Detections

Yara:

AgentTeslaV2

Auto Tasks

#17886: Unpacker

Analysis

Category: FILE
Package: exe
Started: 2020-06-30 17:32:14
Completed: 2020-06-30 17:37:10
Duration: 296 seconds
Options: route = tor
Log:
2020-05-13 09:29:25,542 [root] INFO: Date set to: 20200630T17:30:05, timeout set to: 200
2020-06-30 17:30:05,078 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-06-30 17:30:05,078 [root] DEBUG: Storing results at: C:\GdPEFN
2020-06-30 17:30:05,078 [root] DEBUG: Pipe server name: \\.\PIPE\CdstCYWg
2020-06-30 17:30:05,078 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-30 17:30:05,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 17:30:05,093 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 17:30:05,093 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 17:30:05,156 [root] DEBUG: Imported analysis package "exe".
2020-06-30 17:30:05,156 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 17:30:05,156 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 17:30:05,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 17:30:05,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 17:30:05,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 17:30:05,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 17:30:05,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 17:30:05,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 17:30:05,468 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 17:30:05,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 17:30:05,484 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 17:30:05,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 17:30:05,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 17:30:05,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 17:30:05,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 17:30:05,546 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 17:30:05,546 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 17:30:05,546 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 17:30:06,468 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 17:30:06,484 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 17:30:06,500 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 17:30:06,500 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 17:30:06,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 17:30:06,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 17:30:06,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 17:30:06,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 17:30:06,531 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 17:30:06,531 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 17:30:06,531 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 17:30:06,531 [root] DEBUG: Started auxiliary module Browser
2020-06-30 17:30:06,531 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 17:30:06,546 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 17:30:06,546 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 17:30:06,546 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 17:30:06,546 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 17:30:06,546 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 17:30:06,546 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 17:30:06,546 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 17:30:07,390 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 17:30:07,390 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 17:30:07,406 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 17:30:07,406 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 17:30:07,406 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 17:30:07,406 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 17:30:07,421 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 17:30:07,421 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 17:30:07,421 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 17:30:07,421 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 17:30:07,421 [root] DEBUG: Started auxiliary module Human
2020-06-30 17:30:07,421 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 17:30:07,437 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 17:30:07,437 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 17:30:07,437 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 17:30:07,437 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 17:30:07,437 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 17:30:07,437 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 17:30:07,437 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 17:30:07,437 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 17:30:07,437 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 17:30:07,437 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 17:30:07,453 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 17:30:07,453 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 17:30:07,453 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 17:30:07,453 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 17:30:07,453 [root] DEBUG: Started auxiliary module Usage
2020-06-30 17:30:07,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 17:30:07,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 17:30:07,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 17:30:07,453 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 17:30:07,968 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe" with arguments "" with pid 2108
2020-06-30 17:30:07,968 [lib.api.process] INFO: Monitor config for process 2108: C:\tmp558c2t_g\dll\2108.ini
2020-06-30 17:30:08,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:08,343 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:08,343 [root] DEBUG: Loader: Injecting process 2108 (thread 4768) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:08,343 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:08,343 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:08,359 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:30:08,359 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:08,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2108
2020-06-30 17:30:10,390 [lib.api.process] INFO: Successfully resumed process with pid 2108
2020-06-30 17:30:10,500 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:30:10,500 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:30:10,515 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 17:30:10,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2108 at 0x6f8e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-30 17:30:10,531 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe".
2020-06-30 17:30:10,593 [root] INFO: Loaded monitor into process with pid 2108
2020-06-30 17:30:10,593 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:10,593 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:10,593 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2108, handle 0xd0.
2020-06-30 17:30:10,625 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:10,625 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:10,625 [root] DEBUG: set_caller_info: Adding region at 0x03670000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 17:30:10,625 [root] DEBUG: set_caller_info: Adding region at 0x01E10000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 17:30:10,640 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1e10000
2020-06-30 17:30:10,656 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01E10000 size 0x400000.
2020-06-30 17:30:10,656 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e10000 - 0x1e11000.
2020-06-30 17:30:10,656 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e10000-0x1e11000.
2020-06-30 17:30:10,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\2108_1274077680105011372020 (size 0xffe)
2020-06-30 17:30:10,734 [root] DEBUG: DumpRegion: Dumped stack region from 0x01E10000, size 0x1000.
2020-06-30 17:30:10,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\2108_2000132772105011372020 (size 0x958e)
2020-06-30 17:30:10,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x03670000, size 0xa000.
2020-06-30 17:30:10,828 [root] DEBUG: set_caller_info: Adding region at 0x03BB0000 to caller regions list (ntdll::memcpy).
2020-06-30 17:30:10,875 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\2108_273864424105011372020 (size 0x1a)
2020-06-30 17:30:10,875 [root] DEBUG: DumpRegion: Dumped stack region from 0x03BB0000, size 0x1000.
2020-06-30 17:30:10,906 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 3008
2020-06-30 17:30:10,906 [lib.api.process] INFO: Monitor config for process 3008: C:\tmp558c2t_g\dll\3008.ini
2020-06-30 17:30:10,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:10,937 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:10,937 [root] DEBUG: Loader: Injecting process 3008 (thread 4868) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:10,937 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:10,937 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:10,953 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:30:10,953 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:10,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2020-06-30 17:30:10,953 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 17:30:10,984 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-30 17:30:10,984 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe" .
2020-06-30 17:30:10,984 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3008, ImageBase: 0x00400000
2020-06-30 17:30:10,984 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 3008
2020-06-30 17:30:10,984 [lib.api.process] INFO: Monitor config for process 3008: C:\tmp558c2t_g\dll\3008.ini
2020-06-30 17:30:10,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:11,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:11,000 [root] DEBUG: Loader: Injecting process 3008 (thread 4868) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,015 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:11,015 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,015 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 17:30:11,015 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2020-06-30 17:30:11,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c amd local view 0x03D10000 to global list.
2020-06-30 17:30:11,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c to target process 3008.
2020-06-30 17:30:11,031 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 3008
2020-06-30 17:30:11,031 [lib.api.process] INFO: Monitor config for process 3008: C:\tmp558c2t_g\dll\3008.ini
2020-06-30 17:30:11,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:11,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:11,062 [root] DEBUG: Loader: Injecting process 3008 (thread 0) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,062 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4868, handle 0xbc
2020-06-30 17:30:11,062 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:11,125 [root] DEBUG: