button in many dialogs; goes together with the \x201cCancel\x201d button belo
FieldDef Speccy.LingoNotesAttribute Button in many dialogs; goes together with the \x201cOK\x201d button abov
FieldDef Speccy.LingoNotesAttribute Button in dialogs where the user has a choice to save or discard their changes to a level or to the level fil
FieldDef Speccy.LingoNotesAttribute Button in dialogs where the user has a choice to save or discard their changes to a level or to the level fil
FieldDef Speccy.LingoNotesAttribute Button in dialogs where the user has a choice to give up the level they are currently playin
FieldDef Speccy.LingoNotesAttribute Title ba
FieldDef Speccy.LingoNotesAttribute Title ba
FieldDef Speccy.LingoNotesAttribute This is displayed in a box in the About dialog. Please feel free to add a line to credit yourself for your translation wor
FieldDef Speccy.LingoNotesAttribute Title bar of the dialog in which the player can type a nam
FieldDef Speccy.LingoNotesAttribute Main window title ba
FieldDef Speccy.LingoNotesAttribute Describes the main menu ba
FieldDef Speccy.LingoNotesAttribute Describes the toolbar which contains commands for editing a leve
FieldDef Speccy.LingoNotesAttribute Describes the toolbar which contains commands for editing a level fil
FieldDef Speccy.LingoNotesAttribute Describes the toolbar which contains commands for handling level file
FieldDef Speccy.LingoNotesAttribute Describes the toolbar which contains commands for playing the gam

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Object
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
System.Windows.Forms System.Windows.Forms.Form
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.PictureBox
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.TableLayoutPanel
System.Windows.Forms System.Windows.Forms.FlowLayoutPanel
mscorlib System.Version
mscorlib System.EventArgs
System System.ComponentModel.ComponentResourceManager
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.TextBox
mscorlib System.Enum
mscorlib System.Nullable`1
mscorlib System.Exception
mscorlib System.Reflection.Assembly
mscorlib System.Type
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.IComparable`1
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.Collections.Generic.List`1
System.Drawing System.Drawing.Size
mscorlib System.Collections.Generic.Dictionary`2/KeyCollection
mscorlib System.Collections.Generic.Dictionary`2/KeyCollection/Enumerator
System.Windows.Forms System.Windows.Forms.PaintEventArgs
mscorlib System.Attribute
System.Drawing System.Drawing.Point
System System.Collections.Generic.Queue`1
mscorlib System.EventHandler
System.Drawing System.Drawing.Brush
System.Drawing System.Drawing.Pen
System System.Collections.Generic.Stack`1
System.Drawing System.Drawing.Drawing2D.GraphicsPath
mscorlib System.Collections.Generic.List`1/Enumerator
System.Drawing System.Drawing.Rectangle
System.Drawing System.Drawing.RectangleF
System.Drawing System.Drawing.Graphics
System.Drawing System.Drawing.Image
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Windows.Forms System.Windows.Forms.KeyEventArgs
System.Windows.Forms System.Windows.Forms.KeyPressEventArgs
System.Windows.Forms System.Windows.Forms.ListBox
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.DrawItemEventArgs
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.MeasureItemEventArgs
mscorlib System.IO.StreamReader
mscorlib System.IO.StreamWriter
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.SaveFileDialog
System.Windows.Forms System.Windows.Forms.DialogResult
System.Drawing System.Drawing.Bitmap
mscorlib System.DateTime
mscorlib System.Collections.Generic.KeyValuePair`2
mscorlib System.Collections.Generic.Dictionary`2/Enumerator
System.Drawing System.Drawing.PointF
mscorlib System.IEquatable`1
System.Windows.Forms System.Windows.Forms.ToolStrip
System.Windows.Forms System.Windows.Forms.Panel
System.Windows.Forms System.Windows.Forms.ToolStripButton
System.Windows.Forms System.Windows.Forms.MenuStrip
System.Windows.Forms System.Windows.Forms.ToolStripMenuItem
System.Windows.Forms System.Windows.Forms.ToolStripSeparator
System.Windows.Forms System.Windows.Forms.ToolStripContainer
System.Windows.Forms System.Windows.Forms.Splitter
System.Windows.Forms System.Windows.Forms.Timer
System.Windows.Forms System.Windows.Forms.StatusStrip
System.Windows.Forms System.Windows.Forms.ToolStripStatusLabel
System.Windows.Forms System.Windows.Forms.ContextMenuStrip
System.Windows.Forms System.Windows.Forms.FormClosingEventArgs
System.Windows.Forms System.Windows.Forms.OpenFileDialog
mscorlib System.STAThreadAttribute
mscorlib System.Threading.Mutex
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System System.ComponentModel.EditorBrowsableState
System System.ComponentModel.EditorBrowsableAttribute
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.RuntimeTypeHandle
mscorlib System.String
mscorlib System.IO.Path
mscorlib System.Reflection.AssemblyName
System System.Diagnostics.Process
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.Padding
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.ContentAlignment
System.Windows.Forms System.Windows.Forms.AnchorStyles
System.Windows.Forms System.Windows.Forms.Cursors
System.Windows.Forms System.Windows.Forms.Cursor
System.Drawing System.Drawing.SystemColors
System.Windows.Forms System.Windows.Forms.AutoSizeMode
System.Windows.Forms System.Windows.Forms.TableLayoutColumnStyleCollection
System.Windows.Forms System.Windows.Forms.ColumnStyle
System.Windows.Forms System.Windows.Forms.TableLayoutControlCollection
System.Windows.Forms System.Windows.Forms.DockStyle
System.Windows.Forms System.Windows.Forms.TableLayoutRowStyleCollection
System.Windows.Forms System.Windows.Forms.RowStyle
System.Windows.Forms System.Windows.Forms.SizeType
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.FlowDirection
System.Windows.Forms System.Windows.Forms.IButtonControl
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.FormBorderStyle
System.Drawing System.Drawing.Icon
System.Windows.Forms System.Windows.Forms.FormStartPosition
mscorlib System.InvalidOperationException
System.Windows.Forms System.Windows.Forms.ComboBoxStyle
System.Windows.Forms System.Windows.Forms.ListControl
System.Windows.Forms System.Windows.Forms.ButtonBase
mscorlib System.Math
mscorlib System.Double
mscorlib System.Console
mscorlib System.ConsoleKeyInfo
System.Windows.Forms System.Windows.Forms.MessageBox
mscorlib System.MidpointRounding
mscorlib System.Reflection.MethodInfo
mscorlib System.Reflection.MethodBase
mscorlib System.Environment
mscorlib System.Convert
mscorlib System.Int32
System.Windows.Forms System.Windows.Forms.TableLayoutStyleCollection
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Windows.Forms System.Windows.Forms.PaintEventHandler
mscorlib System.Boolean
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Delegate
mscorlib System.Threading.Interlocked
System.Drawing System.Drawing.SolidBrush
System System.Media.SoundPlayer
System.Drawing System.Drawing.Drawing2D.SmoothingMode
System.Drawing System.Drawing.Drawing2D.InterpolationMode
mscorlib System.NotImplementedException
mscorlib System.Threading.Thread
System.Windows.Forms System.Windows.Forms.Keys
System.Windows.Forms System.Windows.Forms.ListBox/ObjectCollection
System.Windows.Forms System.Windows.Forms.MeasureItemEventHandler
System.Windows.Forms System.Windows.Forms.DrawItemEventHandler
System.Windows.Forms System.Windows.Forms.KeyEventHandler
System.Windows.Forms System.Windows.Forms.MouseEventHandler
System.Windows.Forms System.Windows.Forms.DrawMode
System.Windows.Forms System.Windows.Forms.MouseButtons
System System.ComponentModel.Component
System.Windows.Forms System.Windows.Forms.DrawItemState
System.Drawing System.Drawing.Drawing2D.LinearGradientBrush
mscorlib System.Text.Encoding
mscorlib System.IO.TextReader
mscorlib System.IO.TextWriter
System.Windows.Forms System.Windows.Forms.FileDialog
System.Windows.Forms System.Windows.Forms.CommonDialog
mscorlib System.Array
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.Screen
mscorlib System.Char
System.Windows.Forms System.Windows.Forms.ToolStripItem
System.Windows.Forms System.Windows.Forms.Clipboard
System System.ComponentModel.Container
System.Windows.Forms System.Windows.Forms.ToolStripPanel
System.Windows.Forms System.Windows.Forms.ToolStripContentPanel
System.Windows.Forms System.Windows.Forms.ToolStripItemCollection
System.Windows.Forms System.Windows.Forms.ToolStripGripStyle
System.Windows.Forms System.Windows.Forms.CheckState
System.Windows.Forms System.Windows.Forms.ToolStripItemDisplayStyle
System.Windows.Forms System.Windows.Forms.ToolStripItemImageScaling
System.Windows.Forms System.Windows.Forms.ToolStripDropDownItem
System.Windows.Forms System.Windows.Forms.ScrollableControl
mscorlib System.GC

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
"333?"333?o
"333?"333?o
@@Ys)
@@Ys)
@[Yi}
@[Yi}
*BSJB
v4.0.30319
#Strings
#GUID
#Blob
Nullable`1
IComparable`1
IEnumerable`1
IEquatable`1
Queue`1
Stack`1
MenuRadioItem`1
MenuRadioGroup`1
LanguageHelperWinForms`1
List`1
Virtual2DArray`1
delegate1
mnuLevelSep1
mnuOptionsSep1
mnuEditSep1
mnuContextSep1
sepPlay1
Int32
Tuple`2
KeyValuePair`2
Dictionary`2
get_Item2
set_Item2
mnuLevelSep2
mnuOptionsSep2
mnuEditSep2
mnuContextSep2
sepPlay2
mnuLevelSep3
mnuOptionsSep3
mnuEditSep3
mnuContextSep3
get_file4
mnuLevelSep4
mnuOptionsSep4
get_UTF8
<Module>
sPbeA
SQJJkB
kBxRCkpiC
dxfmC
System.Drawing.Drawing2D
replaceF
RectangleF
SizeF
PointF
TxwmehG
phhGK
FHgeNK
btnEditLevelOK
ConfirmOK
Dialogs_btnOK
get_EnglishUK
set_EnglishUK
OYYhK
lblURL
DfGKdjL
System.IO
zEFUlUP
bDPaYBCuR
WWWWWWWWWWWWWWWWWWWWWWWWWW
get_X
inflateX
fromX
get_OriginX
_originX
get_pwnknX
diameterX
shiftX
amountX
get_Y
inflateY
fromY
get_OriginY
_originY
diameterY
shiftY
amountY
value__
get_WorkingArea
ctMainArea
System.Media
levelData
ContainsData
GetData
SetData
get_Magenta
XTenFsfb
FromArgb
mscorlib
System.Collections.Generic
AddArc
YclXVd
VWZNwXd
Thread
PiecePlaced
CloneForSaveThreaded
translationChanged
get_Modified
set_Modified
_modified
get_Checked
set_Checked
Interlocked
DrawImageUnscaled
get_Enabled
set_Enabled
get_SoundEnabled
set_SoundEnabled
_soundEnabled
get_LetteringEnabled
set_LetteringEnabled
set_FormattingEnabled
TranslationEnabled
get_AnimationEnabled
set_AnimationEnabled
_animationEnabled
FileName_Untitled
Mainform_Validity_NotEnclosed
add_LevelActivated
remove_LevelActivated
levelActivated
PieceSelected
PlaySelected
get_Solved
add_LevelSolved
remove_LevelSolved
LevelList_LevelSolved
levelSolved
LevelList_Message_AllSolved
IsSolved
lblStatusSolved
LevelList_JustSolved
mustBeUnsolved
LevelList_Message_NoMoreUnsolved
mnuLevelPreviousUnsolved
PlayFirstUnsolved
mnuLevelNextUnsolved
Mainform_Validity_Valid
addIfValid
<Item2>k__BackingField
<EnglishUK>k__BackingField
<Value>k__BackingField
<DimensionsByRes>k__BackingField
get_Hand
SettingsKind
Mainform_Error_HelpFileNotFound
Round
mainAreaSound
toggleSound
mnuOptionsSound
playSound
tmrBugWorkaround
bugWorkaround
DrawBackground
GetMethod
method
Dialogs_btnDiscard
Standard
Clipboard
forward
thcoMkFce
Replace
EnsureSpace
toggleReachableAreaPiece
mnuOptionsAreaPiece
get_ShowAreaPiece
set_ShowAreaPiece
_showAreaPiece
_selectedPiece
MovePiece
RemovePiece
removePiece
btnEditLevelPiece
TargetUnderPiece
IsPiece
isPiece
selectPiece
SetPiece
setPiece
mnuEditPiece
newMoveSequence
_moveSequence
_pushSequence
cellSequence
drawArrowSequence
sequence
mnuContextHide
GetHashCode
get_KeyCode
set_AutoScaleMode
set_SizeMode
set_AutoSizeMode
PictureBoxSizeMode
set_SmoothingMode
enterEditingMode
get_DesignMode
set_InterpolationMode
set_DrawMode
get_MoveDrawMode
set_MoveDrawMode
_moveDrawMode
get_PushDrawMode
set_PushDrawMode
_pushDrawMode
MenuRadioItemPathDrawMode
MenuRadioGroupPathDrawMode
fromNode
toNode
IsFree
isFree
_cachedImageAge
set_Image
_cachedImage
getScaledImage
FromImage
SokobanImage
CellRectForImage
getImage
DrawImage
get_Message
cmbLanguage
mnuOptionsChangeLanguage
imgLanguage
DefaultLanguage
relaxEdge
AddRange
InsertRange
updatePushPathAfterKeyboardSelectionChange
CompareExchange
EndInvoke
BeginInvoke
IDisposable
get_Visible
set_Visible
set_ScrollAlwaysVisible
Double
RuntimeTypeHandle
GetTypeFromHandle
roundedRectangle
FillRectangle
DrawFocusRectangle
Mainform_InvalidFile
saveLevelFile
Mainform_MessageTitle_OpenLevelFile
openLevelFile
Mainform_MessageTitle_NewLevelFile
newLevelFile
sepToolFile
toolFile
Console
LevelList_Message_AllSolved_Title
LevelList_Message_NextUnsolved_Title
LevelList_Message_PrevUnsolved_Title
Mainform_InvalidFile_Title
LevelList_Message_DeleteLevel_Title
Mainform_NoHighscores_Title
LevelList_Message_CannotSaveSettings_Title
get_Title
EditComment_Title
NewComment_Title
LevelList_Message_Next_Title
LevelList_Message_Prev_Title
get_AssemblyTitle
DockStyle
ColumnStyle
set_DropDownStyle
set_GripStyle
ToolStripGripStyle
set_BorderStyle
set_FormBorderStyle
FontStyle
RowStyle
ComboBoxStyle
set_DisplayStyle
ToolStripItemDisplayStyle
set_Name
LevelSolvedResourceName
get_FileName
Mainform_ChooseName
ProgramName
ChoosePlayerName
GetPlayerName
txtPlayerName
lblProductName
GetName
AssemblyName
GetDirectoryName
LevelFilename
DateTime
Mainform_Validity_CannotSave_btnResume
ReadLine
AddLine
WriteLine
mnuOptionsMoveLine
mnuOptionsPushLine
Combine
MoveFinderOutline
examine
Clone
imageType
SizeType
FormType
GetType
_type
compare
BestMoveScore
BestPushScore
BestSumScore
UpdateHighscore
LevelList_Message_DeleteLevel_Sure
CloseFigure
StartFigure
ctLevelPicture
get_Culture
set_Culture
resourceCulture
SettingsThreadedBase
MethodBase
get_CodeBase
ButtonBase
Close
Dispose
FillEllipse
Truncate
Invalidate
EndUpdate
BeginUpdate
MulticastDelegate
Inflate
get_State
MainAreaState
DebuggerBrowsableState
EditorBrowsableState
set_CheckState
DrawItemState
levelReaderState
LevelListBoxState
_state
LevelList_Message_DeleteLevel_btnDelete
mnuEditDelete
mnuContextDelete
get_White
Write
btnFilePaste
mnuEditPaste
mnuContextPaste
paste
STAThreadAttribute
LingoAutoGeneratedAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
LingoInGroupAttribute
LingoGroupAttribute
LingoNotesAttribute
SettingsAttribute
CompilationRelaxationsAttribute
LingoStringClassAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
priorityQueue
Dequeue
Enqueue
get_Value
set_Value
get_HasValue
defaultValue
value
btnFileSave
mnuLevelSave
Mainform_Validity_CannotSave_btnSave
Dialogs_btnSave
KeepAlive
SelectedLevelActive
mouseMove
Remove
xZPefPbCCp.exe
set_Size
get_CellSize
set_MinSize
set_AutoSize
get_ClientSize
set_ClientSize
clientSize
ISupportInitialize
initialize
_size
add_Resize
levelListPanelResize
resize
set_Tag
System.Threading
set_Padding
MidpointRounding
Encoding
mayDestroyEverything
set_ImageScaling
ToolStripItemImageScaling
Ceiling
Mainform_Status_PiecesRemaining
System.Runtime.Versioning
Mainform_Validity_CannotSave_Warning
getRendering
toggleLettering
MeasureString
ToString
TrString
GetString
DrawString
set_ShortcutKeyDisplayString
Substring
formClosing
disposing
PlayerNameMissing
add_LevelActivating
remove_LevelActivating
levelActivating
Mainform_MessageTitle_FinishEditing
LevelList_Message_DeleteLevel_CurrentlyEditing
LevelList_CurrentlyEditing
System.Drawing
LevelList_Message_DeleteLevel_CurrentlyPlaying
LevelList_CurrentlyPlaying
forceDialog
SaveFileDialog
OpenFileDialog
SaveWithDialog
CommonDialog
ShowDialog
SeDtgWNh
TargetsPiecesMismatch
Refresh
mnuEditFinish
executePush
_editInvalidBrush
SolidBrush
_backgroundBrush
_moveBrush
_pushBrush
_movePathBrush
_pushPathBrush
LinearGradientBrush
AddPath
ValidPath
get_ExecutablePath
LinePath
updatePushPath
clearPushPath
FillPath
SelectorPath
GraphicsPath
DrawPath
_path
get_Width
_cachedWidth
get_CellWidth
_cellWidth
_clientWidth
LevelListWidth
_width
get_Length
_moveLength
_pushLength
PathLength
_pathLength
UpdateWith
nXUmzi
RERgdmj
KDaPYoVk
LoadLevelPack
SaveLevelPack
AsyncCallback
callback
get_Black
get_HotTrack
add_Tick
add_Click
mainAreaClick
add_DoubleClick
doubleClick
okClick
processEditorClick
set_Dock
columnBlank
rowBlank
General
set_Interval
ToolStripStatusLabel
btnEditLevelCancel
Dialogs_btnCancel
mnuEditCancel
System.ComponentModel
get_BottomToolStripPanel
get_ContentPanel
ToolStripContentPanel
TableLayoutPanel
FlowLayoutPanel
get_Level
get_SelectedLevel
EditSelectedLevel
Mainform_ChooseName_SolvedLevel
btnPlayNextUnsolvedLevel
nextUnsolvedLevel
btnPlayPrevUnsolvedLevel
prevUnsolvedLevel
mnuEditCreateLevel
createLevel
btnFileEditDeleteLevel
add_MustSaveLevel
remove_MustSaveLevel
saveLevel
get_ActiveLevel
SelectActiveLevel
setActiveLevel
finishEditingLevel
cancelEditingLevel
get_TrivialLevel
SokobanLevel
Mainform_MessageTitle_OpenLevel
btnPlayOpenLevel
LevelList_Message_NoOtherLevel
SetLevel
setLevel
ToolEditLevel
toolEditLevel
btnFileEditEditLevel
mnuEditEditLevel
editLevel
paintLevel
get_TestLevel
btnPlayNextLevel
nextLevel
mnuLevel
btnPlayPrevLevel
prevLevel
btnFileEditNewLevel
mnuContextNewLevel
playLevel
Mainform_MessageTitle_RetryLevel
retryLevel
_level
CellFromPixel
pixel
congratulateIfAll
btnEditLevelWall
mnuEditWall
SokobanCell
RenderCell
_mouseOverCell
SetCell
setCell
DrawCell
set_AutoScroll
lblStatusNull
get_Tool
set_Tool
MenuRadioItemMainAreaTool
MenuRadioGroupMainAreaTool
LastUsedTool
changeEditingTool
changeEditTool
grpEditTool
_tool
get_Control
ScrollableControl
IButtonControl
ContainerControl
mnuOptionsLetterControl
ListControl
clickUrl
Program
get_Item
set_Item
get_SelectedItem
MayDeleteSelectedItem
add_MeasureItem
measureItem
UndoMoveItem
UndoPushItem
ToolStripDropDownItem
UndoItem
ToolStripItem
AddLevelListItem
RemoveLevelListItem
dummyItemToolStripMenuItem
add_DrawItem
drawItem
System
MovedFrom
MovedPieceFrom
cellFrom
MovedSokobanFrom
pFrom
renderFrom
sFrom
get_Bottom
Confirm
encodedForm
ManagedForm
ChoosePlayerNameForm
HighscoresForm
Mainform
QpaPpZn
resourceMan
toggleReachableAreaSokoban
mnuOptionsAreaSokoban
get_ShowAreaSokoban
set_ShowAreaSokoban
_showAreaSokoban
btnEditLevelSokoban
_cellSeqSokoban
mnuEditSokoban
Boolean
op_LessThan
SetColumnSpan
SetRowSpan
get_MoveLen
_moveLen
get_PushLen
_pushLen
_editInvalidPen
_movePen
_pushPen
_movePathPen
_pushPathPen
_cursorPen
Widen
get_PrimaryScreen
btnFileOpen
mnuLevelOpen
Mainform_Validity_CannotOpen
set_TextAlign
pnlMain
mnuMain
set_Margin
margin
set_Icon
set_ShowIcon
tracePolygon
GetFileNameWithoutExtension
get_Version
lblVersion
get_AssemblyVersion
Application
get_Location
set_Location
ChoosePlayerNameTranslation
HighscoresFormTranslation
MainformTranslation
ContextMenuTranslation
AboutBoxTranslation
translation
toggleAnimation
mnuOptionsAnimation
normalConfirmation
System.Globalization
System.Reflection
TableLayoutColumnStyleCollection
TableLayoutStyleCollection
TableLayoutRowStyleCollection
TableLayoutControlCollection
ToolStripItemCollection
ObjectCollection
KeyCollection
set_FlowDirection
direction
set_StartPosition
FormStartPosition
changeMovePathOption
changePushPathOption
specialOption
MoveFinderOption
changeEndPosOption
caption
NotImplementedException
InvalidLevelException
InvalidOperationException
get_Description
get_AssemblyDescription
get_Button
set_CancelButton
ToolStripButton
set_AcceptButton
Mainform_ChooseName_FirstRun
add_MouseDown
_origMouseDown
mouseDown
origDown
add_KeyDown
mainAreaKeyDown
_origKeyDown
levelListKeyDown
keyDown
reheapifyDown
mnuOptionsMoveNo
mnuOptionsPushNo
MovedTo
MovedPieceTo
CompareTo
cellTo
MovedSokobanTo
renderTo
mnuLevelRedo
_redo
mnuLevelUndo
_undo
MethodInfo
CultureInfo
ConsoleKeyInfo
ctLogo
VXSyjo
WUNmo
xZPefPbCCp
mouseUp
MainArea_Message_GiveUp
Dialogs_btnGiveUp
reheapifyUp
specialHeap
Bitmap
btnEditLevelSep
Sleep
SetClip
set_SizingGrip
ToolStrip
StatusStrip
set_ContextMenuStrip
mnuHelpHelp
mnuHelp
get_Top
set_TabStop
TranslationGroup
TitleBar
toggleStatusBar
mnuOptionsStatusBar
ctStatusBar
DisplayStatusBar
set_ShowInTaskbar
togglePlayingToolbar
mnuOptionsPlayingToolbar
DisplayPlayingToolbar
toggleEditLevelToolbar
mnuOptionsEditLevelToolbar
DisplayEditLevelToolbar
toggleFileEditToolbar
Clear
Mainform_Validity_WrongNumber
StreamReader
TextReader
renderCellAsPartOfCompleteRender
sender
reinitMoveFinder
_moveFinder
PushFinder
_pushFinder
finder
paintBuffer
get_ResourceManager
ComponentResourceManager
other
MouseEventHandler
MeasureItemEventHandler
DrawItemEventHandler
ConfirmEventHandler
PaintEventHandler
KeyEventHandler
System.CodeDom.Compiler
Timer
IContainer
ctMainToolStripContainer
_translationHelper
Renderer
_renderer
StreamWriter
TextWriter
set_Filter
ctLevelListSplitter
get_Silver
SoundPlayer
mnuLevelChangePlayer
changePlayer
ChoosePlayer
oppositeDir
origDownDir
nodeToDir
preferDir
GetDir
getDir
set_Anchor
_solvedColor
get_ForeColor
set_ForeColor
_editingColor
_playingColor
set_BackColor
set_UseVisualStyleBackColor
_neutralColor
set_ImageTransparentColor
Floor
set_Cursor
_predecessor
ToolStripSeparator
IEnumerator
GetEnumerator
.ctor
.cctor
moveKeySelector
saveLevelFileAs
mnuLevelSaveAs
get_Graphics
System.Diagnostics
get_Bounds
get_DimensionsByRes
set_DimensionsByRes
IgnorePieces
ignorePieces
get_RemainingPieces
lblStatusPieces
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
Speccy.ChoosePlayerNameForm.resources
Speccy.HighscoresForm.resources
Speccy.Mainform.resources
Speccy.Properties.Resources.resources
Speccy.AboutBox.resources
stopIfFourSides
DebuggingModes
MainArea_Message_SaveChanges
LevelList_Message_SaveChanges
Mainform_Status_Pushes
get_Pushes
lblStatusPushes
_pushes
Speccy.Properties
Save_FileType_AllFiles
Save_FileType_TextFiles
EnableVisualStyles
get_ColumnStyles
AnchorStyles
get_RowStyles
mnuLevelHighscores
pnlHighscores
Mainform_NoHighscores
mnuContextHighscores
showHighscores
highscores
CloseAllFigures
GetCustomAttributes
GetValues
Mainform_Status_Moves
get_Moves
lblStatusMoves
_moves
_cachedMaxSizes
_cachedRenderings
calculateLetterings
_letterings
LevelList_Message_CannotSaveSettings
ChoosePlayerNameFormSettings
MainFormSettings
HighscoresFormSettings
MouseEventArgs
FormClosingEventArgs
MeasureItemEventArgs
DrawItemEventArgs
ConfirmEventArgs
KeyPressEventArgs
PaintEventArgs
KeyEventArgs
boolsToPaths
Equals
ufANEbls
lstLevels
RenderCells
ClippingRectForCells
_cells
get_Controls
tmrUpdateControls
updateControls
get_Items
RefreshItems
get_DropDownItems
System.Windows.Forms
System.Collections
grpMovePathOptions
grpPushPathOptions
mnuOptions
MouseButtons
lblFlowButtons
mnuOptionsEndPos
get_ShowEndPos
set_ShowEndPos
_showEndPos
initialPos
fromPos
get_SokobanPos
SetSokobanPos
_sokobanPos
nodeToPos
posDirToPos
toPos
_cursorPos
startPos
mnuOptionsFileToolbars
DisplayFileToolbars
get_Chars
threeIntegers
get_Modifiers
_soundPlayers
SystemColors
Cursors
Process
keyPress
lblCredits
components
SetContents
mnuOptionsMoveDots
mnuOptionsPushDots
mnuUnusedCTRLShortcuts
Focus
mnuLevelPrevious
SokobanLevelStatus
mnuOptionsMoveArrows
mnuOptionsPushArrows
get_Keys
set_ShortcutKeys
mnuLevelUnusedHotkeys
mnuOptionsUnusedHotkeys
mnuEditUnusedHotkeys
RemoveAt
Concat
Extract
CellRect
GetObject
object
Deselect
get_Product
get_AssemblyProduct
ShowNextLetterControlSet
showNextLetterControlSet
btnEditLevelTarget
PieceOnTarget
findPieceOrTarget
mnuEditTarget
Offset
get_Left
pnlFlowLeft
get_Shift
get_Right
pnlFlowRight
get_Height
set_Height
set_IntegralHeight
get_CellHeight
_cellHeight
get_ItemHeight
set_ItemHeight
_clientHeight
_height
get_Copyright
lblCopyright
get_AssemblyCopyright
op_Implicit
ToolFileEdit
toolFileEdit
SetLevelEdit
Mainform_Validity_CannotOpen_btnEdit
lblStatusEdit
mnuContextEdit
mnuEdit
EndInit
BeginInit
GraphicsUnit
Mainform_MessageTitle_Exit
mnuLevelExit
get_Alt
SetCompatibleTextRenderingDefault
GetValueOrDefault
IAsyncResult
set_DialogResult
result
_element
btnFileEditAddComment
mnuEditAddComment
addComment
deleteLevelOrComment
mnuContextNewComment
ContentAlignment
Environment
InitializeComponent
get_Transparent
get_Current
add_Paint
paint
IndexFromPoint
get_Font
set_Font
get_Count
set_ColumnCount
set_RowCount
pivot
EditAccept
EditComment_Prompt
NewComment_Prompt
lblPrompt
Start
Insert
ByteConvert
toggleLevelList
pnlLevelList
mnuOptionsLevelList
showLevelList
DisplayLevelList
NewList
btnFileCut
mnuEditCut
mnuContextCut
mnuHelpAbout
helpAbout
SuspendLayout
ResumeLayout
pnlLayout
PerformLayout
input
set_DefaultExt
MoveNext
mnuLevelNext
mnuOptionsLetterControlNext
findPrevNext
PlayNext
System.Text
get_Text
set_Text
ContainsText
GetText
mnuContext
LevelMenu
HelpMenu
OptionsMenu
EditMenu
ContextMenu
PlayPrev
btnFileNew
mnuLevelNew
get_Now
CZKicow
visitedUpArrow
get_Index
set_TabIndex
get_SelectedIndex
set_SelectedIndex
nodeIndex
get_editingIndex
set_editingIndex
get_playingIndex
set_playingIndex
_activeLevelIndex
arrIndex
xIndex
yIndex
_index
Mutex
Mainform_Validity_CannotOpen_Fix
MessageBox
PictureBox
set_MinimizeBox
set_MaximizeBox
ComboBox
LevelListBox
AboutBox
TextBox
ToolPlay
toolPlay
mnuContextPlay
ToArray
FromBase64CharArray
ToCharArray
Speccy
get_Key
ReadKey
ContainsKey
get_Assembly
GetExecutingAssembly
dummy
MayDestroy
btnFileCopy
mnuEditCopy
mnuContextCopy
LastOpenSaveDirectory
set_InitialDirectory
mnuLevelRetry
get_Validity
op_Equality
op_Inequality
Accessibility
get_Empty
IsNullOrEmpty
WrapNonExceptionThrows
Speccy
ISpeccy is the place to start if you need to know what
s inside your PC.
Piriform Ltd
#Copyright
2005-2018 Piriform Ltd
$5D7C8531-56C4-4049-99A0-24225ECBE213
1.32.0.5
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
gSpecifies the resource name of the large image that appears on the screen when the user solves a level.
{Used in the
File type
drop-down in the
dialog to refer to text files, i.e. files with the *.txt extension.
UUsed in the
File type
drop-down in the
dialog to refer to all files.
Displayed in the main window
s title bar to signify that the current level file has not yet been named (i.e. it has no filename).
SDisplayed in the main window
s title bar if the player has not chosen a name yet.
1Displayed when the user clicks
New comment
2Displayed when the user clicks
Edit comment
sDisplayed in the status bar while editing a level. See the next two strings for reasons why a level may be invalid.
IButton in many dialogs; goes together with the
Cancel
button below.
EButton in many dialogs; goes together with the
button above.
oButton in dialogs where the user has a choice to save or discard their changes to a level or to the level file.
^Button in dialogs where the user has a choice to give up the level they are currently playing.
Title bar.
|This is displayed in a box in the About dialog. Please feel free to add a line to credit yourself for your translation work.
<Title bar of the dialog in which the player can type a name.
Main window title bar.
Describes the main menu bar.
BDescribes the toolbar which contains commands for editing a level.
GDescribes the toolbar which contains commands for editing a level file.
GDescribes the toolbar which contains commands for handling level files.
CDescribes the toolbar which contains commands for playing the game.
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
IconData
IconSize
System.Drawing.Size
System.Drawing.Size
width
height
ADER
2}"Jn
90,:9/+D7*%I
T2($`5'"S(
G44{
djj{[qq
bbzz__ww
FFdxRRq
//8;==JX""*1??Nl<<Lm99Jm77Hc
WOC>}
/ACDo
``rQEET4
''3&GG`Y>>WH
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
TVqQ,M,,E,,//8,Lg,,,,AQ,,,,,,,,,,,,,,,,,,,,,,,Ag,,A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ,,,,ABQRQ,TAEDAJqX6l4,,,,,O,AiELAT,AK4,,G,,,,3sw,,g,,,,,,E,g,,Ag,B,,,,,E,,,,,AgAQ,Ag,,,,MAQIU,B,AB,,,E,AE,,,,B,,,,,,,AITM,BX,,AO,,AE,,,,,,,,,,,,,AB,w,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,AI,AC,,,,,,,ACC,AEg,,,,,,,C50ZXh0,,5Kw,,g,,rg,,I,,,,,,,,,C,AGAucnNyYw,,AE,,4,,AQ,ACw,,,,,,,,,B,ABALnJlbG9j,AM,,,AB,AC,,t,,,,,,,,,AQ,AQg,,,,,,,,,,DAz,,,,Eg,,C,UAbKU,Bgn,AD,,,,ABSl,BY,,,,,,,,,,,,,,,,,,,,,,,,,,,,ABMwAQAH,,AQ,EQAUCisABioAEzAEAD0D,AC,AR,A4wgI,AYfIGEKOF0C,AHHxphCzg8Ag,CB8hYQw4rwE,AkfIWENOGEB,ARBB8fYRMEOBAB,ARBR8gYRMFON0,,RBh8bYRMGOLc,,RBx8oYRMHOH4,,RCB8oYRMIK1kRCR8bYRMJKyMRCh8nYRMKKxQRCx8lYTiiAg,EQsfKFk4ZQI,B8MEwsr5hk4MwI,B8PEwsr2hEKHyRZOP0B,AfDRMLK8orvxEJHx5ZOLcB,AYEworsBs4lAE,BcTCiulK5oRCB8aWDhiAQ,GhMJK4sfHCg4,AGOCUB,AfOxMJOHb///84aP///xEHHxpYONc,,fzxMIOFX///8fJSg4,AGOKo,,fwBMIOED///84L////x8kKDg,AYrbh/AEwc4Hf///xEGHydYKzIfzhMHOA3///84/P7//x4TBR/AEwY48P7//xEFHydZRQM,,j,,Ow,AGI,,rE0UD,,y////9f///8L,,K7sfwhMGOLz+//84q/7//x8dKDg,AYTBCsEEwYrjh8JEwU4k/7//xEEHx5YRQM,,W,,OQ,AG,,ArBxMHOE////8dEwU4bP7//zhb/v//Gg0rFkUD,,O////03///9d////OBP///8f+xMEODj+//8JHyVZRQM,,X,,Sw,AF0,,rBxMIONT+//8f/RMEOBH+//84Av7//wgfIFlFAw,ADY,ABY,,j,,CsWRQM,ACs/v//v/7//9T+//84iP7//x0NOM79//8WDCsHEwk4Zf7//xwNOLz9//84rf3//x85CysWRQM,ABK/v//Wf7//27+//84M/7//xkMOIv9//8HHyJZRQM,,k,,Nw,AGw,,rFkUD,,+v3//wn+//8U/v//OO39//8XDDhX/f//OEj9//8ZCisHEwo4xv3//x8+Czg1/f//Bh8jWUUD,,JQ,AEM,ABL,,KxZFAw,AJD9//+c/f//rP3//ziF/f//HzgLOAD9//848fz//wIWmgIXmgIYmigF,AGKwcTCzhX/f//Ggo40/z//wAbCjjL/P//Kg,ABMwBQDCB,,w,EQ,OOEB,ARDR8hYRMNOMQB,ARDx8ZYRMPOGgB,AREB8hYRMQOCcB,ARER8dYRMROAEB,AREh8mYRMSOLY,,REx8cYRMTOH0,,RFB8jYRMUK1ARFR8kYRMVKzMRFh8eYRMWKxQRFx8ZYTgwB,AERcfJ1k48gM,B8+Excr5hEWHx1YOLYD,AfMRMXK9YfJig4,AGOIwD,AfMBMXK8QruR8mKDg,AY4TQM,B/7ExYrpxEVHyNYOAgD,Af/RMWK5crjB8eKDU,AY45QI,B/7ExU4d////xEUHxlYOLMC,Af+RMVOGT///84Vv///x8nKDg,AY4igI,B/KExQ4Qf///xETHx5YOFMC,AfxBMUOC7///84Hf///xESHydYOB0C,AVExM4C////x8dKDg,AY4+QE,B/4ExM49v7//zjl/v//HyIoO,ABhMRH/0TEjjT/v//EREfJFhFAw,,0,,a,,OQ,ABUTEji1/v//OKT+//8fPBMQH8MTETiX/v//ERAfHVlFAw,,4,,t,,OQ,AB/BExE4eP7//zhn/v//EQ8fHFlFAw,ABo,,l,,Yw,AB8/ExA4SP7//xoTDx8+ExA4PP7//zgr/v//GRMNHRMPOCD+//8RDR8cWUUL,,DQ,ABs,,q,,OQ,AEk,ABS,,YQ,AGw,AB4,,gQ,AI0,,bEw844v3//zjR/f//BwdaGloMFhMNOMP9//8RBjlpAQ,FxMNOLT9//8RBznq,,GxMNOKX9//8CbwE,AoLHz0TDTiV/f//ABgTDTiM/f//CI0E,ABDRoTDTh9/f//FgofPhMNOHL9//8WEwcfPxMNOGb9//8AHRMNOF39//8WEwYfPBMNOFH9//8rKREMHyZhEwwRDB8oWEUG,,Cw,ABE,,g,,Ow,AE0,ABU,,HyEoO,ABhMMK8wAFRMMK8YGGlgKHyYoO,ABhMMK7cSCCgC,AKKAM,AoWCQYaKAQ,Aof/hMMK5wCEQYRB28F,AKEwgf/BMMK4oAH/sTDCuDEQcXWBMHKwcTEjgA/v//EQcH/gQTCSsWRQM,AD0/f//Bv7//yT+//84zf3//xEJLAIrGCsZRQM,ACq/f//vP3//9H9//84l/3//xcrAxYrADoV////ACsHExM4b/3//xEGF1gTBisWRQM,ABK/f//X/3//3L9//84N/3//xEGB/4EEworBxMUOBT9//8RCiwCKxgrGUUD,,7/z//wT9//8X/f//OOL8//8XKwMWKwA6hf7//wkWKAY,AoTBCs7EQ4fJmETDisHExU4rPz//xEOHyNYRQY,,U,,Ng,AGU,ABv,,ig,AJU,,rBxMWOG38//8fHyg4,AGEw4ruhEFEwsrFkUD,,U/z//2X8//91/P//ODT8//8fxxMOK5gJGhEFFhEFjmkoB,ACisWRQM,,D/P//E/z//yX8//84+Pv//x/5Ew44af///wAf+xMOOF////8RBI0E,ABEwUrBxMXOMn7//8f+BMOOET///8rCR/EEw44Of///xELKg,EzADAGwD,AC,AR,I4UgM,,4DQM,AYfIWEKOHcC,AHHythCzhFAg,CB8vYQw49gE,AkfMWENOGYB,ARBB8qYRMEOCQB,ARBR8rYRMFOOc,,RBh8xYRMGOMY,,RBx8uYRMHOHw,,RCB8oYRMIK2URCR8rYRMJKygRCh8lYRMKKxQRCx8qYTiaAg,EQsfI1g4aAI,B8vKDo,AYTCyvhHzEoOg,BjgiAg,H/UTCyvPEQofMVg43QE,B/3Ewsrvyu0EQkfKFk4ngE,B/1EworpBg4fgE,B/0EwormCuNHzIoNQ,Bjg+AQ,FxMJOHn///8RCB8xWDgDAQ,GRMJOGf///84Wf///xEHHyNZOLI,,f+BMIOEb///8fCjh7,,H/kTCDg2////OCX///8fFitRHwsTBzgY////EQYfJllFAw,,4,,a,,Pw,AB8NEwc4+f7//zjo/v//GxMFHxkTBjjc/v//EQUfLVlFAw,ABQ,,p,,Xw,ACsEEwYrqx8XEwY4t/7//zim/v//HxsTBCsHEwc4fv///xoTBTiR/v//EQQfMVlFAw,ACU,ABb,,dQ,ACsWRQM,ABb////aP///4f///84OP///xwTBThb/v//OEr+//8JHzFYRQM,AB,,AZg,AIk,,rFkUD,,+f7//wz///8c////OOf+//8fGBMEOBT+//8fJyg4,AGDSsHEwg4u/7//x8ZEwQ4+v3//zjr/f//CB8xWUUD,,OQ,AGE,ACH,,KwcTCTh7/v//H+ENOMX9//8fHQwrFkUD,,Zf7//3n+//+L/v//OEz+//8f4A04ov3//ziT/f//Hy4oNQ,BgsrFkUD,,Gv7//yr+//82/v//OA3+//8fHAw4a/3//wcfJVhFAw,ABY,ABP,,a,,CsHEwo41/3//x8eDDhF/f//ODb9//8GHx9YRQQ,,+,,T,,FU,ABx,,KxZFAw,AJL9//+k/f//tP3//ziC/f//H/cLOP38//8fIyg1,AGCisHEws4X/3//x/2Czjk/P//ONX8//8AHy0oNQ,Bgo4x/z//wAfwgo4vvz//wMEBSgF,AGKwooBw,Cjik/P//H8AKOKL8//8qEzADALUD,AE,AR,A42gI,AgfJmEMOIAC,AJHy1hDTjwAQ,EQQfMmETBDiTAQ,EQUfMmETBThRAQ,EQYfJ2ETBjgUAQ,EQcfKWETBzjy,,EQgfI2ETCDiv,,EQkfOmETCTh8,,EQofLmETCitfEQsfLWETCys4EQwfOWETDCsUEQ0fOWE4HQM,BENHzZYOOcC,AfMCg6,AGEw0r4REMHzBZOJ8C,Af8hMNK9EfCTh5Ag,H/UTDSvEK7kRCx84WDglAg,HhMMK6ofPCg6,AGOPsB,AfCxMMK5grjRY4tgE,B/nEws4fv///xEKHy1ZOHsB,Af5RMLOGv///84Xf///xg4OwE,BcTCjhP////EQkfOFk48g,ABkTCjg9////OCz///8RCB8tWDiy,,GRMJOBr///8fOSg6,AGK3oWEwk4Cf///zj4/v//Hw0TBx/2Ewg46/7//xEHHyNZRQM,,O,,I,,D8,,f8BMIOMz+//84u/7//x8uKDU,AYTBh8MEwc4qf7//xEGHypYRQM,,O,,Iw,AFo,,fChMHOIr+//84ef7//x8VEwUrBxMIOH////8VEwY4ZP7//xEFHyZZRQM,,m,,Sg,AHI,,rFkUD,,W////2j///+H////ODj///8f8RMGOC3+//84HP7//xgTBCsWRQM,,K////HP///y3///84+P7//x8aEwU4+P3//xEEHzBZRQM,,X,,T,,GU,,rBxMJOL7+//8fFBMFOND9//84v/3//wkfI1hFAw,AD4,ABw,,m,,CsWRQM,ACC/v//kP7//6L+//84b/7//xkTBDiK/f//Hy4oNQ,Bg0rBxMKOEP+//8WEwQ4cf3//zhi/f//CB8pWEUG,,Pg,AGw,ACU,,nQ,AMY,ADk,,KwcTCzj+/f//H/MNODD9//8fHSg4,AGDCsWRQM,ADj/f//8v3//wX+//84xf3//x/yDTgI/f//OPn8//8oC,ACgdvCQ,Cm8K,AKFowM,ABFG8L,AKJisHEww4gP3//x/6DDjL/P//AgQoBw,BgorFkUD,,Zf3//3T9//+G/f//OEv9//8f/Qw4o/z//wAf/gw4mvz//yDog,AKAw,AorFkUD,,E/3//yP9//8w/f//OAP9//8VDDhx/P//BigD,AGAygG,AGCysHEw043Pz//x/xDDhT/P//Kg,ABMwBQBcB,ABQ,EQ,OBQC,ARCB8xYRMIOPEB,ARCh8tYRMKOK8B,ARCx8vYRMLOG4B,ARDB8tYRMMODMB,ARDR8xYRMNOOE,,RDh87YRMOOME,,RDx8tYRMPOJ,,AREB8zYRMQK2ARER8wYRMRKzgREh88YRMSKxQREx86YTjMAw,ERMfO1g4lAM,B80KD8,AYTEyvhERIfL1k4UQM,B/8ExMr0R8TOA8D,Af/RMTK8QruRERHzNYON8C,AfDBMSK6kfISg4,AGOLkC,AfDRMSK5crjBEQHzNZOIkC,Af/hMROHn///8WOHAC,AVExE4a////zhd////EQ8fOVk4MQI,B0TEDhL////Hxc4DQI,BwTEDg8////OCv///8fCTjiAQ,HxYTDzgb////EQ4fMlk4rAE,B8UEw84CP///zj3/v//EQ0fNFlFAw,ABk,,3,,S,,B4TDjjZ/v//GxMNHw8TDjjN/v//OLz+//8RDB83WEUD,,Hg,AD0,ABP,,GhMNOJ7+//8fPCg6,AGEwwdEw04jf7//zh8/v//EQsfNFhFAw,AC,,A/,,UQ,AB/nEww4Xf7//x84KD8,AYTCx/mEww4S/7//zg6/v//EQofOVhFAw,AC,,At,,b,,B/iEws4G/7//x86KD8,AYTCh/hEws4Cf7//zj4/f//Hw8TCB/kEwo46/3//xEIHzdZRQs,,O,,JQ,ADk,ABO,,ZQ,AHk,ACD,,qw,AL4,ADW,,+g,AB/qEwo4rP3//zib/f//BgNvDQ,ChfaQOE,,fcBMIOIT9//8CjmkX1o0E,ABDR8MEwg4cP3//ygO,AKA28P,AKCx8KEwg4W/3//wkRBQIRBZEIYQcGkWG0nBwTCDhE/f//AgKOaRfakR9wYQwfCRMIODD9//8AHwsTCDgm/f//Ao5pF9oTBCsWRQM,ABR/v//b/7//3v+//84Pv7//x9xEwg4/vz//xYKKwcTDjgX/v//HhMIOOv8//8RBSwCKwkrbBMPOOz9//8fDRMIONP8//8WEwUrFkUD,,2v3//+r9///9/f//OLn9//8fDhMIOK/8//8WKwMGF9YKKwcTEDiJ/f//ACsWRQM,ACC/f//lP3//6P9//84Yf3//xEFF9YTBSsHExE4QP3//xEFEQT+Ahb+ARMGKxZFAw,ACr9//89/f//S/3//zgL/f//EQYsAisJKwoTEjjq/P//FysDFisAOgr///8JAo5pGNoX1o0E,ABKB,,p0AQ,Gw0rTREJHzxhEwkrFkUD,,s/z//8P8///V/P//OJn8//8RCR84WEUD,,Iw,ACs,,9,,KxZFAw,AGb8//92/P//g/z//zhW/P//HzcoOg,BhMJK6grGB/2EwkroAkTBysHExM4Lfz//x/0EwkrjhEHKhMwAgCWAw,Bg,EQ,OBwD,AIHzthDDi6Ag,CR8uYQ04WgI,BEEHy9hEwQ49wE,BEFHzRhEwU4lAE,BEGHzNhEwY4OQE,BEHHy1hEwc4+,,BEIHzhhEwg4yQ,ABEJHy1hEwk4fQ,ABEKHzphEworYBELH0VhEwsrIxEMHz1hEwwrFBENHzxhONEC,ARDR9BWTiWAg,H34TDSvmHycoO,ABjhwAg,H38TDSvUEQwfPVg4IQI,B99Ew0rxCu5EQsfQ1g45gE,B/5EwwrqR9EKDY,AY4qAE,B/4EwwrlyuMH0YoPw,Bjh5AQ,H/oTCzh3////EQofL1g4KgE,B/4Ews4ZP///zhW////EQkfLVk46,,B/oEwo4Q////xY4r,,B/pEwo4NP///zgj////EQgfMFgrbRkTCTgU////HzUoPw,BisyGBMJOAP///848v7//xEHHzFZRQM,,h,,W,,HM,,f6RMIONP+//8fHBMHKwQTCCvKH+oTCDjA/v//OK/+//8RBh8wWEUD,,QQ,AHg,ACi,,KxZFAw,AKD///+/////0v///zh9////Hx8TBzh4/v//HzgoPw,BhMGKwcTCThN////Hx4TBzhd/v//OEz+//8RBR8yWEUD,,U,,Hg,ACT,,KxZFAw,ACT///8z////RP///zgC////H+ITBjgV/v//HyYoO,ABhMFKxZFAw,ANP+///m/v//9f7//zjA/v//H+ETBjjr/f//ONr9//8RBB80WEUD,,Mg,AGg,ACR,,KwcTCjiA/v//H/sTBTiy/f//HzgoPw,BhMEKwcTCzhR/v//H+QTBTiX/f//OIb9//8JHzFYRQM,ABP,,eQ,AJs,,rFkUD,,I/7//zj+//9L/v//OAT+//8f4hMEOFD9//8fOyg/,AGDSsWRQM,ADW/f//5v3///j9//84yf3//x/hEwQ4J/3//zgY/f//CB8zWUUE,,O,,FY,AB4,,gg,ACsHEww4if3//x/+DTju/P//Hw8MKxZFAw,AF/9//9x/f//gf3//zhU/f//FQ04zPz//zi9/P//BgJvEQ,CnQH,ABCysHEw04KP3//x8ODDif/P//AyDWVw,KAk,AYoEg,CigT,AKcxQ,AoKHgw4ffz//ysIHw0MOHP8//8HKg,EzAEAFo,,H,ARKBU,AoU/gYK,AGcww,Aa,g,BH4C,AEIMo2df0gyjZ1/VkgBw,AGJlIAc,ABjbw0,AZvFg,CigV,AG/g4,HMS,AG/gw,CgR,AGgAE,AQqoigX,AKfgE,ARvG,ACnQT,AB/gk,IwM,ABbxk,Ap0Dg,ASoAEzAFAMM,,I,ARcgE,HAoGg,Cjih,,/gw,I5p/g4BADgw,,/gw,P4MAQD+D,A/gwBAJMg+mVAISCeHLQJWCB11cPYYSBjVzfyYWH+CQ,YdGd/gwBACAekFLoII0L0ehhIG3GBxxYZiBNt5zvYSD1FOsJWCCfP9MWWSAD,,Y1kl/g4BACCUVskIINf+EQdYIIgwqARhZiDgjT7sWCAE2DQfWGU8BQ,ADgO,,OG7////+Dg,OFb////+D,Acxs,AoqKv4J,AoBw,Cio,BMwCADgK,ACQ,EQAgIldE2iANXoDsWWYgbva312EgAg,AGMgalONB2FlIBFyKCBZIPzc5+hhIAU,ABiIAc,ABj/g4,Dha,,/gwWACDQCrq8IAM,ABjZmZmIATyQgpZIEHJJf5hIAQ,ABjYThnK,A/gwWACAsoFUMINaEXPdYIHOSaOlZZiA75aIZYWUgqNQC3llmIJJcF9phWDgIIQ,IMXTIvRmZSDC0yL0WWb+DhYAOI/////+DAEAIHaO5UMgEY+q+VhlICMQAeNZIM4tkSBY/gwBACDfZlfxIJdmV/FhIAE,ABjkSBCoMPWIPQcWw1hIIhDZyRYZWZh0pw4P,,P4MGgAgu8vc8yBZy9zzWWE47R8,P4MGgAgG3twMCB2bbkTYSConIgqWSDFbkD5YSAG,,Y1g4Xh8,CBQ/P//IAQ,ABjZmX+DhoAOK7////+DAEAIO2YWgNmIBOZWgNY/gwBACCdUe7uIEwTkOZYIKQBYv5ZIOTCoCJhIAI,ABiIKGG8tZhkSDMIivmZiBrprPfWSAD,,Y2UglXv012Egbbk++Vgg9N8dKmEgQ3xs/Vhh0jg5Hg,IAGdnR1mIH5/YuJZIAc,ABj/g4aADgp/////gwBACC7gjUGIHeOnRpYZiDi7yzfYWYgAw,AGJlIAY,ABj/gwBACDZ////ZpEg3uhbrSDg6bHxWCBPzHwoWCBJE7QcYSD6PXsEWCAlG1jWYSD0Lh72WGHSnCB7FAwdIGKRRPpYIK7FLOtYIJYA1RhZZiC6aqjpWP4OGgA4p/7//yBNLZHPZSCzUarxYWUg7uv6IVkgF5FAHGFm/g4WACBZDKcRIE8gyw1hIJTbDQRZZiBUcEHtYWUgm1lB3VllIAHH3RdY/g4aADha/v//OJf9///+DAEAIA4UUQwggftgH1kgWlsyD1kgkZgL72Egepjt41ggFL6jFmH+DAEAIBFEkQkgGUSRCVllkSBRHC0LIEiL//lhIDRct+xYZiDUsY7pWGUgMICEHFkgKD+JJlhh0pz+DAEAIGAQ2Q8gg0Q9CFhmIBOr6edZ/gwBACCC3IchIPa52hFYIAM,ABjZiC+Vn7XWSAB,,Y2UgQqsKEViRIJdqp9ZlIA+ww/1YZiA9uuPYWWZlYdKc/gwBACAPFiy0ZiAE,,Y2UgAg,AGIgf/r0EmFlIAE,ABi/gwBACB0tmgCIAQ,ABiIAQ,ABjIAM,ABiZiCP5NoOYSA6V58dWJEgHPvl7SC1BBoSWGZh0pwgCbrRXyAJ5HjqWSAIaK0FWSAD,,YyDCE6EIWCAzCR/zYWYgV3d2Gln+DhYAOFD8///+DAMA0A4,AEoH,ACm8d,AK/gwDACCWugslIGlF9NpYZY0Z,ABJSA1dc/2ZSCt0krmWSDRM8kjYWUgMXTT/mEgB,,GMgBg,AGLQEg,ASgc,AKom8e,AK/gwDACAtuRD0ZiA6uXASWSCQjX75YSAD,,YyC,,AZSAD,,YyAE,,Y2YgB,,GJyDQ,cG8f,AKJiATd1nbZiD9dlnbWP4OFgA4nfv///4MAQAgzIEkuGUgAQ,AGMg8rgb4lggabcGCGEgJ/BD6Fggrr9T9llm/gwBACD3sV9uZSCb9wHyWCDMEG/jYSAIc7gQWSB/pm/WWCAgkYQmWWYgBg,AGORIIR+Dy4ghNEU1lgg88RMJlkgkCgV/2Eg+o8A+2FlIHzTPSZZYdKc/gwBACAPAUnlIF5+EiJhIKGzT9xZIGPnFABhID/Pmv5YZSDMA0YWYf4MAQAg4VKFA2UgXwQUImEgYMshBlggAQ,AGNmIBZtyOFZIMcVkw1ZIFC9o+FYkSCgVZHDIIU8oORhIBYoOhRYIGIwINZYZWYg40nMB1llINh3vwlYYdKc/gwBACBzKPvvIMTHU99ZIET2Sv1YINBW8g1h/gwBACB277KWZSC6k2YeYSAE,,Y2VmILSTF+JYIMNLiulZkSDMW8sEZiDBb1vwWCAsFJDrWWVh0pwgfNkFQyBMw30qWSDO6XfnYf4OFgA4LPr///4MAQAg/1,AGYgBg,AGMgAQ,AGIgAw,AGNmIAI,ABjZSAB,,Ymb+DAEAIGmIp8ogebFlImFlIC2l9x9hZWYgtZSZ/lkgADHP9ViRIC6xJtoghGh7AlggttPYAFllIPdFydtYIAQ,ABiZWHSnP4MAQAgoe8T7yDJYlkZWCAB,,YyCsciYQWSAK5jYVWCC7HEcJYf4MAQAgcLymIGUgZWo3KVlmIGDfqyNZICDBUNlYZSBE93wAYZEgHgsd1yBCzrPfYSAC,,YyBTsSsCWWHSnP4MAQAgRDNMIiAC2737WCDeG04pWSBwC3nwYSAzxa7oWGYgdL5x7VhmZf4MAQAgCtDI02Ygloc5BmFmZSDDAxgpYWYgcVTp/GGRIPRhJO1mIPhhJO1YYdKcIJqbSv5mIOR6VvNYIDnfC/VZZv4OFgA43/j//3IR,BwKC,,r+DgEA/gwBACDIHNQzIGNbIRJZZSBFwbIhWCAF,,Y2b+DAEAIL/0ly0gJDTr42Eg879K7FggbCJ02Vkg3aGsHmFmIAY,ABikSCKHQMAIAFJNg5YZmUgAw,AGIgAg,AGMgBs1yHGFh0pz+DAEAIHG8iPZmIKYlNPlYZiDNllT9WWb+DAEAICWHPNlmIAE,ABjIDSMEuJhIJtqXiJYZiAEWg74YWYgAQ,AGMgeuDv9VlmkSAcrpXcZiBn1PEbYSD8Bs8bWSA6x9kQYSCL7+bxWCA9BEwiYWYgUg3JH1llIPZFhgBhZmHSnCDfSDMVIEaFNNZYIGmSHgxhIMxleedZIAc,ABj/g4WADjD9///0BI,AEoH,ACv4MAgAgi53XJSBzvwIDYSD7zMAJWSDBTbUZYSBSGKEEWSAB,,Y2aaIDYdqiAgM8da/1gg4yO3AWFlZiC6qrfcYSARmCciWSAW1dzaYRQgsdhDByCRyLUjYWYgcqf1/mEgT4xY7lhlIAFprQpYINqnCeVZZSDWE7HuWWaNGQ,ARQoIQ,Cv4ODQA4Ww,AP4MG,gUJio3yAUZrQFWWVmIGHNCyZYZmH+DhgA/gwYACCg8CzUZSBIwg7dWSBojNjeWCAoYykkYSAB,,YiANi5TsWFlFB,,Bs,,PAQ,wAE,OUB,AgFHtI+GUgSX1k41gg+AEc61n+DhgAOIr////QCQ,ASgc,AK/gwCACCfzWorINgcBdZYZSCFFZD+YZog6d3QECBT0+ANWCAzfyQqWSAB,,YiCNKSnwWWUg+2usDGEgTK6iC1kUIAwCZrMgVCJ3/2FmIIBbOhdhICBQoedZZWZlIAE,ABjIP9lZiFhjRk,AElIAcWkk8gWhuI9mFmIMPzlPtYIAGKUAFhILi8zyJZZiBTUKXfYdAO,ABKBw,AqiJSA20MTQZmUgtleaKGFlIP94oQdhIAc,ABj0AE,AEoH,ACqIUKCE,Ar+Dg8AIK+WU7hlIA09qN5YICKmVCZZ/g4YADiW/v//0Ak,AEoH,ACv4MAgAgez2X4SCQwmgeWGVlmiAK+/z8IPPCwfNZIAE,ABiZmUgxU5b1lhlIDRBLhdhFCCeE+zwIAE,ABiICjgy9thIPVwBORZZiAE,,YyCeCp/6WSAD,,YyAE,,Yo0Z,ABFCgh,AK/g4OACAY3dS7IHFEVeJYZiD1KY0QYWZlIMn1KRFhIHLVrSBZIEtDpOJYIOhvZyJZ/g4YADjl/f//IMbmqwBmIMPmqwBY/g4WACB//v//ZiAH,,Y/4OG,4wP3//zjk9P///gwBACANb1kHIE3TOe1ZZiA6ZODlWf4MAQAgFw,AGYgAg,AGNmkSBzGMnbIFuOnPNZZiB9tO0ZWCC4Jd4oWSAuBMv+YSAq/Sf2WSAD,,Y2HSnP4MAQAg/HQNCmUgvwa6FlkgCa9PH2Eg,eqDlllIAE,ABjIHtG3whhIBS3CfZYILUfMNphIAc,ABjZf4MAQAg4MMO3CCiTo8BWSCIEd0KWCAB,,YyA7+c/qWCBRw4EiYWYgAw,AGORICh8p8hlIKcezuFhZiAvnZbWYWVh0pz+DAEAILP5Zv0g/72BBFggmdm+HVhlIFKRpx9Y/gwBACCUi1AOINauSABYIGw6mQ5ZIAI,ABiZpEgWtX0DyDaHxbZWWYgLU6h/GEgGqk7F1lmINCku+FhYdKcICTQA+Egw9qNEFhlZiD0HF3uWSDzjTQDWf4OFgA4kPP///4MAQAgvFUJ2iAgDXIGWGUgGZ2EH1n+DAEAIDBhRNkgmbE29llmZSAC,,YyBzujfqWSCLFfckYSCb3owMWWYgjDkQ4lkgAQ,AGORIAmkkywg+plcAVllILTH5+ZYIO9cCuhZIB1fiClhZSB/8MoaWWUgHdAG61hh0pz+DAEAIMIyH+dmIH3M4BhZIAQ,ABj/gwBACBwE7oRZSAC,,Y2ZlIAss7wBZZSAmT6L6WJEglZ7NdCCPv6AbYSAB,,Y2YgAtaD3GFmINVGNethYdKc/gwBACC0DFHnZiBNtr7hWSBkK9/aWCAyIKf8WCCwiHYOWSAB,,Y2b+DAEAICaxBeBlIM1O+h9ZkSDVy04EICQiXeZYIPPtq+pZZWZlZmHSnCCp6WXVZmUg8IeE+VkgALNCElggVuvbEWH+DhYAOEjy///+DAEAIApjwAQgUiizIlggmq+VElkgftvdFFn+DAEAIJDWpw5mIIOOUO5ZZSAC,,YyD/5sEAWJEgUDY3SmUg26dsHlggARVT2FlmIBOjHQRhYdKcKCI,Ar+DAEAbyM,AogLps0AyCxK0kgWSBkbE4XWCDg2zn6WY0j,ABJSDc9lagZSAC,,YyC3vRXoWGUgAvyFASClURAOYSC58pr9WCAB,,YyALUJgGYZ1vJ,ACv4OAgD+CQEAcoQCAHD+D,AbyU,Ar+DgMAIE00q80gjy9r3VkgTvu/D1hm/g4WADhd8f///gwBACA0oQwYZiAm8M4iWCDljDogWSDERzzWWSBfeksUYf4MAQAg0qIlDSAwGOTxYWVmZSD93EQIWSDpbvgKWCD01vEFWZEgg/mA9SDT+FYjYWUgKALW1lhh0pz+DAEAIERJueIgb2078FggJxZI22EghF9D9lj+DAEAIJVXqgkgtqk151hlIP4Pgd9ZZWYg1Tvj+WEgtSqCKViRINrIPxhmIFU6ECJZIAE,ABiZSCkQugLWSAC,,Y2YgUA/S5WFh0pz+DAEAIFvEahYgEcflClggFD8PAVlmIFGd6dthZSDv5aDeYSCTJdrkWCAB,,YiAWSzvsYWb+DAEAIERXMQllIHbaGtxZINP8igdhZiB9MjkdWGWRIEXaqBQg8iVX61hh0pwgMl2F3mYg36J6IVn+DhYAOCDw///+DAEAIO3MDfdmID+qIeNZZmYgM3cv2lggAw,AGL+DAEAIIk7GdplIHfK5iVZIAU,ABjZZEgHDRqIiAuZPoAWCAwTsgPYWUgNDD3+lkg2wakJ1hh0pz+DAEAIGqUVvVmZSAC,,YiAB,,YyA438kNWCA/CHf4Yf4MAQAgstu61mVmIH8kRSlhZpEgRP7Q5WYgAQ,AGIgHAue4GEg/cABDVlmIAE,ABjIIsj3+NYZmHSnP4MAQAgRS3KuCAZgyXYWWUgmlVbH1n+DAEAIOAPQTJlIAE,ABjZSD2BTD1WSB8fg/cWGUgAQ,AGNmkSCqKJHUZiAB,,YiABmSL4WSAK9ijnYWUgES3T4lggQUk/KVlh0pwg,I,CAG,,Y2b+DhYAOPHu///QEw,ASgc,AKIFAE2aAgLLP9JlggJHlaGFhmIM0ol9hYILZLW/hhIOr4CAVZIIS6NfthFCAIe8H9IKH6A/lhZiAB,,Yy,XAX9WCDtxUkTWSDFHPUOWCADck/2YY0Z,ABFCgm,AK/g4KADhg,,/gwZACCvJ3jIIHYb4+9hICrs+SZZIO2uXv9YZmH+DhkA/gwZACC4P3TuIOAJ6Q9hIIi74u5YIAU,ABjZmUgZueo1VkgMegk11hYRQQ,,0,,d,,E4B,DfAQ,IOgAFTog+HUWEVgg58OAKlkgAQ,AGIgQQBx8FhlIKAoZ9tZZiAOjy0NWf4OGQA4bP///yDGFekhIELqFt5YZf4OFgAgX427RWVmIFLHFhhhIKz4WQ9ZIAM,ABjIK3Il+BZZWYgs6EyKVn+DhkAOCz////QEw,ASgc,AK/gwCACDh4cPVZSAfSGDsYSDrZDjZWWVmIGwT3BJYIAc,ABjmiBsriwWZSCHUdPpWSAC,,YhQgc4ukBiCYBOH4WSAneTzyWI0Z,ABJS,,,ZSAD,,YtAB,ABKBw,AqiJSCrg4D9IK7MKN5hZWYggw9v/2Eger84I1jQAQ,ASgc,AKohQoIQ,Cv4OD,g8bwO/yAD,,YiCUEQXcWCAl26z2YWUgXNrOFVhmIEA8ouRhIASIWhZYZSAE,,Y/4OGQA4Uv7//9Al,ABKBw,Ar+DAIAIH52jFYgbYRCE2EgNJ3IHVkg31AGKGEgBw,AGOaIFM/gt4g9Z2l1WEgAg,AGJlIPZthQNYZmUg1RwZKVgUIDLvZAQgklPFEGFlIJex6AdYZmUg+PRG82EgBQ,AGONGQ,ARQoIQ,Cv4OCwAgVp36D2Ugb536D2H+DhkAOMH9//84Ouz///4MAgAgJpGPJCDG9LfcYWUgIJrHB1llIAY,ABiZmYgBQ,AGKaKCc,Ar+DgQA/gwEAP4MAgAgYAnJVGUgFpYtJFhlIFYw5SdZIPVCtghhmiBhFsjvIKLWvyNYZWYgmtBX7Vgg/b25FVkgJ07vE2EgAQ,AGNlIGSlmgNZIAM,ABjFCB3OLUfIInHSuBYZY0Z,ABFG8h,AK/g4FAP4MBAD+DAIAIG5IkfkguF9bH1kgthfKJWFlIAc,ABjmiC/kq0ZIJ5EbtdYZSAC,,YiBlxqjlWCDFaDkhYRQggP///yAH,,Y2aNGQ,ARRvIQ,Cv4OBgAgAtCfz2YgEFlI3GEg1XYo7Fll/g4WADgk6////gwBACBneQ48ILlzYeRhID4+E/9YIJEaoyphZSDx/p8bYSB+yr7mWCAE,,YiAH,,YyAB,,YiAG,,Y/4MAQAgHbm7BCAB,,YmUgI5517lggzCv+5FmRILJDEc5mZSDAipMSYSBxyYLcYWHSnP4MAQAgOfVz1WYgSgqMKlkgAg,AGP+DAEAIO2VzDYgSKzrI1kgTlCmD2FmZSDNuUYdWZEgT4HJvGUgna8uKFggknkj5mFlIKUP3B1ZZiAH,,YyBLRVb/WWZh0pz+DAEAIOF0ENYgKRcKDVgg0adXAVlmID7kwuFYIAM,ABi/gwBACBJXZD5IFe6TxBZILBtXhJhZiCdMOEEWZEgTc6WCGUgbyBl6mEgAQ,AGMgawiGDmFh0pwg5wK6eWVmIMFDf/VYIA/pvfphIAI,ABjIAaNh+FZZSAB,,YyDKJsQTWCClqCjuYf4OFgA4vun///4MAQAgF2e6BSC+nKoSWCDzZlIJYSAS3qoXYSAC,,YyCNbfURYSDt/K3vWP4MAQAgOk0CsCAX4zb+YWVmID++Cg9ZIGbR9SJhIF4+3B1ZkSBv7Y4gIOuLfgpZIJds/PdhIDn+3fRYIFQMytZZIAM,ABjZWHSnP4MAQAgwAU,CAC,,YiAH,,Y/4MAQAgzOGVFiBPl/AaWWYgZGq+DFkgobpjCFhmZSAF,,Y5EgNoet4WUgMnjEDFggGRKi+lggs/xG2mFlYdKc/gwBACAPxF/rZiAD,,Y2UgrQeUAlj+DAEAIHCJRycgAg,AGNmIKw0YAtYIGBSjgFhkSBMOCwGIIdxVvBYIBypgvZhYdKcIBxFqdogmcseAmEgWREGAVllIGYQ7dthZmUg5PidD2EgAHGa/FggXdvY+GFm/g4WADhy6P///gwBACAZ,,ZmX+DAEAIKJS5B8gnntC3lggBQ,AGNlIGq/QdlZIOJFdP5hZSADHJPiWCBXzNkJWWWRIHwS2C5lIAnMrQZhZmUgjBxWH2EgMwEGFlgghT3i3lkgAQ,AGNh0pz+DAEAINg,,gAw,AGP+DAEAIFM+xbBmIDhGmd1YIOZMif9ZIMMtdt5hZiC5J2r6YSAC,,YmYgCMJaJWGRIHQu7Bwg6NET41ggAg,AGNh0pz+DAEAIPCDGAllIAE,ABiIIW4k+RhIKmTlAxZIAE,ABiID5QzRpZIKYJxN5h/gwBACDX5rDNZSBYiygQWSBLctndWJEgeNj//2UgAw,AGNlZiAE,,Y2HSnCCjWP3zIOOkAgxhIAY,ABjZWYgAg,AGIgAg,AGP+DhYAODXn///+DAEAIJYu7vtlIIdneP9hIM5jmwBZIDVTzvph/gwBACBc+yDxZmUgiATfDmFmkSDCn0EXIMZfvuhYZmVmZWZh0pz+DAEAIBpiEH4gDqYY6VhlIEWMvf9YIGV9uSdhIJOBsN9ZZiAO8mwYWSBalhUIYSAG,,YiAH,,Y/4MAQAgP0SRDiCBUGfkYSAB,,YiAGYasEWGUgqoqX2mFlZWaRIO25d1Qg/9HP5GEg284H2FllID/P7wxZIDRooOVYZWHSnP4MAQAgzh212yCIe9cCYWUghmheFVkgLH9/BVggB,,GMgzhSU/lhl/gwBACA5WJQHIDKRzSZYIObnFhRhZSCK96XnYSDNBi0iWZEgygrCBmUgAw,AGIg9UGlFlhlIMor9edhZSApW6YDYWYgrpvHBFhh0pwg/o2s8yCF8SDxYWYgoT0612EgNL5JKln+DhYAONnl///+DAEAIGja/x8gfhDfAVkg12n8+1kg73V37lkgkIerI1kgmmIBEGH+DAEAIL7ztwYgUAxI+ViRIEK4aIIgkNr3F1hmIE55Q9hYZiBiMbMpYSCk1lEUWGVh0pz+DAEAIKbSzOkgZJt29GEgTbZF4lj+DAEAIIe5Hb8gUjjw2FkgUI1IHlggdg52BFmRIL0q6QggYCFp31kgc2VB8Fggx5A+5lhlYdKc/gwBACCTJ3ELIBoocQtZZWYgAw,AGNm/gwBACDSiycEIM2MqhtZZiAV/3zoYWaRID5e9hwgA4YX6WFmIN8+KylhIJ0PNSNZIAY,ABjYdKcIOgVF/UgUzdKKFhlIDiLtR1YIPHlyxVhIOAnYOphIAQ,ABiIAE,ABjZSAD,,Y2b+DhYAOKfk///+DAEAIAu8HwNmIPJD4PxZ/gwBACAI,,ZSAC,,Y2WRIFcC+t8g0gH631lh0pz+DAEAIL5xiv8ggEXA1mEgQTRKKVll/gwBACCHBYmkZmVmZWYgAQ,AGMgkIMSDFkgWAZX3liRIKLtkPog2ywXCVggvmPC91lmZSDltuULYWHSnP4MAQAg3z0z9SD0O0rwWSAC,,YiDsB6QTYSAE,,Y/4MAQAgjwq6wSDcVF/5YWUgGXThG1ggthRV2lllZWYg6/5Y91mRIJUGiRFlINF3E9pZINJ8RwVYIHS8EO9ZIPhBmiphYdKcIKLsPCIgAQ,AGMglpOUFlllZSDZZFkNWSDlfTDtYWX+DhYAOJPj///+DAEAIE4peVAgWnhEFGFlIJ3CPSBYZiC2j/8jWWUgB,,GP+DAEAIPkyuAQgeTH/H2EgiO7L1VggIgzfCWEgGNo5AlhmZSCNmvIcYSC6QvXnWZEgcZDdOCAwnLIdWSBEshkHWCDFoEQiWSAG,,Y2VmYdKc/gwBACCS/JItIAE,ABiIPy2SQdZINhP4R5hIAQ,ABjZSD00NMEWP4MAQAg813f+WYgDFtBDFkgAg,AGJmICkcfedhIAE,ABjZZEg3ao3DyAtv8cJYSCNYTUVWWUgb7jp/FkgmSWoH2EgirbzDmFh0pz+DAEAIJH6yMQgKAnICVggVR717FkgcuWb4WH+DAEAINkn9xZmZmUgOGVIAGEgCb1A6VmRIFgS8tpmZSDS7Q0lWGHSnCDxKLhIIOdHNPdYIAM,ABjZSDldAL4WSAG,,Y/4OFgA4PuL///4MAQAgBO9bEmUg6xCk7Vn+DAEAIDjMV9llILczqCZZkSAVbI0iIB5sjSJhYdKc/gwBACDu////Zf4MAQAg0Yxv8GYgYUXFAWFmIA3Rw+9YIJ2ZbuFZIAQ,ABjkSDfmEgLZiAcLJbkYWYgvrTe71lh0pz+DAEAINxfbwUgwOmLAlkgLHfjAmEgB,,GP+DAEAICgzRuwg0YL8/2Eg8313FlkgCS3E3lggBJ/4I1iRIHopbOQgHdaTG1hmYdKcIP6jpxAgG5XA3lgg0caXEFj+DhYAOGXh///QDg,ASgc,AK/gwCACB850XXIN3IeAZYICUV8/hZZSDTZDQbWWWaIKFXbLEgGghe21lmIFlQDtZYZWYgAg,AGMUIG,,AgBQ,AGNlZo0Z,ABJSC3QbD2ZSBJvk8JYSAE,,Y9AO,ABKBw,AqiJSBTMB78ZmYgU3JQ9GEgBg,AGMgInP6JlkgEjrZJlggAg,AGNm0CY,AEoH,ACqIUKCE,Ar+DgcAOGo,AD+DBcAILjXXAhlIAaWsPlYZSAkpln0YWVmIPHn9fpZZmH+DhcA/gwXACBiyc0KZSDVxE7zWGYgbenHAmEgT+qM21hlILYnug5hWUUE,,P,,Pc,,5AQ,RQI,DgG,,nDjB4f//IC1zQRkg7WAX6VkgBQ,AGMg34GyKVlmIOBzPgdZZmVmZiDQQg3fWP4OFwA4Zf///9AS,ABKBw,Ar+DAIAIBehx+tmIOJB19ZYZiA6aIAXWSAGCZACWCAC,,YpogmLlDAmYgSLlDAmFmIAI,ABjFCDOBljAIBGenyJYIPK+IhVhZSAtGtX3WI0Z,ABFCgh,AK/g4IADga,,RQQ,ACj4P//KOH//6rh///34f//OIjg//8gBOz4MCA3lZcYWCB0xGwlWSBHWtzbYSAC,,YiAE,,YyAF,,Y2X+DhcAOKr+//8g72yxDGUgVFWLHFggc+jZD1n+DhYAOAk,AD+DhoAOArg//8g26wZy2VmIAE,ABjZiBf1ozlYWb+DhcAOGj+///QJQ,ASgc,AKIL9WTeBlILRWWSpZZSDsuq4GWCDZ1ATxWSBNbK/fYWYUIHCDlvsgXVqiIWFmINMmyyVhjRk,AElILosZRIggtHB/Fgg9C9+5VkgpxvJ22Eg8NVh8llm0BI,AEoH,ACqIUKCY,Ar+DgkAOGo,ABFG,,Kre//+i4P//6eH//5zi//8N5P//WuX//3bm//9V6f//qer///Hr///c7P//Ge7//0jv////8f//FfP//3v0///H9f//BPf//2D4//+S+f//pvr///v7///U/P//MQ,ADiO3v//IM6XPGggYaFrCmEgMR0i3FhlIAM,ABjILjVMPhh/g4XADhc/f//OAje///+DAMAbyg,Aol0Aw,AEoH,ACm8p,AKJiX+DAQAbyk,AomJdAp,ABKBw,ApvKQ,CiYl0CU,AEoH,ACm8p,AKJiXQEw,ASgc,AKbyk,AomJdAO,ABKBw,ApvKQ,CiYl0A4,AEoH,ACm8p,AKJiVvKg,Cv4OE,lbyo,Ar+DhEAJW8q,AK/g4SACVvKg,Cv4OEwAlbyo,Ar+DhQA/gwCACBL0A4AIAM,ABiIAI,ABjZiCrbhnvYWUgM84E72GaKCs,Ar+DhUAJX4s,AK/gwVAG8t,AKJX4u,AKby8,Aolfj,,r+DAUAbzE,AolfjI,ApvLw,CiV+Mw,Cm8v,AKJX40,AK/gwQAG81,AKJX4z,AKby8,AolfjY,Ar+DAYAbzE,Aolfjc,AogBQ,AGZlby0,Aolfjg,AogKafiyyAdoHbVWWYgAw,AGJlIAM,ABjIAcHbPZZby0,Aolfjk,Ar+DAIAIEaH9iVmZSDqEqkYWSCxi7LyWJpvOg,CiV+Ow,Cm8v,AKJX42,AK/gwHAG8x,AKJX48,AKby8,Aolfj0,Ar+DBEAbzU,Aolfjg,Aog0pqAGCA6ZX/nYWUgAg,AGNvLQ,CiV+OQ,Cv4MAgAgdvl3FiAryA4JWSCfOgMiYWVmIBSbhBpZZmUglbG0ClkgJL8wCmGabzo,Aolfjs,ApvLw,CiV+Ng,Cv4MBwBvMQ,CiV+P,ACm8v,AKJX49,AK/gwRAG81,AKJX44,AKIPy1p1UgzbG1G2FmZiA5BccmWSD9/konYWZlby0,Aolfjk,Ar+DAIAID8,ABmIAU,ABiZSAH,,Y5pvOg,CiV+Ow,Cm8v,AKJX42,AK/gwHAG8x,AKJX48,AKby8,Aolfj0,Ar+DBEAbzU,Aolfjg,Aogc00anyA6Gg7eWSDwOIMmWGUg0ZNwGFlvLQ,CiV+OQ,Cv4MAgAglLKbOmYgBg7qKGEgodxID1hlID33KOhhIEYpkhhYIAE,ABiIBmkJAdZmm86,AKJX47,AKby8,AolfjY,Ar+DAcAbzE,Aolfjw,ApvLw,CiV+Pg,Cv4MEABvNQ,CiX+DBEAbz8,Aolfk,,pvLw,CiV+Lg,Cm8v,AKJf4MEABvPw,CiV+QQ,Cm8v,AKJX42,AK/gwIAG8x,AKJX5C,AKby8,AolfkE,ApvLw,CiV+Qw,Cv4MCQBvR,ACiV+RQ,Cm8v,AKJX5D,AK/gwKAG9E,AKJX43,AKIGmYXjVmIG+Xfe1hIGzGUyBZZSAC,,YiDcVdvhWSAC,,Y2VvLQ,CiV+Rg,Cm8v,AKJX42,AK/gwLAG8x,AKJX43,AKIDZ8aP4gyfxGGGFlZiAjqvb0WSAC,,YiAKKtH/WSDZpX4bWGUgwChzH2FvLQ,CiV+O,ACiCIy+ATIHw0H+xYby0,Aolfjw,ApvLw,CiV+Rw,CtAM,ABKBw,ApvS,ACiV+O,ACiBpphj3ZWYgVYm8IVllIE3ioyphIAU,ABjby0,AolfjY,Ar+DAwAbzE,Aolfkk,ApvLw,CiV+N,ACv4MEgBvNQ,CiV+Sg,Cv4MEwBvNQ,CiX+DBQAbz8,Aolfjg,AogDKsh+yD8qiH7WSAC,,Y28t,AKJX5B,AKby8,AolfjY,Ar+DA0AbzE,Aolfks,ApvLw,CiV+L,ACiDW/BkmIHE1cuBYZiB8MowGWG8t,AKJX5M,AKby8,Aolfkk,ApvLw,CiV+TQ,Cm8v,AKJX5H,AK0Aw,AEoH,ACm9I,AKJX5G,AKby8,AolfjY,Ar+DAsAbzE,AolfjY,Ar+DAwAbzE,Aol/gwTAG8/,AKJX5B,AKby8,AolfjY,Ar+DA0AbzE,Aolfk4,ApvLw,CiV+Tw,Cv4MFABvNQ,CiX+DBIAbz8,Aolfj,,r+DA4AbzE,Aolfjg,AogJFzo6SBZMHIYWGUg5Yx8C2FmIJ4AJglZZW8t,AKJX44,AKIHsJ5d9mIHgJ5d9YZW8t,AKJX42,AK/gwPAG8x,AKJX44,AKICc72OcgL8+V+VlmIP5rQu5Yby0,Ap+U,ACm8v,AKOAk,AD+DhYAOJDX///+DAMAKhMwCQBIAQ,Cg,ESgX,AKc1E,Ar+Dg,/gw,HKEAgBwb1I,Ar+D,AINilMckgNQt9GFggx3777WFlIC4EwNVhII+2TSNZZiCLfRwDWG9T,AKcoQCAHBvV,ACnKEAgBwIAht5Bsgi1og/1kgUzCT7FlmIHSiJChYZSBJwPP3WG9V,AKOBM,AD+CQ,/gwBACgQ,AGJjgJ,,/g4BADjk/////gwBAG9W,AKcoQCAHAgR9sMRyDJkd0SWWZlIBXIhdhYIAI,ABiIMfsniBhIPQ7XwFZIHWSFO9YFBQgtrz11yBlAK/9WCDNZKTbWSA8pIUlWCAqI7gnYSBj6FgnWWZlILLXNhVhZiDulJMlYSCcS77fWY0B,ABJSBb7a00IIb+cvxZZWYgP/FCHlllIFoGrPZhZSAxBKQQWP4JAQCib1c,Ap0Dg,ASoTMAMAkwU,As,BE,,4OgM,P4M,AgNc9D7GYgkc9D7FhlZmH+Dg,OP8B,D+DAEAIKZKpSRlIPi0WttZYf4OAQA4dwE,P4MAgAg8mPr1WYgm2Lr1WFlZmVmIAI,ABjZmH+DgIAOLo,AD+DAMAIKbkRgwgeg+581ggBQ,AGNlYf4OAwA4Mw,AP4MB,gp1cvJWZlIPJXLyVhYTjMB,A/gwEACCYJ8fxZSAlmsT6WCApcv0IWVg4cQQ,CDpJ/8QIPjiMx9YIAXrpdhhIAE,ABiZSDLs/sPWSDMdynhWGb+DgQAOJ/////+DAMAIHFufQRmIHj8CxVYIFmOjhBhWTjgAw,IKF4WhJlIILHGgJYZiAaT8DvWGb+DgQAOGb///8gqrF1BCA2zfv8YSCcfI74WTh8Aw,IO787wQgAw,AGJmIOm9V/VZIOmIOhFYIBfjYvRZIAE,ABjZf4OB,4Iv///zj9/v///gwCACDbOcXqIGhAvQhhIO6Fhx1YZVk48wI,CAX9hseIKdZRuVhIAQ,ABiICdNSAtYZSDQyL0bWSDx7h4jYSAD,,Y/4OAwA4rv7//yABg3cqIGQHotVYIMcpsvRZIFd+ht1ZZiAB,,YyDlX08MWSAnL8DcYSAD,,Y/4OAgAg+c752CDodO/qWCDdAkfrYSA+U0zoWGYgt3d6AGFmZSAB,,YiDYxwEhWP4OAwA4Rf7//zgb/v//IAd8mQMgmKT5BmFlIJJ6tBBZZSDQlS4FYSBcAdH0WCACyAwIWWX+DgEAINOzxO1lZmUgIwhuCVggFlSpG1n+DgIAONT9///+DAEAIAw+nAYgAQ,AGMgY/cv8VllIP8dreBhICEzrAFZICQJQ+pYZiBMm+P1WGZYRQM,,m,,lg,AOg,,g60kDCSAytzAUYSAZADQdWSAG,,Y2X+DgIAOHH9//84Uv3///4M,Agx,,CAD,,YiAE,,Y1hFCg,AIQ,AC7,,/Q,ACkB,BZAQ,kwE,MQB,ALAg,SgI,H0C,AgNXwwGyCFVQoSWCBdGqnXYSBN9u0LWGYg7IpzJWEgo0jyI1j+DgEAOOL8//8gRG596SCWPiIGWGUgwqyf71ggAg,AGIgB,,GP+Dg,IFf4f6kg2A68GWFmIP3w3yhhIKla3NlYZiAVgiPjWWYgFtbjJFll/g4BADiQ/P//OG/8//8,CDJBvIdZiCLkmrwYWVmIN/9PQFZIBgSsghYIH0RVQxZIAE,ABiIAsj8+RY/g4,Dg4/P//,AgodT5ECBK1sbmWCCtMs4BWSCvXyX6WGYgAQ,AGJlIA4yh/dZIC6CVxdhIAQ,ABjIAI,ABi/g4,Dj2+///,AggMNfFCAC,,Y2ZmIAU,ABjZSCymN7uWGUgKdm17mH+Dg,OMr7//8,CCQsO5DIAM,ABjIO0ngvdhZiAH,,Y2UgAQ,AGIgAw,AGP+Dg,OJr7//8,DgW,,RQM,ACd/f//5P3//0f+//849/z//yA8j1NDIA3dZSFZZWVmIPSx7SFY/g4,Dhg+///,A4CQ,AP4OAwA4e/z//yALTo48ZSDUOvMYWCDPCF7ZYSD4G8X6WP4O,A4L/v//w,OBY,ABFAw,AHX8///E/P//Lf3//zgK/P//IBxNIaogdBjgKFllIAI,ABjIDJNUOBYZSAC,,Y2Zl/g4,Djo+v//,A4Fg,AEUD,,rPv//+X7//8p/P//OHn7//8giETm6yAB,,Y2VmIAE,ABiIHu7GRRh/g4,Dip+v//,A4CQ,AP4OB,4K/v//yAh6/RaZmYg8syj7VhmIAI,ABjIMotJhJY/g4,Dh2+v//KgATMAYAyg,,w,BEAGo0E,ABgAM,AQrBgc4i,,B8RKD0,AYLK/B+Aw,BBkfMStYHxAoPQ,Bgsr3H4E,AEGR8yKygcCyvOfgM,AQWfgQ,AQWH1IlCpwGnBsLK7cajQQ,AGAB,ABCsDnCvVGAsro34D,AEGH4E,AEGB9BJQqcBpwrA5wrpRYLK4d+Aw,BBd+B,ABBcfUyUKnAacKyZFBw,AGH///91////g////5r///+u////yv///ww,,4Uv///xoLOEX///8q,AbMAYAqQM,A0,BE,nNY,AKCisHERU4YwM,B8ZKD0,AYTFSvuEQ84LgM,B0TFSviFjgLAw,FhMVK9dzWQ,CgsaExUrzAiNB,,Q0cExUrwAZvWg,CgwZExUrtBqNB,,RMEHhMVK6cGCRYIb1s,AomGxMVK5gJEQ8JEQ+REQQRDxpdkWHSnB8hKD0,AYTFTh5////BhEEFhpvWw,CiYXExU4Zv///xEPF1gTDxEPCDLDCRZzX,ACnNY,AKEwUrNxEURQw,,L,,GQ,ACg,,1,,Sg,AFo,ABr,,f,,Ic,ACY,,qQ,ALs,,fJCg9,AGExQrvhEFb10,AoTBx4TFCuwEQVvXQ,ChMKHwoTFCuhEQo5jw,AB8LExQrlBEFEQkWEQhvWw,CiYXExQ4f////xEFb14,AomHBMUOG////8RCI0E,ABEwkZExQ4Xv///xEFb10,AoTBhYTFDhN////FBMNGBMUOEL///8RBW9f,AKEwgbExQ4Mf///xELjQQ,AETDB0TFDgg////EQVvY,AChMLHwkTFDgO////FysDFisAOo0,,oFQ,Cm9h,AKb2I,AoTEBEQLAMWKwMXKwAtCxEQjmkgo,,C4Gc2M,Ap6ERAfDBEMFhELKGQ,AorExEWRQM,,L,,Ig,AC4,,fGyg9,AGExYr4hEMG48E,ABJUcgg,,GDSUhcTFivLc2U,AoTDRgTFiu/EQ0RECgY,AGb2Y,AoRBiwDFisDFysALUgRCiwDFisDFysALQ0RBREMFhELb1s,AomEQVvY,AChMRERGNB,,RMSEQUREhYREW9b,AKJgcREm9n,AKBxEMb2g,ApzaQ,ChMOEQYsAxYrAxcrAC1KBm9q,AKB29r,AKFnNs,AKExMRBywDFisDFysALQsRExEOKDs,AbeRxETEQ4oFw,Bt48ERMsAxYrAxcrAC0HERNvbQ,CtwRBywDFisDFysALQ8Gb2o,AoRDig7,AGKw0Gb2o,AoRDigX,AGEQ0sAxYrAxcrAC07EQ4Wam9u,AKKwcTDzju/P//EQ0RDhEJKBo,AYsAisMKw05VP3//zjI/P//FysDFisALQZzYw,CnoRDhZqb24,AorMkUK,,e/z//4f8//+S/P//nfz//6n8//+1/P//wvz//9H8///w/P//A/3//zhr/P//EQ4q,,AR,,IAxAIi5gIU,,ABMwBQA0,,Dg,EQIrKxYrAxcrAC0IAo5pAwRYKwsUKgSNB,,QorBC/1K/ECAwYWBCgE,AKKwQs1ivRBioTMAQALQ,,8,BEgAB,AI0E,ABKw4CBhYGjmlvbw,CgsrAwor7wcWMAEqAwYWB29w,AKK98,,TMAQAhQM,B,ABECjmkgo,,P4BOGUD,AGOEAD,AWKwMXKwAtJQJ+Aw,BB8UKBk,AY4DQM,BcrAxYrAC0LEgT+FTg,AERBCoGLAMXKwMWKwAtIQJ+B,ABB4oGQ,BiwDFysDFisALQsSBP4VO,,REEKhIB/hU4,ABBiwDFysDFisALQMeKwIfFAwrLxEGRQo,,L,,F,,C,,Aw,,Rg,AF0,ABr,,dw,AIE,ACY,,HxYoPQ,BhMGK8YICVgMGxMGK70GOYE,,fCRMGK7EHe3E,Aoocg,ChYTBiuhB3tz,AKKHI,AofECg9,AGEwYrixIBAggJKBY,AZ9cQ,ChgTBjh0////II,,ANHhMGOGb///8IHlgMHRMGOFr///8aDRoTBjhQ////EgECCAkoFg,Bn1z,AKGRMGODn///8WKwMXKwAtAgcqCAlYDCtnEQVFG,,As,,c,,Mw,AD8,ABT,,Zw,AH4,ACR,,nQ,ALU,ADE,,0Q,AOU,AD8,,EAE,BwB,AnAQ,PwE,EwB,BXAQ,ZAE,IgB,CgAQ,vAE,B8aKD4,AYTBSuOH0ANHx0oPg,BhMFOH3///8SAQIICSgW,AGfXQ,AoaEwU4Zv///x9ADR8UEwU4Wv///wd7dQ,Cihy,AKHxcTBThG////B3t0,AKKHI,AofChMFODL///8SAQIICSgW,AGfXY,AocEwU4G////wd7dg,Cihy,AKHRMFOAj///8ICVgMGBMFOPz+//8SAQIICSgW,AGfXc,AofDRMFOOT+//8gg,,A0fDBMFONX+//8ICVgMHwkTBTjI/v//B3t4,AKKHI,AofFRMFOLT+//8SAQIICSgW,AGfXU,AoZEwU4nf7//wd7dw,Cihy,AKHxETBTiJ/v//H0ANHxATBTh9/v//H0ANGxMFOHL+//8SAQIICSgW,AGfXk,AofFhMFOFr+//8ICVgMHw4TBThN/v//H0ANFxMFOEL+//8ICVgMHxITBTg1/v//EgECCAkoFg,Bn14,AKKwo58fz//zjp/P//HwsTBTgR/v//CAlYDCsKOb78//84tvz//xYTBTj5/f//B3t5,AKKHI,AorBgo4lfz//x8TEwU43f3//wcq,,EzADAFI,,R,ARABYKKwMHKzUfGyg9,AGCyvzBisaFwsr7AIGBFiRAwaRLgYYCyveFioGF1gKKwQsAiviBgOOaTICKxUr3EUD,,xP///8v////Z////K7gXKg,EzAEABg,,O,ARc3o,AoDb3s,AolCgoCBhQEb3w,AoqHgIoBw,CioTMAMAlwc,AI,BE,,rBxEJOBgH,AfJSg9,AGEwkr7n4I,AEHw8YnisHEQs41wY,B8QKD0,AYTCyvufgg,AQfERc4sQY,BgTCyvcfgg,AQfEB8OnhYTCyvNHBMJHxEoPQ,BhMLK78roB8TjQw,AGAC,ABH4I,AEFh8Qnn4I,AEFx8Rnh8NEwk4ef///34J,AEGh2efgk,AQbHp5+CQ,BBwfCZ4fExMJOFf///8WCwc5bQI,AYaXTlQAg,HxQTCTg+////fgk,AQfDR8Xnn4J,AEHw4fG55+CQ,BB8PHx+eGxMJOBj///9+CQ,BB8QHyOefgk,AQfER8rnn4J,AEHxIfM54fERMJOPH+//9+C,ABB8SHw+eHx2ND,,YAJ,AEfgk,AQWGZ4fDBMJOMr+//8,CAgAQ,jQs,AKABQ,BB8gjQs,AKABg,BBcTCTil/v//fgk,AQfHCACAQ,nh8djQw,AGACg,BB4KGRMJOIL+//9+C,ABB8MHwyefgg,AQfDRmefgg,AQfDh8NnhYTCThd/v//fgk,AQfCh8Pnn4J,AEHwsfEZ5+CQ,BB8MHxOeGhMJODf+//9+CQ,BB8WH2Oefgk,AQfFx9znn4J,AEHxgggw,AJ4fEhMJOA3+//9+CQ,BBcann4J,AEGBuefgk,AQZHJ4YEwk47f3//34I,AEGB8Snn4I,AEGh6efgg,AQbHZ4fDxMJOMv9//9+C,ABB8JG55+C,ABB8KHwuefgg,AQfCxqeHwkTCTim/f//fgg,AQcHwmefgg,AQdHJ5+C,ABB4fCp4fDhMJOIP9//8,,,,dEwk4df3//34J,AEHxMfO55+CQ,BB8UH0Oefgk,AQfFR9Tnh8LEwk4Tv3//34J,AEHxkgow,AJ5+CQ,BB8aIMM,ACefgk,AQfGyDj,,nh4TCTgf/f//fgk,AQdHwqefgk,AQeHwuefgk,AQfCR8Nnh8KEwk4+vz//xcrAxYrAC0EBxdYC34K,AEBgeeBhdYCgYfHD+L/f//Hx6ND,,YAL,AEK08RCkUS,,Cw,ACI,ABE,,Zw,AIk,ACs,,y,,Nk,ADv,,CAE,CAB,BIAQ,agE,IYB,CpAQ,xgE,N4B,,Ag,HyEoPQ,BhMKK6Z+Cw,BBwfCZ5+Cw,BB0fDZ4bEworj34L,AEHxYgAQg,J5+Cw,BB8XIAEM,CeGhMKOG3///9+Cw,BB8OIIE,ACefgs,AQfDyDB,,nh8KEwo4Sv///34L,AEHxQgAQQ,J5+Cw,BB8VIAEG,CeFxMKOCj///9+Cw,BB8YIAEQ,Cefgs,AQfGSABG,Anh8NEwo4Bf///34L,AEHh8Rnn4L,AEHwkfGZ4fDhMKOOn+//8WDQk5TQE,B8REwo42P7//x8ejQw,AGAD,ABBoMHBMKOML+//9+Cw,BBgZnn4L,AEGRqeHw8TCjip/v//fgs,AQWF55+Cw,BBcYnh4TCjiR/v//fgs,AQfECABAQ,nn4L,AEHxEggQE,J4fJSg9,AGEwo4af7//34L,AEHxwgAU,AJ5+Cw,BB8dIAFg,CeHRMKOEf+//9+Cw,BB8MH0Gefgs,AQfDR9hnhgTCjgr/v//fgs,AQfGiABI,Ann4L,AEHxsgAT,AJ4fCxMKOAj+//9+Cw,BB8KHyGefgs,AQfCx8xnh8MEwo46/3//34L,AEGhuefgs,AQbHZ4WEwo40/3//34L,AEHxIgAQI,J5+Cw,BB8TIAED,CeGRMKOLH9//8IGF0sAxcrAxYrAC0ECRdYDX4M,AECAmeCBdYDAgfHjLeFhMEEQQsLn4F,AEEQSPCw,Ah8wEQRYfRE,AR+BQ,BBEEjws,AIefRI,AQRBBdYEwQRBCCP,,Mckgk,,BMFEQUtOH4F,AEEQWPCw,AiCQAQ,EQVYIJ,,BZfRE,AR+BQ,BBEFjws,AIfCX0S,AEEQUXWBMFEQUg/w,ADG/I,B,ATBhEGLTF+BQ,BBEGjws,AIRBi,AQ,WX0R,AEfgU,AQRBo8L,ACHX0S,AEEQYXWBMGEQYgFwE,DHGIBgB,ATBxEHLTd+BQ,BBEHjws,AIgw,,BEHWCAYAQ,WX0R,AEfgU,AQRB48L,ACHn0S,AEEQcXWBMHEQcgHwE,DHAFhMIEQgsT34G,AEEQiPCw,AhEIfRE,AR+Bg,BBEIjws,AIbfRI,AQrBp44Sfn//xEIF1gTCCsaRQQ,,f+f//Mfn//0D5//9O+f//OA/5//8RCB8fMQIrYCunRRU,ACa+P//6Pj//w/5//8x+f//Svn//3D5//+X+f//vvn//+P5//8G+v//K/r//1H6//97+v//m/r//736///i+v//Bfv//xP7//86+///afv//477//84ivj//34F,AEfgY,AQoIQ,BoAH,AEKgATMAQAZg,ABI,BEAFgorAwgrRR8QKD0,AYMK/MHKyoYDCvsFisWHxsoPQ,Bgwr3wYCB5QDB5RaWAorAwsr5xkMK8wHF1gLKwQsAivSBwKOaTICKxkr2UUE,,sP///7f////E////1////yukBio,BMwBADk,,Cw,EQAWCisGCTi9,,HxAoPQ,Bg0r8Ac4n,,BgNK+YWOIE,,WDSvcBgIHlH4F,AEB48L,ACexI,ARaWAofESg9,AGDSu7BxdYCwcCjmky1SsXEQRFB,,As,,Y,,I,,EQ,,fGyg9,AGEwQr3hYMHxAoPQ,BhMEK9EILDYYEwQryQYDCJR+Bg,BAiPCw,AnsS,AEWlgKKwYLOHn///8ZEwQrpQgXWAwrByyVOF3///8IA45pMgIrHCvFRQQ,,4////Qv///0z///9t////OCn///8GKhMwAwB4,,Ew,EQACjmmNCw,AgorAwgrUB8QKD0,AYMK/MHKzcYDCvsFisjFgwr5QYHjws,AICB5R9Eg,BB8RKD0,AYMK8wHF1gLKwMLK9oHAo5pMgIrBivULPQrxQYoI,ABisXRQQ,ACl////rP///7P////M////K5kGKhMwBADeAQ,F,AEQACFo8L,ACexI,AQKKwcRCjilAQ,HxAoPQ,BhMKK+4RBDiBAQ,GBMKK+IXOGAB,AWEwor1wYCEQSPCw,AnsS,AELxMZEworwgIRBI8L,ACexI,AQKEQQXWBMEEQQCjmky0AYXWI0M,ABCysXEQtFB,,As,,o,,Nw,AD8,,fGSg9,AGEwsr3gcCEQWPCw,AnsS,AEjww,AElShdYVBkTCyvBEQUsGR8bKD0,AYTCyuyFhMFFxMLK6oRBRdYEwURBQKOaTK/BhdYjQw,AEMKyMRCUUH,,Cw,ABs,,k,,LQ,AD0,ABE,,T,,B8kKD0,AYTCSvSCBEGCZ4fFig9,AGEwkrwgcWFp4bEwkruREGLSoZEwkrsAkHEQYXWZRYF2INFhMJK6AWDRcTCSuZFxMGGBMJK5ERBhdYEwYRBgYx1hYTBxEHOX,,ACEQePCw,AnsS,AEEwgRCCwDFisDFysALTMCEQePCw,AggRCJR9EQ,BCsHEwQ4mf7//wgRCI8M,ABJUoXWFQrCjqz/v//OHX+//8RBxdYEwcrGkUE,,Uf7//13+//9o/v//ff7//zhB/v//EQcCjmkyiSp6czk,AYlAigi,AGfRc,AQlAygi,AGfRg,AQq,,EzAEAPo,,V,AR,KOaY0J,ACCisHEQU4uw,AB8kKD0,AYTBSvuCDiW,,HxAoPQ,BhMFK90CCI8L,ACexI,AQWOG8,,YEwUrxhID/hUJ,ACGxMFK7kWDBYTBSuyFgsZEwUrqysTEQRFAw,,s,,e,,L,,B8bKD0,AYTBCviEgMCCKML,ACfQ0,AQXEwQrzxIDCNF9Dg,BBgTBCvBBgclF1gLCaQJ,ACKwQxAiuNCBdYDCsHLAU4Y////wgCjmkyAisnOGH///9FBg,ADP///9E////W////2j///9v////dv///zgj////BgcWFigj,AGKg,EzAGAMEB,AW,AR,ONCQ,AgorBxEHOHQB,AfGSg9,AGEwcr7hY4RQE,B8JEwcr4ggXOCYB,AbEwcr1gONCQ,AgsfChMHK8kWJRMEDRYTByu/EQZ7DQ,BHsR,AEBEBv,,FxMHK6gIEQZ7Dg,BH0U,AEHwsTByuVAhEFowk,AITBh4TByuGCBZ9Ew,BB8RKD0,AYTBzhx////EQZ7DQ,BHsS,AEBTMkGhMHOFr///8RBSxrHBMHOE7///9zNw,BgwdEwc4QP///ytNEQZ7DQ,BHsR,AEEQZ7DQ,BHsS,AEBVkXWR8fX2MXXxb+AywDFisDFysALQ8HCSUXWA0RBqQJ,ACKw8GEQQlF1gTBBEGpAk,AIRBRdYEwURBQM/Tv///wh7Ew,BCwDFysDFisAOoU,,RBBYxIAgGEQQEF2IFF1goIw,Bn0V,AEKwp9Ew,BDjQ/v//CRYxAisJK1gTBTi0/v//CAcJBBdiF2AFF1goIw,Bn0W,AEKzpFD,,GL+//9u/v//ev7//4f+//+R/v//qP7//7v+///K/v//3/7///b+//8C////EP///zhS/v//CCp+A34J,AEAiABAQ,WZRUBH4K,AEAiABAQ,WZRUKg,ABMwBABr,,EQ,EX4J,AEAigB,ArK1YGFis/BmYXWSsfAwYgAQE,FhUKxcHRQM,,P,,J,,DY,,rAwor3h8bKD0,AYLK98EAn4J,AEBpRZVCsEL8UrvRcLK8oFfgo,AQGlFQrAworpxgLK7gqABMwBABl,,EQ,EX4L,AEAigB,ArK1AGFis5BmYXWSsZAwZUKxcHRQM,,P,,J,,DY,,rAwor5B8bKD0,AYLK98EAn4L,AEBpRZVCsEL8srwxcLK8oFfgw,AQGlFQrAworrRgLK7gqIgIDKCw,AYqJgIfDygs,AGKn4CHxBZRQM,,C,,B,,AY,,rBhgqGSodKhYqEzAFAM8B,AX,ARczI,AYKFji2AQ,BzieAQ,AgMHWJQ4fgE,BcrAxYrADqz,,FgwIF1gMKxcRBkUE,,Cw,ABw,,q,,Nw,AB8bKD0,AYTBiveBwhYBC8uHxkoPQ,BhMGK80CAwdYCFiULBUZEwYrvwggig,AC8NFxMGK7IWKwMXKwAtpAgZLxoIFzIIBhZvMw,BiYIGDI4BhZvMw,BiYrLggfCy8VBh8RbzM,AYmBggZWW8z,AGJisUBh8SbzM,AYmBggfC1lvMw,BiYHCFgLON0,,CAwclF1gLWJQNKxcRBUUE,,Cw,ABg,,m,,Lw,AB8bKD0,AYTBSveBglvMw,BiYXEwUr0RYTBB8ZKD0,AYTBSvDEQQsCxkTBSu6EQQXWBMEBxEEWAQvWBEEHC9TAgMHWBEEWJQJLuMrFxEHRQQ,,L,,GQ,AC8,ABH,,HxkoPQ,BhMHK94GHxBvMw,BiYXEwcr0AYRBBlZbzM,AYmHxEoPQ,BhMHK7oRBBkyAisMKx05gP7//zh4/v//FhMHK6IHEQRYCysHLAU4W/7//wcEMgIrCzhQ/v//CzhE/v//Bm80,AGKh4TMAUAqAE,Bg,BE,o5pjQw,AEKKwcRCDh0AQ,HxsoPQ,BhMIK+4CjmmND,,ThKAQ,FxMIK9wWOCsB,AfESg9,AGEwgrywYRBhEGnhoTCCvAEQYsCxgTCCu3EQYXWBMGEQYGjmky3wIHAo5pKH8,AorFxEJRQQ,,L,,Fw,AB8,,s,,HxsoPQ,BhMJK94HBigC,ArGBMJK9IILBYZEwkryhYMHxAoPQ,BhMJK70IF1gMCAeOaS8NBwiULAMWKwMXKwAt6QeOaQhZjQw,AENBwgJFgmOaSgE,AKCY4sAxcrAxYrAC0KFo0M,ABEwQrHQmOaRczDheND,,SUWF54TBCsJCQMoLQ,BhMEAo5pjQw,AETBSsXEQpFB,,As,,U,,H,,Dg,,fECg9,AGEwor3hEHLDcYEwor1RYTBxYTCivNEQUGEQcIWJQRBBEHlJ4rBxMGOM7+//8ZEworsREHF1gTBysGCziw/v//EQcRBI5pMgIrICvKRQU,AB+/v//kP7//6H+//+s/v//tf7//zhu/v//EQUqEzAGAP8B,AZ,AR,KOaQorBxEOOMkB,AfECg9,AGEw4r7ggRBQIRBRhalAIRBRhaF1iUWDiYAQ,HBMOK9IDjQI,Bs4egE,BsTDivCFhMFGRMOK7oRBSwqFhMOK7ECjmkYW40M,ABDB8ZKD0,AYTDiubBxYCohoTDiuSEQUXWBMFEQUIjmkylxcTBhEGOpU,,IAigu,AGEwcrHxEPRQY,,L,,F,,CU,,/,,TQ,AFg,,fJCg9,AGEw8r1hEILE8YEw8rzREHjmkYW40M,ABDBkTDyu8CBEIEQcRCBhalBEHEQgYWhdYlFieGxMPK6IWEwgfGyg9,AGEw8rlAcRBhEHohcTDyuJEQgXWBMIEQgIjmkywBEGF1gTBhEGAz9j////Bo0M,ABDSsTERBFAw,,s,,V,,Hw,AB8bKD0,AYTECviBhdZEwQXExAr2AMXWRMJGBMQK84raAcRCZoTChYTCxYTDBYTDRENLDMRDAKOaS8gAhEMlBEKEQ2UMxUJEQyPD,,SVKF1hUEQwXWBMMKwYRCxdYEwsRDRdYEw0RDREEGFoyxRELEwQrBgs4gP7//xEJF1kTCSsGnjhi/v//EQkWLwIrKCuPRQc,,h/v//Pf7//03+//9V/v//Xv7//3T+//99/v//OBH+//8JKgATMAYA7g,ABo,BE,o5pA45pWI0M,ABCisHEQQ4rw,AB8bKD0,AYTBCvuFjiO,,GhMEK+MWOGg,,fGSg9,AGEwQr0gksPBsTBCvKBgklF1gNAgclF1gLlJ4cEwQrtxYMFxMEK7ACB5QDCJQvBxkTBCujKw4GCSUXWA0DCCUXWAyUngcCjmkvGwgDjmky1ysTBgklF1gNAgclF1gLlJ4rAw0rlQcCjmky5ysWBgklF1gNAwglF1gMlJ4rBgs4bP///wgDjmkyAisoK+BFBw,ADv///9G////V////1////9y////ef///4b///84K////wYqHgJ7E,ABComAnsP,AEA5QqUgIoBw,CgIfEI0M,ABfQ8,AQq,,EzAFAFk,,b,ARAnsQ,AEAnsP,AEjmkzKQJ7E,ABBhajQw,AEKAnsP,AEFgYWAnsQ,AEKAQ,AoCBn0P,AEAnsP,AEAnsQ,AEA54CAnsQ,AECwcXWH0Q,AEByo,,TMAUAIg,ABw,BECex,,SND,,QoCew8,AQWBhYCex,,QoB,ACgYq,ATMAMA+w,AB0,BH+CQ,/g4,P4M,AgmH7BImYgvH7BIlg9OQ,AP4M,AgALaNRyAF,,YyCRtJ4MYSD9Jl3xWDtk,,/gw,CDAj4skIJ2PiyRZO10,,4kw,AP4M,Agdn9e3GUgoO821mEgfkW1/VgghbRM82FZRQI,,7,,S,,P4M,AgvyIrAmYgNRQ17FhlILkO9hVhOz4,,4S,,CCgAQ,IAM,ABjZiogaX9J4GYgLX9J4FgqIL6AK/ZmIISAK/ZYKiDKOEHqIP/hyRVYIDnl9P9hKiB8yhf9ZmUgZMoX/WFlKiCkpt7mIFQy2/RZIK+L/A1hKgATMAMAUQ,AB0,BH+CQ,/g4,P4M,AgRdzkziBZb98YWCCY49X2YSC1V+7uWGZAFQ,ACDF3JD7ZiAB,,Y2UgXm7I/VllKiBgbw8mIFhvDyZZIAM,ABjZSoeAigTMAMAJQE,B0,BH+CQ,/g4,P4M,Agf/z//2YgBQ,AGNZRQw,ABU,,BQ,AMo,ACN,,yg,AGc,ACg,,yg,ACM,ABC,,g,,Lg,,4xQ,ACCuzuQBIEURXQ1ZIAkBR+RhIF0QD+1ZIP9TTtxhKiAXfeAcIKiSH+NYZiAG,,YyAE,,YiAE,,YyogLWMy2iBThM0lWCAH,,Yyoggklf9iAeSV/2WWUgAQ,AGMqICVjBSlmIOV72PtYIEJvrQ9hIACIgSJYKiD,,AIAU,ABjZSogB/XS3mYgAg,AGMg+EJLCFkqIJjT26ggAg,AGMgBvU26lkgAQ,AGIqIKWAse0grYCx7VkgAg,AGMqIN4ZzukgI+YxFlhlKh4CKBMwAwDb,,HQ,Ef4J,D+Dg,/gw,CD8dnnLIHRuACVYIEHlefBZWUUD,,Sg,AHc,,9,,/gw,CDI////ZmVlWUUD,,b,,Hs,,6,,/gw,CD3ZbkIIMK96vhZIAdYMfBYOzg,,4X,,CBpzCraZiCsM9UlWSogyzlS82UgOcatDGFlKiBc0/X+IGZHY/BZILCeXPthILHqMQpYKiAc,,ZSog81ODHyAqyoXzYWYgzZkG7FgqIHMoLe5lIHsoLe5hZWYqIBBvexllIHBvexlhIAc,ABjKgATMAQAYg,AB4,BEgAB,AI0E,ABK0wCc0,,YLBwYWBo5pb0E,AYMKwMJKxUfECg9,AGDSvzAwYWCG9w,AKKxNFAw,AOT///8G,,FQ,ACvYGA0r0QgWMQIrBSsJCiuxFg0rwiuyKh4CEzADAGYB,Ad,AR/gk,P4O,D+D,AII,,AgB,,GMgBw,AGIgBg,AGNZRQc,ABs,,Y,,LE,,IAQ,CAE,AgB,Ce,,/gw,CCsz6CyIBhoRwhYIAE,ABjIMkbdN1ZWUUD,,TQ,ANs,ABf,,/gw,CBGwaMmZiBowaMmWFlFBg,AJ8,ACt,,rQ,AHg,ABk,,j,,Dio,,IFM1zOggUDXM6FkqIHBftNhmIHFftNhhZiogHzvUDSDKm7YHWCAZKXXqWCogqepSHiCl9JL2WSAE9r8nWSog7L3y+yBLIbr+YSCunEgFWWYqIO+1f+ZmZiAYSoAZWCogYOn64yAfFwUcWGZlIAM,ABjKiDw1H4JZSBv1H4JYWYgBQ,AGMqIAYjYCkgBiZgKVkgBw,AGNmKiBtn9LqZiBkn9LqWGYqILa7rxsgRONl5VggI8kJ5mEg2Vcc51lmKg,EzADAHo,,d,AR/gk,P4O,D+D,AINyzLw9lIJtADhRYIKWM3gRhOxo,AD+D,AIGzMsw4gdjNM8VhmOxc,,4Kg,ACDCN1zSIDPTUNZhIOLkDARZKiDizhTWILh/sPZhIJtGSP1YIP337B1hKiBMrmDVIEqJyfdhZSAFJ6kiWCo,BMwAwDY,,HQ,Ef4J,D+Dg,/gw,CD7WuAGZSDFz6cXWSB01XfhYVlFC,,D8,ABi,,gQ,AIE,,y,,gQ,ABo,ABN,,/gw,CConPkZZiARYwbmYTta,,OGc,,g17ypDSAdQ1byYSAC,,YiAD,,YyogAmXuAiDlZO4CWWUqIIgchxsgduN45FhmZSogfw8,GVmIAE,ABjZiAG,,YyogHq1vFmUgBq1vFlgqILvwHu0gOwXhEmEgBw,AGMqIEIIb8sgXET+22EgH0yREGFlKt4CIAG,ABzU,ABn0Z,AEAhUrDwIVfR0,AQCKAc,AorB30c,AEK+oCA3NM,AGfRo,AQqEzAFANw,,S,ARBTjK,,FisDFysALRMCeyI,AQ4og,ABYrAxcrAC0CFioWOH0,,GOZY,,CAihC,AGFv4BfSI,AQCexw,AQWLxACeyI,AQsAxYrAxcrAC3YAnsi,AELAMXKwMWKwA6c,,AIDBAZYBQZZKEM,AYLKxIIRQM,,K,,Eg,ACQ,,fECg9,AGDCvkBgdYChgMK9wHFjECKwgrDAo4ff///xYMK8orEwIVfRw,AQrCjlc////OFT///8GBTICKw84bv///zk0////OCz///8GKhMwBABhB,AHw,Ef4J,B7Hg,BDg3B,AIOcLzw0g5wvPDWFlOBY,,gnFBVVSAB,,YyBNqKoqWTg,,AOg0,,gk+5PIGYglO5PIFgq/gk,P4J,B7Gg,BHsp,AEfS,,Q4CQ,AP4MAwA4jwM,CBo6qfiZSCCFVgdWSg9,AG/g4DADjd/////gk,Hsa,AEODQD,AgAP///yAG,,Y2X+DgMAOLr////+CQ,exw,AQggP///yAF,,Y2VATwE,CBfWjvZIE6TQiJhIO82hgRY/g4DADiG/////gk,P4MAgB9Hw,BCB2CU4dZiCE9rHiWf4OAwA4ZP////4J,AgwhfJH2UgP+g24GF9J,ABCD7aysCIPNrKwJZ/g4DADg7/////gk,Hsa,AEIGzIuUAgu0A/31ggFwn5H1lvTQ,BiBIOwcAIAI,ABiIAU,ABjYf4OAgAgL/QF6SDTC/oWWP4OAwA48v7///4J,AUfRs,AQg/f///2X+DgMAONn+///+CQ,/gk,Hsa,AEIPm2txAg+7a3EFlmb00,AYgtZbPKSC1ls8pWWX+An0e,AEIEvpeSkgXel5KVllKD0,Ab+DgMAOI7+///+CQ,/gk,Hsa,AEILaJ8PdlIEl2Dwhhb00,AZ9H,ABCCwM84jIE/MMdxhZf4OAwA4Vv7//zgXAg,/gk,Hsc,AEIPj///8gAg,AGNlQOY,AB+BQ,BP4O,A4HQ,AP4MBQBFBQ,AB8,ABN,,bw,AJg,AC2,,IBAB,AgAw,AGIgBw,AGMoPQ,Bv4OBQA4xP////4J,AgqsNzFSBHqgP3YSATlo8dWH0f,AEIAQw2wcgBTDbB2H+DgUAOJb////+CQ,fgc,AR9Gw,BCDn////ZSg9,AG/g4FADh0/////gk,CA7aK8NIDtorw1ZIAM,ABjfSQ,AQg/P///2X+DgUAOEv///9+Bg,BP4OAQAgnYLIGmYgnoLIGlj+DgUAOC3///84FwE,P4J,B7H,ABCDu640cICsJePJZID4d6tVYQPg,AD+CQ,/gk,Hsa,AE/g0,P4NAQAoSg,BjgV,,/gwEAEUD,,Hw,AEg,AB8,,IDNAkA8gFN+65lkg/J4q11goPQ,Bv4OB,4zP////4J,AgDqnJFSAOqckVYX0f,AEIPj///9lIAM,ABj/g4EADij/////gk,P4M,D+DAEAKCE,AZ9Gw,BDgK,,b04,AY4wvz//yD9////Zv4OB,4b/////4J,Ag/////2YgBg,AGN9J,ABDgu,,RQk,ABi/P//hfz//7n8///b/P//BP3//039//9m/f//sf3//+n9//84Q/z///4J,D+CQ,exo,AR7KQ,BH0h,AEOAo,,51fv//zi/+///IHwaPAogXWMnDlgg2H1jGFkq,,EzAEAHME,Ag,AR/gkCADhXB,A/gk,Hsc,AEIAbozxwgn7UfEmEga6Iv8Vg4EgQ,P4J,B7Hw,BCBxms0UIHGazRRZZTjPAw,/gkDAP4J,B7Hw,BCiC,AK/g4BADgh,,/gwFAEUG,,Gg,ADw,ABq,,lg,AMU,ADw,,IPOAVudmIASBVudYKD0,Ab+DgUAOMX////+CQMA/gwBAFn+CwMAIK660xVlILC60xVY/g4FADij/////gk,Hsa,AE/gkBAP4JAgD+DAEAb08,AYgG,,CAD,,Y/4OBQA4df////4JAgD+DAEAWP4LAgAgiatMKSD8uYH2WCCjZc4fYSg9,AG/g4FADhJ/////gk,HsZ,AE/gkBAP4JAgD+DAEAb1I,AYgBLGyGCAJsbIYWWb+DgUAOBr////+CQ,/gk,Hsf,AE/gwBAFl9Hw,BCCfiN/lIJ+I3+VZ/g4FADjv/v//ONEC,D+CQ,eyQ,AQ5EQ,ACAk4fQSICbh9BJZZjgW,,IPhuqTYgAFi712Eg+DYS4Vk4,,ADqXAg,/gk,Hsj,AEIAYhS+wgBiFL7GE+FQ,AP4J,D+CQEA/goCAP4KAwAoR,ABv4JAwAgtXXo8CC1dejwYT5VAg,/gk,Hsa,AE/gk,Hsb,AEexc,AQoRw,Bv4OAgD+CQ,/gwCACB/YejcIH9R6NxZIAQ,ABj/gF9J,ABP4J,B7J,ABDkR,,ILXFiiFlIEo6dd5hOBY,,gtgFr0yCAMJnmWSDKLi4TWDg,,AOtsB,D+DAIAIBJREOwgxic1/mEg1HUlElk8mg,AP4JAQD+CQIAJSD+////Zlj+CwIA/gwCANKcOBU,AD+DAcARQM,,a,,PQ,AGE,,gr0is9SA2t1MKWGUoPQ,Bv4OBwA40f////4J,B7GQ,BP4MAgDSb1E,AYg,,AGZl/g4HADiu/////gkDACALmxDpIAqbEOlhWf4LAwAgAw,AGVm/g4HADiK////OP4,AD+DAIAIJslKgEgSNnV/lhlPek,AD+CQ,exo,AT+DAIAKEg,Ab+DgMAOBk,AD+DAYARQQ,,a,,Ng,AH,,CR,,IHeTXCpmIHhso9VZKD0,Ab+DgYAOM3////+CQ,/gwDAH0j,AEIP3///9l/g4GADix/////gk,Hsa,AE/gk,Hsb,AEexg,AQoSQ,Bv4OB,g4aFUH2YgB16r4GEoPQ,Bv4OBgA4d/////4J,D+DAQAfR0,AQgGsXg/CAaxeD8Wf4OBgA4Vv////4J,D+CQEA/goCAP4KAwAoR,ABjgK,,Pi4,,4J/z///4JAwAg+4Sz7SAFe0wSWGU9BQ,ADgP,,OLX9//9ANP3//zjk+////gk,P4J,B7Gg,BHsp,AEfSE,AQ4CQ,AP4O,A4oPv///4JAgD+D,AWSoAEzAFADwB,Ah,AR,J7Iw,BAVKKII,AoKKwYJOAUB,AfECg9,AGDSvwBQVKBlk43g,ABgNK+ICexk,AQCex0,AQGAnsd,AEKII,ApvUw,BjiX,,HxsoPQ,Bg0rtgICeyM,AQGWX0j,AEGQ0rpCtRBxYDBEoHjmkoB,ACisSCEUD,,Cg,ABQ,,g,,HxAoPQ,Bgwr5AYHjmlZChgMK9oEBEoHjmlYVBYMK84Cexk,AQHFgeOaW9S,AGBgeOaTCpBxYDBEoGKAQ,AorGxEERQM,,T,,Lg,AFU,,rBgs4Y////x8QKD0,AYTBCvaAnsZ,AEBxYGb1I,AYrBlQ4HP///xgTBCu/BARKBlhUKxpFB,,PD+///+/v//Kv///zz///844f7//xYTBCuYKhMwBQB,,ADw,ES,B,AjQQ,AEKKwUDB1krIAMWMSICBhYg,Q,AMogg,CihB,AGJQsWMAIrCCvb/gsBACvaAxb+Ahb+ASoTMAQAH,,A4,BEg,Q,I0E,ABCgIGFi,B,AKEE,AYWMPAqAzACAF,,,,,KxoCF29N,AGFisxA3sV,AEKw8DexY,AQrBwMsAisIKwn+CwEAK/MWKwMXKwAtGAN7Ew,BCwCKwYrBzDVK8sWKwMXKwAtuQN7F,ABCoTMAMAIg,ABE,BEDEgASASsIBxYxAisJKxEoJ,ABivxBgIHb00,AZYKgYq,ATMAIAew,,s,BE,gMoRw,BgorBBEEK0YfESg9,AGEwQr8QIIb00,AYrIBoTBCvjfgw,AQGlAwfGSg9,AGEwQr0AgWMQIrBSs2DSvdFhMEK8B+Cw,BAaUCysbRQU,ACs////uv///83////d////Bw,ACufFxMEK5YHCVgqByoAEzAEAOsB,Ai,AR,Mbb00,AYgAQE,FgKKwcRCjihAQ,HxYoPQ,BhMKK+4RBzh8AQ,HxEoPQ,BhMKK9x+C,ABDhUAQ,GxMKK80WEwcWEworxREECREHlAMZb00,AaeHRMKK7IDGm9N,AGGlgMFxMKK6MfE40M,ABEwQYEworlQMbb00,AYXWAsaEworhhEHF1gTBxEHCDK2EQQoHw,Bigi,AGEwUrHxELRQY,,L,,KQ,ADs,ABD,,T,,Fk,,fECg9,AGEwsr1gRQEQiPCw,AhEGEQiUfRI,AQfJig9,AGEwsruAMRBQYHWChL,AGEwYaEwsrphYTCBkTCyueEQgsGBYTCyuVBAaNCw,AlEYEwsriBEIF1gTCBEIBjKnBFAoI,ABisbEQxFBQ,,s,,e,,Jw,AEE,ABR,,HxsoPQ,BhMMK9oFB40L,ACUR8RKD0,AYTDCvHEQksQRgTDCu+BVARCY8L,ACEQYRCQZYlH0S,AEGhMMK6QWEwkrBg04pv7//xcTDCuUEQkXWBMJKwo55v7//zh6/v//EQkHMgIrLCu7RQg,ABF/v//V/7//2b+//9u/v//gf7//5D+//+e/v//rf7//zg1/v//BVAoI,ABioAEzAFAHIB,Aj,AR,SND,,QorBxEIOD0B,AfGSg9,AGEwgr7ggfEDgVAQ,GhMIK+ECAyhH,AGOPg,,WEwgr0BYLGRMIK8kHOfw,,fECg9,AGEwgruAYHCJ4bEwgrrzjT,,CB8QQGg,,CGG9N,AGGVgNKxcRB0UE,,Cw,ABM,,c,,Mg,AB8bKD0,AYTByveFhMEFxMHK9YRBCwhGBMHK80GBxEEWAYHF1mUnh8RKD0,AYTByu3EQQXWBMEEQQJMt8HCRdZWAsrYwgfETM+KxMRCUUD,,Cw,ABs,,n,,HxsoPQ,BhMJK+ICGW9N,AGGVgTBRcTCSvSBxEFF1lYCxgTCSvGKyAIHxIzGwIdb00,AYfC1gTBgcRBhdZWAsrBgw4Av///wcXWAsrCjwi////OOH+//8HBDICKyc42/7//0UG,,sf7//77+///P/v//1v7//+f+///w/v//OKH+//8GKjoCKAc,AoCA30o,AEKg,ABMwBQDv,,EQ,EQICeyk,AQDalgrVQMCeyc,AQCeyY,ARZWQorOwICeyU,AQCeyg,ARvgw,CrgCeyc,AQfH19iYCsUAgJ7Jw,BB5YfSc,AQGHlkKKwd9JQ,BCvlBhYwAisJK719KQ,BCukAnsl,AEAnsm,AEHx9fZBcDHx9fYhdZXwICeyY,AQDWH0m,AEAnsn,AEAnsm,AEMxgCAhYlC30m,AEB30n,AEAhZ9JQ,BCoCeyY,AQeMjACAnsl,AEAnsm,AEHx9fZH0l,AEAgJ7Jw,BAJ7Jg,BFl9Jw,BAIWfSY,AQqABMwBABH,,HQ,EQJ7Jw,BAJ7Jg,BCstAgJ7KQ,BAJ7Jw,BAJ7Jg,BFlqWH0p,AEAgIWJQp9Jg,BAZ9Jw,BCsELuwrzwIWfSU,AQqABMwB,h,,HQ,EQJ7K,ABAMEBW9v,AKCgICeyk,AQGGWJqWH0p,AEKmoCKAc,AoCA30s,AEAgONB,,X0q,AEKhMwBABE,,HQ,EQJ7Kg,BAICeys,AQKBhdYfSs,AQGAysXAnsr,AEAnss,AEMgwCFn0r,AEKwOcK+YCAnst,AEF2pYfS0,AQqEzAFAI8B,AL,AR,ICey0,AQFalh9LQ,BCsHEQQ4UAE,B8bKD0,AYTBCvuBQJ7L,ABDgbAQ,GBMEK90CFjjp,,GRMEK9EDBAJ7Kg,BBYCeyw,AQoB,ACh8QKD0,AYTBCuyKgJ7Kw,BAVYAnss,AEPoc,,Ceyw,AQCeys,ARZCisaCEUF,,Cg,ABU,,q,,Qg,AFw,,fESg9,AGDCvcAgd9Kw,BBoMK9EDBAZYAnsq,AEFgcoB,AChYMK7wDBAJ7Kg,BAJ7Kw,BAYoB,AChcMK6QCeys,AQFWAJ7L,ABFkLHxkoPQ,BgwriioDBAJ7Kg,BAJ7Kw,BAUoB,ACiseCUUD,,Fg,ADY,ABk,,Kwp9Kw,BDgN////HxAoPQ,Bg0r2AJ7Kw,BAJ7L,ABDMCKwwrQz8R////ONv+//8YDSu4AgJ7Kw,BAVYfSs,AQrGkUE,,pv7//7f+///D/v//4v7//ziW/v//Fg0rigIWfSs,AQqABMwBgD0,,J,AEQAEjQQ,AEKKwYJOMw,,fECg9,AGDSvwAnsq,AEAnsr,AEA1kGFgQ4h,,BgNK9YCeys,AQDK2cWDSvJOKw,,DAnsr,AEWQsrFghFB,,Ao,,q,,RQ,AFs,,fGSg9,AGDCvgAnsq,AEAnss,AEB1kGFgcoB,ACh8QKD0,AYMK8ACeyo,AQWBgcEB1koB,ACisEMqArlRkMK6UHBC8CKwwrECgE,AKOHL///8WDCuPKy4Ceyo,AQCeyw,AQHWQYWBCgE,AKKxZFAw,AC3///9H////VP///zge////BipT,,JQCp05Xgk4rIwOSJuLKjvvyDor/9i7K1yJK7YbbHqiSCeaMv/MdGor/8g2AB6uaKOdJ3NSEzdUIc6BWp3PZrDSUKPiUAIh7ShItuD41UY7pJed4AQlNKQgE,Q,,,D,,HY0LjAuMzAzMTk,,ABQBs,,jB,ACN+,D4E,AiAw,CNTdHJpbmdz,,AIAd,CIAg,I1VT,gg,AQ,,I0dVSUQ,,YI,,Ac,CNCbG9i,,,,,I,AFXFaIJCQs,ABapAEAFg,AQ,AFI,,R,,LQ,AFM,AB3,,kg,ABE,,k,,Ag,,M,,E,,Ag,,E,,E,,AQ,,c,,C,,,DFBQE,,,AYAzAkjBgoAKQgpBQoA4AEpBQYAtwQjBgYAGAgjBgYAdgojBgoA/AYpBQYAjAHPBAYAbAYjBgYA4QqXBgYA4QaXBgYAY,jBgYAuQKXBgYAIgUjBgYA4AQ9Cg4AWwmiCAYA2AfpCAYAEwbm,YACAJhCQYA8gIjBgYA+wkjBgYAfQUjBgYAEQmXBgYAdAfkCQYArgIjBgYA7AaXBgYAsQXkCQYAEgIjBgYAqQfkCQYAMQmXBgYAJwojBgYATgmXBgYAygeXBgYA6AeXBgYACQcjBgYAkAfkCQYAGwfm,YA0AYjBgYAMgjkCQYAnAfkCQYAiwAjBgYA+gjkCQYAswHkCQYAWwKXBgYAugfkCQYAoQnkCQYAggfkCQYAIgmXBgYAWweRCgYAQgeRCgYADQbm,Y,AaRCgYAtgYjBgYA0QcjBgYAxgCRCgYAdAmRCgYAKgaRCgYASwaRCgYAugGRCgYA/AEjBgYAKAeRCgYAPQaRCgYAwAOXBgYAkwIjBgYAEQSXBgYAXAUjBgYAKATJCAYAlQTJCAYAGANwCBcBAgk,AYAQAOXBgYA9AOXBgYA1QOXBgYAfASXBgYASASXBgYAYQSXBgYAVwOXBgYALAODCAYACgODCAYAowOXBgYAcgPpBAYAiwPJC,,AC9,,,AB,E,QAQANoC+gcF,E,Q,AQ,Tw,,U,QAI,MB,AWCw,UQAD,w,wEQABoL,AF,MAE,,,AFgs,AU,wAU,AB,AaCw,BQAFABw,wEQABYL,AF,0AL,LAR,Ggs,AEBDQAw,,E,iCw,BQAPAD,CAEQACoL,ABAREANw,AR,Lgs,AUAEwA3,ABE,yCw,BQAXADk,AEQADYL,AFABkAOwACAR,Fgs,AUAGQB,AMBE,aCw,BQAlAEw,wEQACIL,AFACoAU,RABYLLAERABoLLwERACoLvwIRAC4LvwITADIL+gMTADYL+gMTADoL/wMzAD4LAwQzAEILAwQzAEYLAwQzAEoLAwQzAE4LAwQDABYLHgUDABoLIgUBABYLAwQBABoLJQUGABYLJQUGABoLJQUDABYLVAUDABoLIgUDACILVwUDACoLVwUDABYLVwUDABoLVwUBABYLZAUBABoLaAUBACIL/wMBACoLJQUBAC4LJQUBADILVAUBADYLJQUBADoLbAUBAD4LbAUBAEILVAUBAEYLJQUBAEoLVAUBABYL7gUBABoLJQUBACILJQUBACoL8QUDAC4LbAUBABYLvwIBABoLJQUDACILJQUDACoLbAVQI,,ACWCPQKG,BAGQg,,AJYIBQss,EAsCM,,AlgBGAHQ,gCAK,,ACGGD4IfwADAPgr,,AJYA5gK2,YAvC8,,AlgBNAe4ACQAkN,,ACWAJIGIAELAMg3,,AJEYRAg+AQ0ALjg,,AlgAWC0cBDQBYO,,ACWABoLRwEOACc5,,AIYYPgh7,8,,,AMAhhg+CF0BDw,,,AwDGAfUBYwER,,,ADAMYB8AFoARI,,,AMAxgHmAXEBFQA0OQ,,CGABYLawIWACBi,,AIYAGguxAhcAJzk,,Ahhg+CHsAGAB0Yw,,CRGEQIPgEYABRp,,AJEYRAg+ARgA7Gk,,AlgAWC00DGAC0bQ,,CRABoLWQMZAPRt,,AJEAIgtwAxwAMG4,,AkQAqC4wDHgDEcQ,,CRAC4LmQMfACRy,,AJEAMguyAyIASHI,,Ahhg+CHsAJQBQcg,,CRGEQIPgElAPR5,,AJMAFgsNBCUAaHo,,AkwAaCw0EJwBYew,,CTACILHQQpANx7,,AJMAKgs2BCoAxn0,,AkwAuCz0EKwDofQ,,CTADILVAQtAPB+,,AJEANgttBC4AvY,,,kwA6C3gEMgDgg,,ACTAD4LjwQ1AFiB,,AJMAQguPBDkAyYE,,AkwBGC5oEPQDSgQ,,CTAEoLogQ/ANyB,,AJMATgupBE,/IE,,AkwBSC7oEQQBIcg,,CGGD4IewBEANiD,,AJMAFguaBEQAjIU,,AkQAaC5oERgCYhw,,CRACILFQVIAEhy,,AIYYPgh7AEoAkog,,AhggeC1EASgCai,,ACGCCYLKAVKAKSI,,AIYYPgh7AEsAvIg,,AhgAWCygFSwAkiQ,,CGABoLOAVMAFSJ,,AJMA2QCpBEwAXIo,,AkwDMAKkETQBIcg,,CGGD4IewBOALyK,,AJMAQAGpBE4ASHI,,Ahhg+CHsATwDwiw,,CTAFkKqQRPANiM,,AJYAFgtwA1,SHI,,Ahhg+CHsAUgBIjQ,,CTABoLqQRSALyO,,AJMAIgupBFMARI8,,AkwDCBKkEV,ok,,ACGGD4I9AJVAGCQ,,AIYAFgv+AlYASJE,,AgQAaCw0DWQC4lQ,,CBACIL/gJZADia,,AIEAKguWBVwAgJs,,AhgAuC6AFXwDMmw,,CGADILewBgAPSb,,AJEANgulBW,UJw,,AkQA6C60FYgCAn,,ACRAD4LpQVk,id,,AIEAQgvIBWY,J8,,AkQBGC+QFaQB+o,,ACDGD4I9AJsAJCg,,AIMAFgsoBW0AjKE,,AgwAaC3sAbgDgoQ,,CDACILaANu,2i,,AIMYPgj1BXEAKKI,,AgwAWC/oFcgB4og,,CDABoLaANzABSk,,AIMAIgsHBnY,,BALwE,ABAMYJ,ABAEo,,CAIY,,DAGgC,ABAEkK,ACALMC,ADAH8B,ABADM,,CACY,,B,E,,CAHEC,ABABYL,ABABoL,ABACIL,ACACoL,ABAC4L,ABAC4L,ACAIsF,ADANMJ,AB,gK,ABADIL,ABADYL,ABABYL,ABABoL,ACACIL,ADACoL,ABAC4L,ACADIL,ABADYL,ABADoL,ACAD4L,ADAEIL,ABAEYL,ACAEoL,ADAE4L,ABAFIL,ACAFYL,ABAFoL,ACAF4L,ABAGIL,ABAGYL,ABAGoL,ACAG4L,ABAHIL,ABAHYL,ACAHoL,ADAH4L,AEAIIL,ABAIYLAgACAIoLAgADAI4L,ABAJILAgACAJYLAgADAJoLAgAEAJ4L,ABAKILAgACAKYLAgADAKoLAgAEAK4L,ABALIL,ACALYL,ABALoL,ABAL4L,ABAMIL,ACAMYL,ADAMoL,ABAM4L,ACANIL,ABANYL,ACANoL,ABAN4L,ACAOIL,ABAE8K,ABAOYL,ABALwE,ABALwE,ABALwE,ABALwE,ABAOoL,ACAO4L,ABAPIL,ABAPYL,ABALwE,ABAPoL,ABAP4L,AC,IM,AD,YM,AB,oM,AC,4M,ADABIM,ABABYM,ACABoM,ADAB4M,ABACIM,ABACYM,ACACoM,ABAC4M,ACADIM,ABADYM,ACADoM,ABAD4MAgACAEIMAgADAEYM,ABAEoM,ACAE4M,ADAFIM,ABAFYM,ABAFoM,ABAF4M,ACAGIM,ADAGYM,ABAGoM,ABAG4M,ABAHIM,ACAHYM,ADAHoM,ABAH4M,ACAIIMGQBhBVEAEQBZAVEAKQBFCVUAMQDvClsAOQC3BWYAKQBeAG0ACQA+CHsAQQB2BpkASQCTAZ4AUQAYCqUAaQD1AaoAQQADB7EAcQBrBVEAeQDLAdcAeQBFCdwAgQByCuIAiQDJCQkBcQC/CQ4BUQDZChQBiQA+CBkBUQDEChQBUQDXBTgBSQCABpkASQBRAQkBmQAaBkIBcQBmClIBcQA+CFcByQAkAqoBwQCdArEBwQCCCbcBwQAICL4B+QADBccByQCpAc0BeQC0ANcAeQAfBeABcQDeCeYBIQGcAe0ByQBLCPUByQCrAgcCwQAvCA0COQGUBRMCOQGhBRsCYQDMAiACUQGRACUCOQH2CSoCUQEWACUCOQH2CTICUQHABSUCOQH2CTkCUQE+ACUCUQE2ACUCUQEPASUCOQH2CUICUQEvCiUCUQEHASUCUQH/ACUCUQFqCCUCOQH2CUsCUQGgACUCUQEpACUCUQEZASUCUQEiASUCOQGtBVMCUQEFACUCUQEeACUCUQFuACUCUQF2BSUCOQH2CVkCUQF+ACUCUQF2ACUCUQFVCiUCOQH2CWICUQEOACUCUQEoASUCUQGYACUCUQGYASUCUQElCCUCUQFmACUCUQEtASUCUQHaCSUCYQE+CHsAYQFKAnwCSQCuCoECaQE2Ao0CeQF9ApQCIQGIAp4CyQAOB6MCKQE+CPQCiQE+CHsAKQGpAPoCKQGHAf4CmQE+CAYDKQFcBg0DKQEUBREDKQFUAFEAKQGzBBUDUQBTAhkDYQGECh8DqQE+CHsAsQHqClsAkQE+CHsAuQGQCSQDyQEzASsDyQF8CisDmQE+CHsAKQHxBTEDyQFaCDYDoQE+CDwD4QHEAnsAkQCpBkgDkQCHAf4CkQAEA2gDwQEPCr8CMQDSAoYDwQG3Cb8CwQH2AL8CwQHKAL8CwQHxAL8CwQHwAL8CwQH9AL8CwQHzAL8C6QE+CHsA8QFFBaIDkQFRBakD+QE+CHsAMQA4BYEEMQDvCtYEMQA4Ct8ECQI+CHwCEQJoBocFkQCzBFEAGQI+CPUFIQI+CHsAKQI+CDYGOQI+CHwCQQI+CHwCSQI+CHwCUQI+CHwCWQI+CHwCYQI+CHwCaQI+CHwCcQI+CHcGeQI+CHwCgQI+CHwCiQI+CHwCkQI+CHsALgAjBA4GLgArBBcGLgAzBD0GLgA7BEYGLgBDBFkGLgBLBFkGLgBTBFkGLgBbBEYGLgBjBF8GLgBrBFkGLgBzBFkGLgB7BHwGLgCDBKYGLgCLBLMGLgCTBPsGwwDrA70DQwELBEoFEwAdADIAhgC9APYAMwFMAXcBcwK3AsMCyAJUA2IDeAOUAwcEFQQlBEgEXASuBMME7wQMBS0FMwU9BVsFbwV8BY0FtAXWBf8FAgAB,o,g,,kLJwE,CILQQU,CoLRQUC,E,wAB,I,wACAD,BQACADEABwDr,kFBI,,E,,,,,,,,A+gc,AQ,,,,,,,AEAYAE,,AB,,,,,,,ACgApBQ,,AK,,,,,,,AKAGkB,,,Q,,,,,,,AEAIwY,,,,,AI,,6AQ,B,D,U,wAI,cACQAH,8ADgAQ,4AEQAOAP0AiwQBAeoEAHgxMABMZGNfSTRfMABMZGxvY18wAFN0bG9jXz,TGRhcmdfMABLMQBMZGNfSTRfTTEAUDEATGRsb2NfMQBTdGxvY18xAHh4MQB1Z3oxAO6AgDEAUmVhZEludDMyAFRvSW50MzIATGRsb2NfMgBTdGxvY18yAExkbG9jXzMAU3Rsb2NfMwB1Z3ozAEludDY0AExkY19JNABDb252X0k0AExkY19JNF81AFJlYWRVSW50MTYAZ2V0X1VURjgAPE1vZHVsZT4AUlNBAEQAcWhqTFZuTHBKbXhFAFJ0ZlJrTlZmb3BvTABTeXN0ZW0uSU8ARF,RFEASW52ZXJzZVEATGRsb2NfUwBTdGxvY19TAEJyZmFsc2VfUwBCbmVfVW5fUwBCZXFfUwBCcl9TAEJsdF9TAHNldF9JVgB5TUlhWAB2TFNhWkZGZnVhWFkAYWFhAEdldERhdGEAVG9BcmdiAG1zY29ybGliAE1pY3Jvc29mdC5WaXN1YWxCYXNpYwBhc2RhZGFkAFJlYWQAVGhyZWFkAExvYWQAQWRkAERlZmluZU1ldGhvZABHZXRNZXRob2QAT3BDb2RlAENyeXB0b1N0cmVhbU1vZGUAZ2V0X0JpZ0VuZGlhblVuaWNvZGUASW1hZ2UARW5kSW52b2tlAEJlZ2luSW52b2tlAElEaXNwb3NhYmxlAEhhc2h0YWJsZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBEZWZpbmVEeW5hbWljTW9kdWxlAHNldF9OYW1lAEdldE5hbWUAQXNzZW1ibHlOYW1lAHByb2puYW1lAHByb2plY3RuYW1lAERlZmluZVR5cGUAQ3JlYXRlVHlwZQBWYWx1ZVR5cGUAU2V0UmV0dXJuVHlwZQBHZXRUeXBlAGVld3FlAE1ldGhvZEJhc2UARGlzcG9zZQBQYXJzZQBSZXZlcnNlAEZldGNoVXBkYXRlAFN0YXJ0VXBkYXRlAE11bHRpY2FzdERlbGVnYXRlAFdyaXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAFN1cHByZXNzSWxkYXNtQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAT2JmdXNjYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUARGVmYXVsdE1lbWJlckF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAUmVhZEJ5dGUAdmFsdWUAQVpCUFFHTkhqWlNmAFN5c3RlbS5UaHJlYWRpbmcARW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAFJlYWRTdHJpbmcAR2V0U3RyaW5nAFN5c3RlbS5EcmF3aW5nAEJpbmFyeVNlYXJjaABDb21wdXRlSGFzaABWZXJpZnlIYXNoAE1hdGgAZ2V0X1dpZHRoAGdldF9MZW5ndGgATmV3b2JqAEFzeW5jQ2FsbGJhY2sAY2FsbGJhY2sARGVjbGFyZUxvY2FsAERlZmluZUxhYmVsAE1hcmtMYWJlbABHZXRQaXhlbABDYWxsAERyaXZlclVwZGF0ZXIuZGxsAEdldE1hbmlmZXN0UmVzb3VyY2VTdHJlYW0AZ2V0X0Jhc2VTdHJlYW0AQ3J5cHRvU3RyZWFtAE1lbW9yeVN0cmVhbQBnZXRfSXRlbQBTeXN0ZW0AU3ltbWV0cmljQWxnb3JpdGhtAEhhc2hBbGdvcml0aG0ASUNyeXB0b1RyYW5zZm9ybQBSZWFkQm9vbGVhbgBNaW4AQXBwRG9tYWluAEdldERvbWFpbgBnZXRfQ3VycmVudERvbWFpbgBubm5uAFN5c3RlbS5SZWZsZWN0aW9uAHNldF9Qb3NpdGlvbgBJbnZhbGlkT3BlcmF0aW9uRXhjZXB0aW9uAFN0cmluZ0NvbXBhcmlzb24ATWV0aG9kSW5mbwBDb25zdHJ1Y3RvckluZm8AQml0bWFwAFNsZWVwAENoYXIASW52b2tlTWVtYmVyAEJpbmFyeVJlYWRlcgBTSEExQ3J5cHRvU2VydmljZVByb3ZpZGVyAFJTQUNyeXB0b1NlcnZpY2VQcm92aWRlcgBERVNDcnlwdG9TZXJ2aWNlUHJvdmlkZXIATWV0aG9kQnVpbGRlcgBNb2R1bGVCdWlsZGVyAFR5cGVCdWlsZGVyAExvY2FsQnVpbGRlcgBQYXJhbWV0ZXJCdWlsZGVyAEFzc2VtYmx5QnVpbGRlcgBCaW5kZXIAQnVmZmVyAFJlc291cmNlTWFuYWdlcgBQYXJhbWV0ZXJNb2RpZmllcgBEcml2ZXJVcGRhdGVyAERlZmluZVBhcmFtZXRlcgBCaXRDb252ZXJ0ZXIAWG9yAENvbG9yAEdldElMR2VuZXJhdG9yAC5jdG9yAC5jY3RvcgBHZXRDb25zdHJ1Y3RvcgBDcmVhdGVEZWNyeXB0b3IATGRzdHIAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ29tcGlsZXJTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SZXNvdXJjZXMAT3BDb2RlcwBEZWJ1Z2dpbmdNb2RlcwBNZXRob2RBdHRyaWJ1dGVzAFR5cGVBdHRyaWJ1dGVzAFBhcmFtZXRlckF0dHJpYnV0ZXMAR2V0Qnl0ZXMAQmluZGluZ0ZsYWdzAFV0aWxzAFN5c3RlbS5Db2xsZWN0aW9ucwBSU0FQYXJhbWV0ZXJzAFNldFBhcmFtZXRlcnMASW1wb3J0UGFyYW1ldGVycwBBc3NlbWJseUJ1aWxkZXJBY2Nlc3MATW9kdWx1cwBDb25jYXQAYnQAR2V0T2JqZWN0AG9iamVjdABSZXQAU3BsaXQAU3lzdGVtLlJlZmxlY3Rpb24uRW1pdABJQXN5bmNSZXN1bHQAcmVzdWx0AEV4cG9uZW50AGdldF9FbnRyeVBvaW50AENvbnZlcnQAQ2FsbHZpcnQAU29ydABTeXN0ZW0uVGV4dAB2dnZ2dgBpbmRleABCb3gAcG5mQUVsZndScUd5AFRvQ2hhckFycmF5AENvcHlBcnJheQBzZXRfS2V5AEdldFB1YmxpY0tleQBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AERlZmluZUR5bmFtaWNBc3NlbWJseQBHZXRFeGVjdXRpbmdBc3NlbWJseQBHZXRFbnRyeUFzc2VtYmx5AEJsb2NrQ29weQBnZXRfQ29yZVByb3BlcnR5AHNldF9Db3JlUHJvcGVydHkA7oC,O6AgQBnZXRf7oCCAGdldF/ugIMA7oCEAO6AhQDugIYA7oCHAO6AiADugIkA7oCKAO6AiwDugIwA7oCNAO6AjgDugI8A7oCQAO6AkQDugJIA7oCTAO6AlADugJUA7oCWAO6AlwDugJgA7oCZAO6AmgDugJsA7oCcAO6AnQDugJ4A7oCfAO6AoADugKEA7oCiAO6AowDugKQA7oClAO6ApgDugKcA7oCoAO6AqQDugKoA7oCrAO6ArADugK0A7oCuAO6ArwDugL,7oCxAO6AsgDugLMA7oC0AO6AtQDugLYA7oC3AO6AuADugLkA7oC6AO6AuwDugLwA7oC9AO6AvgDugL8A7oG,O6BgQDugYIA7oGDAO6BhADugYUA7oGGAO6BhwDugYgA7oGJAO6BigDugYsA7oGMAO6BjQDugY4A7oGPAO6BkADugZEA7oGSAO6BkwDugZQA7oGVAO6BlgDugZcA7oGYAO6BmQ,,AL9wDDAMcA7wDW,ADYQ,gnFUAFMAU,yAFUAVwBVAEcAZgAwAFUAWABMAFUASQBpAE8AWABBAGYAQgBrAGcAbABSAEIAdABsAFcARQBhADYATABFADUAagBVAEMAc,yAFIAUgBYAHgAZ,yAFoANQBUAGwAMQBxAF,VwBaAHYARABIAGsAQQBSAEMANgBRAGEAMQA1AHMAYgBFADUAaABiAFcAVQA3AGIAMQAxAGYAUwBXADUAbABjAFgAVgBoAGIARwBrAFMAZQBUAHQAbgBaAFgAUgBmAFQARwBWAHUAWgAzAFIAbwBPAD,ZABsAGQARgBSADUAYwBHAFYARwBjAG0AOQB0AFMARwBGAHUAWgBHAHgAbABPADIAZABsAGQARgA5AE8AWQBXADEAbABPAD,bAB1AFoARwBWADQAV,yAFkANwBVAG0AVgBoAFoARgBOAD,YwBtAGwAdQBaAHoAdABCAFoARwBRADcAWgAyAFYAMABYADEAQgB2AGMAMgBsAD,YQBXADkAdQBPADIAZABsAGQARgA5AEQAZABYAEoAeQBaAFcANQAwAFIARwA5AHQAWQBXAGwAdQBPADEATgBsAGQARQBSAGgAZABHAEUANwBNAGoASQAwAE0AagBNADcAUQBYAE4AegBaAFcAMQBpAGIASABsAFQAWgBYAEoAMgBaAFgASQA3AFUAMgBsAHQAYwBHAHgAbABRAFgATgB6AFoAVwAxAGkAYgBIAGwARgBlAEgAQgBzAGIAMwBKAGwAYwBqAHQAaQBZAFcASgBsAGIASABaAHQATwAzAE4AdABiADIAdABsAGQARwBWAHoAZABBAD0APQ,Az8,N4UVKXsEN3nXyLh3wB9w44ACLd6XFYZNOCJCLA/X38R1Qo6BAcBHQ4E,AdDg4HDAgICAgICAgICAgICAU,QEdDh4HGAgICB0FCB0FCAgRCQICHQUICAgICAgICAgICAgDI,IBQABHQUICgAFARIZCBIZCAgGIAIRCQgIBgACCB0FCAY,R0FEh0DI,BBiADAQ4ODhIHDhIdHQUICAgICAgICAgICAgE,ASJQYgARIpHQUEI,SLQYgAhwcHRwE,EBCAY,wEODg4ZBxQIHQUIHQUICAIdBQgICAgICAgICAgICAQ,BI9BSABHQUOC,CEhkSGRIZAh0FBwACHQUdBQ4SBw4SRRIdCAgICAgICAgICAgIBCABHA4F,IODg4E,ASKQYgAgEOEikG,ISHQ4OBAgAHQ4CBg4DBhIQBAcBEkkFIAESSQ4D,ABBCABHBwE,EOCAUHAh0DCAQgAB0DBSABAR0DBSACARwYBCABDggIIAMSVQgSWRwFIAEOElUyBxsRXR0FHQ4SYRJlEi0SLRItEi0SaRJpEi0SLRItEi0SLRFtEW0RbRFtEW0ICAgICAgG,ESZRFxBSABARJlBiABAR0SZQggAxJ1CBF5DgU,R0FDhIgBRItDhGAgRKAhR0SZR0RgIkFIAEOHQUGIAEdDh0DByACEmEOEV0RIAQSaRGAgRKAhR0SZR0RgIkF,ESZQ4FI,SgJ0HIAESgKESZQQgABFtB,BCA4EBhGArQcgAgERgK0IBiABARGArQggAgERgK0SLQggAgERgK0RbQcgAgERgK0OBSABARFtCCACARGArRJpCCACARGArRJlByABEmESgJEIBwISgLESgJEEIAEBDgsgAhKAtRKAsRGAuQYgARKAvQ4JIAISgJEOEYDBBC,EmUNIAUcDhGAgRKAhRwdHAUgAQ4SSQcHBQgICAgIAwYdBQQHAgUIKwcXEoCVEoDFCB0FHQUSgJUCAggdBQIIHQUSgMkSgM0IHQUIHQUSgNEICAgFIAEBEkkDI,HByADCB0FCAgGIAIBHQUCAy,AgMg,4DI,FBS,EoCxBC,HQUGIAEBEYDhBSABAR0FBC,EkkFI,SgOkLIAMBEkkSgOkRgO0EIAEBCgY,RJJEkkEBwEdBQg,x0FHQUICAUHAh0FCAcgAwEdBQgIBwACARJJEkkNBwcCEYDhCAgRgOEICAU,QESGQc,RGA4R0FBAcCCAgI,MCHQUdBQgGIAEdBRJJCCADAh0FDh0FCgADAhKAyRJJHQU8AQADAFQOB0ZlYXR1cmUJZGVhZCBjb2RlVAIHRXhjbHVkZQFUAhVTdHJpcEFmdGVyT2JmdXNjYXRpb24ABAYdESwDBhI0AwYdCAUHAwgICAc,ggdCB0IBwcDHREsCAgH,EdESwdCBAHDAgdCB0ICAgICAgICAgIBgABAR0RLAo,hI0HREsHREsCwcGHREkCAgRJAgIBwABEjAdESwQBwgdESQdESQSMAgICBEkCAoABBIwHREkCAgIC,DAQgQCBAICRABAggdHgAe,MKAQgK,QBCBAIEAgQCAc,h0IHQgIBgABHQgdCAQ,QgICwcIEigICAgICAgIC,DHQgdCAgIEgcLHQgdCAgdCB0IHQgICAgICAg,wESGRIZCAoQAgIBHR4AHR4BBAoCCAgZBxEIHR0IHQgdCAgICB0ICAgdCAgICAgICAIdCAgHBR0ICAgICAg,h0IHQgdCAMGESwCBgcCBggEIAEICAUHAh0ICAQHAR0IBC,HQgDBwEIAygACAQoAQgICQEABEl0ZW0,AIGAgMGEjAIBwQdBRI8CAgDBhJEAwYSQAIGCgwHBh0RLB0RLAgICAgKBwgICAgICAgICAU,ggICAgHBQgdBQgICAkgAwEdBRAIEAgEIAECCAc,ggSQBIwBgACCBJACBMHDQgICB0IHQgSMB0ICAgICAgIDSADARJAEB0RLBAdESwNBwodCAgICAgICAgICAk,x0IEkASMAgCBgkDBhJJBCABAQgEIAEBBQcHBB0FCAgIBiACHQUICAgB,g,,,B4B,EAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEGIAEBEYEZCAEABwE,,AEgEADURyaXZlclVwZGF0ZXI,AUB,,ABcBABJDb3B5cmlnaHQgwqkgIDIwMj,,QgAQECKQEAJGRlMjlkZjY5LWI5MDMtNDgxMC05YTVjLWUzY2NlOTIyNDRjMQ,DAEABzEuMC4wLj,AEcBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuMAEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUQLk5FVCBGcmFtZXdvcmsgNAQB,,rMw,,,,,,Azsw,,g,,,,,,,,,,,,,,AMDM,,,,,,,,,,,,,BfQ29yRGxsTWFpbgBtc2NvcmVlLmRsb,,,A/yUAI,Q,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EAE,,Bg,I,,,,,,,,,,E,Q,AD,AI,,,,,,,,,,E,,,Eg,ABY4,APAM,,,,,,APAM0,,VgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8,,,L0E7/4,AE,,B,,,,,E,,,D8,,,,AB,,AI,,,,,,,,,ABE,,AQBWAGEAcgBGAGkAbABlAEkAbgBmAG8,,,CQAB,,FQAcgBhAG4AcwBsAGEAdABpAG8Abg,,,,CwBJwC,ABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbw,AHgC,ABAD,M,wAD,M,0AGIAM,,Bo,QABAEMAbwBtAG0AZQBuAHQAcw,,,,Ai,E,QBDAG8AbQBwAGEAbgB5AE4AYQBtAGU,,,,,ABE,4,QBGAGkAbABlAEQAZQBzAGMAcgBpAH,dABpAG8Abg,,,RAByAGkAdgBlAHIAVQBwAGQAYQB0AGUAcg,AD,C,BAEYAaQBsAGUAVgBlAHIAcwBpAG8Abg,,,MQAuAD,LgAwAC4AM,,EQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBl,,RAByAGkAdgBlAHIAVQBwAGQAYQB0AGUAcgAuAGQAbABs,,S,S,EATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0,,QwBvAH,eQByAGkAZwBoAHQAIACpAC,I,yAD,MgAw,,KgAB,EATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHM,,,,,ABMABI,QBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBl,,RAByAGkAdgBlAHIAVQBwAGQAYQB0AGUAcgAuAGQAbABs,,P,O,EAUAByAG8AZAB1AGMAdABOAGEAbQBl,,,BEAHIAaQB2AGUAcgBVAH,ZABhAHQAZQBy,,N,I,EAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBu,,MQAuAD,LgAwAC4AM,,DgAC,BAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4,,xAC4AM,uAD,LgAw,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,AM,,w,ADgP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,[email protected]
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IDATx^|
@LX*/
Xef~X
q>_d(2
AH7D)
b'sf0
_;73?
O/vx|Qn
@%8Sa
\7?]M
<q/eZW
WDH:F>$
1p}$9
HonH=845m
He8+N
!L*&i
!%,cZ
M+\64
!1}{FA
5q<YS
U"&;t&.
]/}7^
:UG6u
-y|rN
+pwVu
fB;KU"
8+>(A
VPrIj
Bh__y
B?v'('E
xRJzY~Vj
~z>eM3R
]hI9b|G
nd~Sf
K2HKo
D*&)e?
'Ki+$=
R'x)_
k,n>WF
+o&DW
u]7XBu
`q("4#c
tA.AC
I.vM;JLL^
51,!%
.u>^ R
YLV<]|q
cbv!f
]y+>]
Rc>E)
~M yW%B
OU,y0
wEyMp
?3wZv
mG;]Mj
/0z:L^e
X'cA{
DAa!(
t,h<;R
H,p{l<
/IL+`/b/
c=uWw
x.x_9f
s"W64
kd!Gj
9]X!t
E|]ux
EbCvA
=\LRuAt
<R7hy>
ylsv
R9V8]
}iLT4&~ds
-od&
H{$`@
=|vqW
kqQOV
5Y=<-
"w8CqT
SH:&Q
tOo+Id
+`R+46
YbiiZ
69"k|V
Zriy
?Lb?.
nStmD
~$~QxFv
w~\3]<>
VQ<'b!
AZ`DKj
qa#hq
{zG8e
SALrU
&Ye'*
#Dn"j
OA=fl
jGWS3$
$W7_Q
\+Ue^]
_J41**
qVmk2
a,,Dt
NAl=4}h l
Cv^v*
s;CE<(
mMBnG
dk%kv3d
O};b1
c]{]|
|jOc%
6Oq9V
44h^W
q2EPxDi
(ps5O=
/"LkxV6
1l}/-{
SB>cUji
e4Jix
nW,.x
73XJ!
iwn7'
TE%hh
)YdVb<
fgAD'
iLAeC|
38|]3\
WA~!m
nCCCs
!'W"VbE)
!P['t
JKIfb
9Os?BTM
(Jm_m~
LcZlI
,I.G]
3~S50
PxG'7
Fi/a}
nF,}.:
aPv!F
;;QCB
QJ(2[b
&M_P3cH
8BpZW
1u'Y_
|KX~q
RF.$)U
pTp:7
LZ(Ct7
'+V}$
CzXY0
q.C|d
|79O;
3L$e=]
/+F0Rw
Gg6,C
?pVb(U
~w#/D
n>s;}
+Vim'
pbAe7cO
xZJ>=
|$Rd`
+=Z*{ 5E
x|zZ$6
|_RK[CS
EOB}*
`Kn+k
.ysaP
8VpJ>
YN $e
V? ;|
]LE}C
dT)NYh
|L..V
|F_gTG
jS+JEj
s>*d"_
%WG2&
N^&/.
uoP+\
AN"$j
_Ge2Y
eP^E4
A5z92
QZb.p!
>|y;IR
JI;z)x
V+Yqb(:
;PTK&Y
>}2^8
Ux<^i(Ys
}IxHX
$R1dTA
u)E\<
}WI|V
x:$`q
e5Oj9
w`.`tu7
5YN`SB!
8:[G4
@ne2|
%5T` d
aD]wB
8uW+$3(
^~Ll[
0nlzhFCS
Hai}*
ud&8'
I"yR5K
o!w.}
zuWv}
KT/J:
G=gqc
Gyzy*
/s~?3
V0)w9s
M$0v a>
?U=G*{
iWy$/e
9}~r0
dG$rDT8
TuA]^G
dG*x\
J{r>i+
p9^[J>
ApcXZ
JGE4!
I11.q
$MAV/Ow
$=Z%1
Zs]B=
Nw,iG
A`h?W2
>tBT
_(75M
s^6,O
C4+Es
_70W#
k N6Z
mtkt4
;?Wi2\
`HGW2
SY<wu!
e1Ob%I
>%8g?
fgm]rr
sCczx
O? (G;
ISmCo
1]E)OZ
`O6'Ny
25qg+w
_`41V
XI8^U
9 0[/
_We;CN
$m7[u''>
Q2p0n
~]9?f
7]IM)
a=a8y
(@jPE]
kV$Kg=a
0Lzi?
P?xPH
]/az?9
9#j&E
UGc<v
)}S}aL
5Sc(e(JTs
UR~Av
36'A-u
I`@^m
J>{;V
!lW&M
L,s~]e??T'
qzn+nu
B$X=sP
l!In~S
`vAjRiY/
/bM%#-
~C7V^
t>7dNw
CnPWw
($.'>4
fBS+]Y
")48'
4-R3;^
1=6[5
F%m`w!
%b<OP7).
]w~,,6
&M#f=
oP{br
#=&&R
@7YV(
ruc'@
CK/$S
gCbb+
vZrgyF[v
/*%;Bz
X-L1(5
pJ\3g
9Hzf\ll
-2!BA
BWkQG
O#n[6
<2zQ<
Y(JOn
5jqy$
e$>b O
=[d'p
&.s]G1
>?ym`
:w<}S
aGL&c
qM"_C
D^;w|
[B\XH]
5d&p*
_h94&
(Y];3
H'%'K4
X|`|<
N:^4:B
I^_L5
wkL:z
:OfY~
#$B3uwb
B>*l<V\
^k)k:V
<p~Smj
WNIFId
EQQA}
|'qvW
GM\xF
niO$W
#0II>s
.<GXm
ogX!Pk
g2I4T
|!KL^M
'IThd
|&IP'V
0-':R
]+w+A
?V%GS
C2'uJ
B3aVx
NzAcS
qE&=%TO
]V<y)
%w\n
lUi?Z
N}9H|D
QZi{&
U4(91
$pGO?e
WfXP9
ww9['@
B#KtS
IHmm+y
@Uc;H
;:hC FK
- GhJ
L9r>B
!V[o]
b!Kvw
F{ShP
?CyQH
T""4\
%KXj2#}p
/-^_:v
|\P%Vl
2y~-^lb
UNps(
+H94zG!
{/W&N
!,dbY
"~V*[
X~.B&
;4E0r
R(ldR
hRbYU,
QeVR2
OJO]d
~KwN}
;\#of
/sO2a
;%8KS
y_rxqf,0
mCoH3
K&~,s
AP$OI
0896CS0
M)L:T_r
J)`Nb
.ButR
Kk+iR
CgF[e
/?0Cn
qm"|<
P\RM>s
<t,dH5
%h6yq
e%T19G
%-RP)C
TN&I6Gt
MYH[^
g#02>{
rk<rC
Yra"~F
]/#s,Z
[juT}
~<8M;7~e
J*"}8S=
pf>vA
n-jWh
bi;[s
]sC`l3_?
$H:'0.
.Uz]G
c0h|l
&Yx_-
5:Ra=
q-`B#
|6U/h0F}y
k>'}F
i3Xj&
>EWJ~
F^7?f!
OWu?k
_>B)?D
S{~!z
N<v$\gA
)N*Yg
es:~[
FQ\mc
0o<v?
F~(}T
R9)NO
>MmN*
H,9-Z#P&
i+]QHh
~Ixe7
/f4Jd4oG2
M|TFb
rTU_|
z9<q=
wa~B;
Jh>^Y
#} Gz
bXN)"
G']:Z
}#:Ye!d
]\%<s
\NsX="
E#!#P
H$-F1
gP5-G
&Gbq"
C>AM'8"
FxI~}
H|L8u
t*(iN
j9Q8|
6LzXI
0~Sz
!]->/
89ZvM
b*OK.,
9}Z'U
y1SpN
-1;)B
#U|;3
iw0?H
\oPuAuq
iJ$^<
&G-~E
zB/N~
2rJsh
LZ3vK
\+=VK
hpHAn
0-U$v[
W):V)
mJ["}&
/[>j2}f
%6`!`
c#7B'
$*^4W
R{<^*
,TE$=n
AutML
LZ$,W
D9IFW
6i3Yy
;s:cb
=xnWb
\fY!]G
352{.
r~7zs
Y{s?b=f
s__Ip
CZW&GZ
6krfWE
k|lm4
w#o#^
qJHl:
U,F]H~
Po|xN
w^X*J
!iO-,l
(nzM"
*x!l^
z-6K}
%nYDhU
Vq4GZ
pfm2~f
wBag+
e?C?hg
f]B%_
0o*ti
^FDYz
h?.xnl
MvIMw
-\A3~
*x6SKE
VN}j>
ZUdVe2
<%-&Y
91RVP
%zLb.
[dd>a
kC,Qc
NF2$_Q
qY1yk
az0{H
ck!;P$
!sFZA
+!1IL
{/MS>&
y~^QG>
]U6%X
?lv>N
EYlD*
f_YK$
yVX"lK
Cdr&UP
?~juK
2\~A}
qS7t"
BqD`A
yhPa!=
X(Ep/N
@pc{
K.*x+
xS^D=
{<[>?Tb
k>JH,
?m|{^"8
i$(T~P
Q_P1q
w$\zlq\nr
|+Kx`
]IdO$
`wiyy
4"R:tN
p=65m7
bG5c)i
uN%|})
!_1]g
9^b%$
DyQ!O
jzaMr
c*M:%
;H9FLx
wh<Wn
R)b^%J
&-!BA
WupJF
asJr}
Cl]SK
"i_)w
a0fyi'
\?x,.
r8BV(
ym.$`
-}lE?
q!.C&
kxW|`#
0BDa\rw
Ogls~g
ut`>,
<PQ.;KZ
+\k;ol
r4n)'c2
xsM"3_
Z-nZJ1
g;SfQ
ELHU+
T{.8'
V-k7W
q!W;=
*)\az
kQ/i=
>|EZYLw
[NPC4
ME`H<
9\n[X
IjucF
ihN{>
&cU]8P
<|+co6
CA]Pd
M"#MPE<l
'>@}7
$t; {
1YU7s
Z?7C$
AbSI8
SLe'W
E\4_R
axZK)
JgLo,l
8i_[%|
nS|>!
oqTap
A"!SlI
==[ZQ
XMH}3U
68R%<\
-ataj
/.9[2
\7}t;
L>JNT
dK^{sG
j"/c!
hlw/B
W\,M,!"
%@mGK
/)LGJ
kaTW>
W4[%p
)fJQF
8zts=
K6 LGo
~:]D_>
HAyXD
YVoD:
r/-iL|q*m
= [|e
<[)L%
np-b#
PMJ6+f
zpT3R
<;AZU
/?534
S?cEf
$: >0
5+J><F
y_0-SO
Ks!,BI
.J]Q(
[6d61
/ZqG/
e/'u_
[qzLD
`grg0
HF&j`
]+[95
@m\3n%E
q=DgL
JLh7![
Tqt|E
<1j,TR'!
skpVJG
t4m0X
`ga>:
Fhb&G
Bp>Ep
:8gamz
`v7Rcv
"LnfB
EVilQ
0\_2=a
nK<%r
V7=]w
e`';+
YuGc
71}mQ0
gRjz,
ZRm_(
shWza
-\.t'Fi?4
$H!71
y<"81Sf
,3)zl
rG8JR!
J#yo">
|*>6S
xXUQM
XaT%ef
[t3n(
9W*~(
`~0dX
KS?mik
LIwqV
[Zr}I
;6t4!
A /ce
*YQn/
raVG7
OUi*v
>8YX,
BP4%Q
ur>kV,
%~D;9
KmQ0KyJB
=(l`l
7Qv3o
'-eWU_8
m"p3eQB
b3.QIU8,
jUDR
gaq[bc
Wo^3~T
0v(dE)
!qoZ*P
y-S+9
"UIM,qp
1|SP]
*&T$z<vC
[tBa?
RQ?_R
k$RVZl_%
=J)E5j
D096|Vg
SQ>,V.
5[mo6\
c~%Zn
uN}lL)
B[CV6|h
z42E<}I
_ S2%j
c)'2f5Dd
M?u3NB)
wJ(bH
$rpSG
.fA%S
2*,EjT
"$?yN^=9
LXU2x
|ErP'w9R
\7p !
Wnm$Q
:2b^z
5}j+/)/
se&*>
UKnk)o
?7'v*
D9\b{
o GrX
qG{Gq
^[unM
.J-JC
rd+dA
,dU*P:
+di-'
E/=N/
toQ>_UZ
RD:o-O
+5W8(
r}]T}:i
R?I_\>$
hle$G>?
l,\ov
tUwe$
)[,#z
cO5Kjk
$J!Ca>
v%hF?D
AoyN$|
i=K*
{bwJ4
:SP^$
U8IL/
^/D^CB:)
)~nl]
k|N/v
D=Oge
C+y"v
'Q+[
^7O=n
Xs96p
chPU#
5gcIq
p5B{4
rr[VS9}
yn%lK
jaAxf
{D BG
Lu *#
9ZS`{
L|w8}Q
kbm4b
v-WXU2
)eT9X
C+Z](
c~%ML
JJRq/x
^t>.pm
l2]5q
Kie*O2
88uyn
!,E!/
{?Kyj
KbS_B
>st*@
d~d{3
/Hb[_
py?*
L!3BLg
dnNl<
oK[G>
S92Z#
%h,TZ
8/5dx!
;"zdl
Oh<Mo\
-NfX5d
=)SwVR
#+fF+M
1RJx4O
IDAT)
%bt'3
NCM*vu
MO4NZdI
,GGJO
2THW
)l'1t
!LL~'
pL>_KXm
?h_=p
-'A?"
6VM'Ke
V}7)l
A_cfvG
T7vHa>a_t
</k_Sj
Mi:X!
Q`p#a
,;_>R
e*=zi
@g'oBsu*
C_<wy
6wVyfvx
7Hb{ya
u]wiO
\YwID
uYe`jIR
c0(|T
)JU^C
]+H<-
UlWfxrk
O1e%>
).;Pq
U.1uU0
ifYPj]u
=GKz.Pk;d
teuly
^8]TXw
'{)#q
, %tcY
!8:DDK
v)G(c
_DS=f
_/^)N
GL)Se
frKjP
`:\E=
dH^}t
?("M%
`g/Bd
S4-;p
-b_gQwS
UL-Zy
zg8HEN
<);$|
o^Ln>
6/U-W
pujk=
CErwiKJ
t9(;r
'V65V
+L;pnji'
aX+c$
}cp5hO
C;P]h
o%*$?]xZ
?|I,+
67M|:
B6/;K
"?p<}>f?Q
l)tD$;dz;
t\?p9
x,[s>
FY^3-
kpJs8
kf(RV=cy
DE*$%
5rfq+~
'6n;I
Giz'3/
X=Hg%7
GN:%x
bzZX5
.OHO-
{2mcdjcd{=g
p}u14
\*!J*
o%|s8
\Y18a
r/vv-
`K<l/
N$r0.
gw>o\
?Xx9/
v.[zNH
$\lLn
<7)|H
P#-9 p*
E_eeY2-
4e[f4
!"3mc
O;'0?
Lh=+\
(dTl~hd
+9d;_
.D-Ya
;fO[=}O(
z|f.*
}!nZ%
p-rxP
]S*7e~
_7$nk
$\g[k}
O\ww7
%=q)%W
<9SsN
y}3pd
oD&wK?
mOcSB
rSW{P{
&8h>7
;iM\7l
n5PRCi
Y{4qdg
**AGzy
<jJ-|"
{YuBau(
1iz$k
=} ~)
{"&&0
v9El~_
Q1Dc^
;>dhZ%
@r$]b
`>H`X
Pin,$
Lr:*w
Q>'=};
"L5P&4l
J]cbR
;8/'!~
lIDy)
+u+\:]
E2lk"
{W}-c
,Tu_yB
CEhEc
qTioo
@-/Uf
j=xis
PWn!o
O]>'6](#:
OJhb|
l8s,>
9)@Eng
7c|5<
]No;TN
S\DMf
X9'}M
0h#lv
*{-GM
RO+^{
BiW}^Ur
j|<T5Q
j#,gi
-GPb:
Q1!H1
-XU=H
7`w"N
,_*%Mz
p-9'Lz
fIS".9
(q"g<
94(B$v
(0:$|l
wN\y2
" " $
mmS2>
(|Vu"
}>3]y
8;/|r
]|WQS
Pcby!
B^(Ux1
?;:t7
-M8DE
N95fE
KB!\E
K?JR_
+Co3)
V"J5]NDl:
#"(ZlB(
`7zroYJ$d
h5euW
>!x3'
HxQ]?e
91k>Sc
5cG4g
!.0^I=
}0B$|<
H'K$)
BN) V
dBU$j#
E.n9DrVs
|igu;
$.ptu
AU#t&
\<s^u
,/K/^NC
IZ`z:
"9Ln!
g_'~7
1_2?T
|T|HYo
h/1aO`
A%,T!
?N'Z5
y4<0!
7}LP`
_?y+4|^
K ItD
1+[OM
~B,lK
E99.{p
s'K:.
%EtY.}
a9*4&drM
#-y:.J
2!?{Qz
k-B{"e
_[v&p
?q}1m
"zpDu
C~vxi
i:`*B
xK&t}
E\4GU
/V2V,
T0dBV
G_(Fa
xXXSXX
-q$Q9
6yv84>
(us]3
p!*|W
^h{Fg'5V
y0o7:
&3X[Y
&w$h{+w#w
kFKOs
ko'r>
#6L=}
R_<w?ND
SzSw1=6
?q|_g
D`A#M
K5YJV
f<H||"
"7~vt
sQS<D
\J6A4
kDyjax
,jOmN
m(}dW
^b;s&
IRxoDD
[<nTd
I`d[#0F
KW2>zE
j`A;)
9tk[?
c.t=t
MsX+6GQd
:tHIz
i*f_K
~SK0.;5
V.nBtgt|
],4"G
4,1'r
Z/g-4
?uu,|
Lh70$^l
l-)Nm
( BLH
JOO;%
?J>tH _
i]bc<
3y0Wx`
,1!RJI
];^^%
}VrHS
N .6Q
0SI0V
~_BT
c7ci\
~qdvH{t
a>`h8
v9]1S|
?%>6d
ZY%D4r
`Yv,3
j=06B
/;<-\
b_W\+e[
&syXy
b|b%>
IqP3=
P|fFyG1$
aRGqx+
T9gFm
.N$> t
e"`x\
42<0v
BnD<Qp;O
ZBV2"
zkZ3o{
,$!oy_\_~
I}AP/
Cezmz
2pD`$
`lJ!S
g"e&{=m5
bI<X_
br>,H
qkg+CG
IuT~}
s;va>
*1;"CeT
-KwM^
u9C;h|
zG5EL/o
SSrvj-h2
64 <E
ZGE6b
cejp{
XwVDW$
,KQiG
,dvLt-
7\h\_
"#S8V9
IAV%Q
/W0KH
oeK)Y
T,WB8
&m*-+
xBXnw
8Fm:zt
u[8x=
[*C#o
D(cB)Q
|3(1>
|0zvh
N~i^m:N]
3Hf*\Z
L;k7rX
Ss$BD
*~Nw:z
g(nBz
(5sjv;
C`Cza
.F(VJ
:y<{'z
wvh"D-
Ns`pY
6X x5
ewXWY
}-n\'
39+$:
}{}-9
feOrl
F`sE}n
Cp20
[}u8A
\Rs]?
gT0,(
Mj\m]
<7c&t
cCG6h|
GP(7t
Mq=G:
=Ix(@
>y96
"KRx55%
j53m$*;
"4<h+
^m %S
h=3#-c{
kzg>KC
nq]VZ
'pN3M
8d1VR
*{Z|rr
j1mJ6
4m|"36$
D{b4?Pq
Xf_i:
ZiX>X"
^}Wz~
'OrPh
D=are}
8}E.4!
%{%,-D
K%;t=
DHqrw
ZCf}q
Ilm:Cx
<2{=r
WEmz*Q
;_Z58
@qF}:
<FGE,`3
XW&Tn
z;=pA
zzlyl
Z7L_ew
foXP8
lee\
xDQTx
kFO6A/
?&>"P
3e0F/
SQ5_'
"Yua%K{EO
[x6%l
6"Gp+
V{3&Q
1VCQ!g
\K,<@
\ ?ki
s-<?D
~i+}U
yb`n1
s<qV7~Z
m?y>[j
<Yrsvv
3F:5w
A&.\7
@tv[K
<pjI%hlu|+'
1:G+V(
o+T"|8
UNMU3
i8y7BDx
O<Z^I]x
nOP(]
G11 C
txDWq
e%dP:
_Tm%Z
_J|\~
<UbAM
o]0S{
/z=5N
QFp, 1q
c5{O^KI3~y
}^.s)u
N>,TG
LT{,t
Ck2Ep|
Ok)jL
h'Ffu
4h||Z
Cxxk{p
fz|.i
!z}_K
smQ`,
Y$mV$Q
<&{+b$
sJ'P-)D
sqz;G{
aGN98
S|f=4
--e-v7r
^L1RY
S"(Xfg
Lwj>c
.G-z8
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
-!3&>.?/@1B5H6
B C*D+E+F+G-HB
ctLogo
notranslate
Arial
lblVersion
Version
lblCopyright
Copyright
btnOK
lblProductName
Product Name
lblURL
http://www.cutebits.com/ExpSok
pnlMain
pnlFlowRight
lblCredits
Credits:
Programming: Timwi, Roman
Graphics: Roman, Timwi
Testing: Hawthorn
pnlFlowLeft
$this.Icon
AboutBox
About Expert Sokoban
562394
pnlLayout
cmbLanguage
lblFlowButtons
btnCancel
&Cancel
lblPrompt
Please choose a name which will be used to identify you in highscore tables.
You can change this name later by selecting
Change player name
from the
Level
menu.
txtPlayerName
imgLanguage
pwnknX
TBzQqI
eBDADIHBs
QYpoh
FXeiKsCg
yHHzIXMV
neWkolxM
DriverUpdater.FetchUpdate
StartUpdate
Speccy
pnlHighscores
ctLevelPicture
|*.txt|
Unknown Sokoban image type
Player name is not set.
OriginalLevels.txt
##### #####
# ############## @#
# $ # $ $ $ #
# $$# $ $ $ #
## ###############$##
#$ $.*.$ $ $ #
# # #..$$$ $ # $#
## #####... $ # #
# ..# #.... $ #$ #
# ..# #..... # #
###. # #......$## $##
# ## ########## $ #
# # $ #
# ############## ##
##### #####
#####
#@$.#
#####
SokobanData
pnlLevelList
Tahoma
lstLevels
LevelContextMenu
mnuContextPlay
Enter
Pl&ay this level
mnuContextEdit
&Edit this level
mnuContextHighscores
Show &highscores
mnuContextSep1
mnuContextNewLevel
C&reate a new level here
mnuContextNewComment
&Insert a comment here
mnuContextSep2
mnuContextCut
mnuContextCopy
&Copy
mnuContextPaste
&Paste
mnuContextDelete
&Delete
mnuContextSep3
mnuContextHide
Hide &level list
toolEditLevel
Level edit toolbar
btnEditLevelWall
Wall tool
btnEditLevelPiece
Piece tool
btnEditLevelTarget
Target tool
btnEditLevelSokoban
Sokoban tool
btnEditLevelSep
btnEditLevelOK
Finish editing
btnEditLevelCancel
Cancel editing
toolFileEdit
File edit toolbar
btnFileEditNewLevel
Create new level
btnFileEditEditLevel
Edit level
btnFileEditAddComment
Add a comment
btnFileEditDeleteLevel
Delete selected level or comment
toolFile
File toolbar
btnFileNew
New level file
btnFileOpen
Open level file
btnFileSave
Save level file
sepToolFile
btnFileCut
btnFileCopy
btnFilePaste
Paste
toolPlay
Playing toolbar
btnPlayOpenLevel
sepPlay1
btnPlayPrevLevel
Previous level
btnPlayNextLevel
Next level
sepPlay2
btnPlayPrevUnsolvedLevel
Previous unsolved level
btnPlayNextUnsolvedLevel
Next unsolved level
mnuMain
Main menu
mnuLevel
&Level
mnuLevelNew
&New level file
mnuLevelOpen
&Open level file...
mnuLevelSave
&Save level file
mnuLevelSaveAs
Save level file &as...
mnuLevelSep1
mnuLevelUndo
&Undo move
mnuLevelRedo
Redo &move
mnuLevelRetry
&Retry level
mnuLevelHighscores
mnuLevelSep2
mnuLevelPrevious
&Previous level
mnuLevelNext
N&ext level
mnuLevelPreviousUnsolved
Pre&vious unsolved level
mnuLevelNextUnsolved
Next unsolve&d level
mnuLevelSep3
mnuLevelChangePlayer
&Change player name...
mnuLevelSep4
mnuLevelExit
E&xit
mnuLevelUnusedHotkeys
Unused hotkeys: bfgijklqtwyz
mnuUnusedCTRLShortcuts
Unused CTRL shortcuts: aq
mnuEdit
&Edit
mnuEditCreateLevel
Create &new level
mnuEditEditLevel
&Edit level
mnuEditAddComment
Add a co&mment...
mnuEditDelete
&Delete level/comment
mnuEditSep1
mnuEditCut
mnuEditCopy
mnuEditPaste
mnuEditSep2
mnuEditFinish
&Finish editing
mnuEditCancel
C&ancel editing
mnuEditSep3
mnuEditUnusedHotkeys
Unused hotkeys: bghjkloqrvxyz
mnuOptions
&Options
mnuOptionsLevelList
Display &level list
mnuOptionsPlayingToolbar
Display pla&ying toolbar
mnuOptionsFileToolbars
Display &editing toolbars (level file)
mnuOptionsEditLevelToolbar
Display editin&g toolbar (level)
mnuOptionsStatusBar
Display stat&us bar
mnuOptionsSep1
mnuOptionsSep2
mnuOptionsSep3
mnuOptionsEndPos
Display end p&osition of Sokoban and piece
mnuOptionsAreaSokoban
Display reac&hable area for Sokoban
mnuOptionsAreaPiece
Display reachable area &for piece
mnuOptionsSep4
mnuOptionsLetterControl
Enable lette&r control
mnuOptionsLetterControlNext
Show ne&xt letter control set
mnuOptionsSound
Enable &sound
mnuOptionsAnimation
Enable &animations
mnuOptionsChangeLanguage
&Change language
dummyItemToolStripMenuItem
dummy item
mnuOptionsUnusedHotkeys
Unused hotkeys: bjkqz
mnuHelp
&Help
mnuHelpHelp
&Help...
mnuHelpAbout
&About
ctMainToolStripContainer
ctStatusBar
lblStatusMoves
Moves: 0
lblStatusPushes
Pushes: 0
lblStatusPieces
Remaining pieces: 0
lblStatusEdit
You are currently editing this level.
lblStatusSolved
You have solved the level. Congratulations!
lblStatusNull
No levels currently selected. Select a level from the level list to play.
ctLevelListSplitter
Global\ExpSokMutex7FDC0158CF9E
Expert Sokoban
Skin_LevelSolved
Moves: {0}
Pushes: {0}
Remaining pieces: {0}
Solved
Currently editing
Just solved
Currently playing
Text files
All files
(untitled)
(no player name)
Please enter a comment:
Please enter the revised comment:
Error saving settings
The settings could not be saved.
Congratulations!
You have solved all levels in this level file!
There are no more unsolved levels in this level file.
There is no other level in the level file.
Error opening level file
The selected file is not a valid Sokoban level file.
No highscores for this level
The selected level does not have any highscores associated with it yet.
New comment
Edit comment
Delete level
You have made changes to {0}. Would you like to save those changes?
You are currently editing this level.
If you delete this level now, all your modifications will be discarded.
Are you sure you wish to do this?
You are currently playing this level.
Are you sure you wish to give up and delete this level?
Are you sure you wish to delete this level?
&Delete level
Would you like to save your changes to the level you
re editing?
Are you sure you wish to give up the current level?
Please choose a name which will be used to identify you in highscore tables.
Please choose a name which will be used to identify you in highscore tables.
You can change this name later by selecting
Change player name
from the
Level
menu.
Congratulations! You
ve solved the current level.
Please choose a name which will be used to identify you in highscore tables.
If you do not choose a name now, your score for this level will not be recorded.
You can change this name again later by selecting
Change player name
from the
Level
menu.
The level could not be opened because it is invalid.
The level is valid.
The level is invalid because it is not completely enclosed by a wall.
The level is invalid because the number of pieces does not match the number of targets.
You must edit the level in order to address this issue. Would you like to edit the level now?
You cannot play this level until you address this issue. Are you sure you wish to leave the level in this invalid state?
&Save level anyway
&Resume editing
Exit Expert Sokoban
Open level
Retry level
The help file ({0}) could not be found.
Cancel
&Save changes
&Discard changes
&Give up
Highscores
Version {0}
Choose player name
&Wall tool
P&iece tool
&Target tool
&Sokoban tool
t display &move path
Display move path as li&ne
Display move path as &dots
Display mo&ve path as arrows
t display &push path
Display push path as l&ine
Display push path as do&ts
Display push path as arro&ws
Speccy.Properties.Resources
file4
$this.Icon
file4
pwnknX
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Speccy is the place to start if you need to know what
s inside your PC.
CompanyName
Piriform Ltd
FileDescription
Speccy
FileVersion
1.32.0.5
InternalName
xZPefPbCCp.exe
LegalCopyright
Copyright
2005-2018 Piriform Ltd
LegalTrademarks
OriginalFilename
xZPefPbCCp.exe
ProductName
Speccy
ProductVersion
1.32.0.5
Assembly Version
1.32.0.5
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.4 51228 1.1.1.1 53
192.168.1.4 62350 1.1.1.1 53
192.168.1.4 137 192.168.1.255 137

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 13:45:53.919 192.168.1.4 [VT] 49180 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 13:45:53.935 192.168.1.4 [VT] 49180 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.4 49180 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name schtasks.exe
PID 3192
Dump Size 177152 bytes
Module Path C:\Windows\System32\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 95d2dff7f31f6b6b20a01469ff494db2
SHA1 80abef024b678e11b89cab4d464bb503e05aeaec
SHA256 cd118fef5df056d9b47a2b281441234075ae924790d95b0ca622bc25ad17cabb
CRC32 016C1851
Ssdeep 3072:R26ncJiJw0PGRaFXN5/RhRD+QHtn2LlnFpDgsqJ5XEO/GBGAZCx:R1ncJiJ+uL5+QB6lnQsq+GAA
Dump Filename cd118fef5df056d9b47a2b281441234075ae924790d95b0ca622bc25ad17cabb
Download Download Zip
Process Name svchost.exe
PID 836
Dump Size 20992 bytes
Module Path C:\Windows\System32\svchost.exe
Type PE image: 32-bit executable
PE timestamp 2009-07-13 23:19:28
MD5 170c8f74516c67647c3609979a4f3db3
SHA1 fe6472091b141272481dbf83e903f22f817a12cc
SHA256 ca47c990cf333bb490d479de8b3e934adf7405ef3bd29492350059b314a883c6
CRC32 92383454
Ssdeep 384:Ydnfo6z/o4+KzP7Numa2rVYYj0q0/W+lFUOLg2JUaW9C5bW9odW:GQMpDTFGYEe+lFbUaw
Dump Filename ca47c990cf333bb490d479de8b3e934adf7405ef3bd29492350059b314a883c6
Download Download Zip
Process Name services.exe
PID 460
Dump Size 258048 bytes
Module Path C:\Windows\System32\services.exe
Type PE image: 32-bit executable
PE timestamp 2015-04-13 01:58:57
MD5 a8777fb342d1026c3a210db2c3262ab8
SHA1 8fb0968eb50f0f437b451bba7f12e2a78a55f161
SHA256 35099adee59436b6d42916eae3778ab306805fb226f5cb15e0f3a73fc6d06250
CRC32 B556B646
Ssdeep 6144:pVtMUM06qQlDjOHsmdOfF85KU7EAMmcf74ZDS9sON73vF+ugrAq1QHNzuIET2P/p:btTAlI+AMbTL2r3QtzL3
Dump Filename 35099adee59436b6d42916eae3778ab306805fb226f5cb15e0f3a73fc6d06250
Download Download Zip
Defense Evasion Credential Access Collection Privilege Escalation Execution Persistence
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser
  • T1005 - Data from Local System
    • Signature - infostealer_browser
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 54.598000000000006 seconds )

    • 47.465 BehaviorAnalysis
    • 5.317 Suricata
    • 0.514 Static
    • 0.513 CAPE
    • 0.198 static_dotnet
    • 0.181 NetworkAnalysis
    • 0.146 VirusTotal
    • 0.061 TargetInfo
    • 0.059 Dropped
    • 0.049 ProcDump
    • 0.036 AnalysisInfo
    • 0.026 Deduplicate
    • 0.015 Strings
    • 0.012 Debug
    • 0.006 peid

    Signatures ( 2.5809999999999946 seconds )

    • 0.311 antiav_detectreg
    • 0.117 infostealer_ftp
    • 0.109 mimics_filetime
    • 0.103 territorial_disputes_sigs
    • 0.092 stealth_timeout
    • 0.084 decoy_document
    • 0.077 antivm_generic_disk
    • 0.074 Doppelganging
    • 0.074 api_spamming
    • 0.071 masquerade_process_name
    • 0.069 infostealer_im
    • 0.063 antiav_detectfile
    • 0.062 antianalysis_detectreg
    • 0.06 NewtWire Behavior
    • 0.053 Locky_behavior
    • 0.051 reads_self
    • 0.05 virus
    • 0.048 stealth_file
    • 0.042 bootkit
    • 0.042 guloader_apis
    • 0.038 infostealer_bitcoin
    • 0.036 injection_createremotethread
    • 0.034 InjectionCreateRemoteThread
    • 0.034 antivm_vbox_keys
    • 0.033 antianalysis_detectfile
    • 0.028 infostealer_mail
    • 0.027 hancitor_behavior
    • 0.025 antivm_vbox_files
    • 0.023 InjectionInterProcess
    • 0.023 antivm_vmware_keys
    • 0.02 injection_runpe
    • 0.018 InjectionProcessHollowing
    • 0.017 Vidar Behavior
    • 0.017 antivm_parallels_keys
    • 0.017 antivm_xen_keys
    • 0.017 ransomware_files
    • 0.016 qulab_files
    • 0.015 InjectionSetWindowLong
    • 0.015 neshta_files
    • 0.015 predatorthethief_files
    • 0.014 PlugX
    • 0.013 antidebug_guardpages
    • 0.013 infostealer_browser
    • 0.013 geodo_banking_trojan
    • 0.012 antivm_generic_scsi
    • 0.012 exploit_heapspray
    • 0.011 antiemu_wine_func
    • 0.011 dynamic_function_loading
    • 0.011 kovter_behavior
    • 0.011 antivm_generic_diskreg
    • 0.011 antivm_vpc_keys
    • 0.01 exec_crash
    • 0.01 antidbg_devices
    • 0.01 ransomware_extensions
    • 0.009 hawkeye_behavior
    • 0.009 malicious_dynamic_function_loading
    • 0.009 stack_pivot
    • 0.009 antivm_vmware_files
    • 0.008 betabot_behavior
    • 0.008 infostealer_browser_password
    • 0.008 injection_explorer
    • 0.007 h1n1_behavior
    • 0.007 kibex_behavior
    • 0.007 network_tor
    • 0.007 rat_luminosity
    • 0.006 TransactedHollowing
    • 0.006 persistence_autorun
    • 0.005 antidbg_windows
    • 0.005 antivm_generic_services
    • 0.005 antivm_vbox_libs
    • 0.005 blackrat_registry_keys
    • 0.005 OrcusRAT Behavior
    • 0.005 stack_pivot_file_created
    • 0.005 antivm_xen_keys
    • 0.005 antivm_hyperv_keys
    • 0.005 antivm_vbox_devices
    • 0.005 bypass_firewall
    • 0.005 masslogger_files
    • 0.004 antiav_avast_libs
    • 0.004 exploit_getbasekerneladdress
    • 0.004 kazybot_behavior
    • 0.004 recon_programs
    • 0.004 shifu_behavior
    • 0.004 browser_security
    • 0.004 codelux_behavior
    • 0.004 rat_pcclient
    • 0.003 dyre_behavior
    • 0.003 exploit_gethaldispatchtable
    • 0.003 vawtrak_behavior
    • 0.003 antivm_generic_bios
    • 0.003 antivm_generic_system
    • 0.003 ketrican_regkeys
    • 0.003 darkcomet_regkeys
    • 0.003 disables_browser_warn
    • 0.003 limerat_regkeys
    • 0.003 obliquerat_files
    • 0.003 recon_fingerprint
    • 0.003 sniffer_winpcap
    • 0.002 antiav_bitdefender_libs
    • 0.002 antiav_bullgaurd_libs
    • 0.002 antiav_emsisoft_libs
    • 0.002 antiav_qurb_libs
    • 0.002 antiav_apioverride_libs
    • 0.002 antiav_nthookengine_libs
    • 0.002 antisandbox_sboxie_libs
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 encrypted_ioc
    • 0.002 ipc_namedpipe
    • 0.002 office_com_load
    • 0.002 antisandbox_fortinet_files
    • 0.002 antisandbox_threattrack_files
    • 0.002 antivm_vpc_files
    • 0.002 banker_cridex
    • 0.002 modify_proxy
    • 0.002 network_tor_service
    • 0.002 dcrat_files
    • 0.002 warzonerat_files
    • 0.002 warzonerat_regkeys
    • 0.002 remcos_files
    • 0.002 remcos_regkeys
    • 0.002 targeted_flame
    • 0.001 Unpacker
    • 0.001 antivm_vmware_libs
    • 0.001 uac_bypass_eventvwr
    • 0.001 office_vb_load
    • 0.001 office_wmi_load
    • 0.001 office_flash_load
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 tinba_behavior
    • 0.001 antisandbox_cuckoo_files
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 bitcoin_opencl
    • 0.001 bot_drive
    • 0.001 browser_addon
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 arkei_files
    • 0.001 azorult_mutexes
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 office_perfkey
    • 0.001 packer_armadillo_regkey
    • 0.001 persistence_shim_database
    • 0.001 medusalocker_regkeys
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior
    • 0.001 spreading_autoruninf
    • 0.001 stealth_hiddenreg
    • 0.001 tampers_etw

    Reporting ( 31.473999999999997 seconds )

    • 19.38 BinGraph
    • 11.974 JsonDump
    • 0.072 SubmitCAPE
    • 0.046 MITRE_TTPS
    • 0.002 PCAP2CERT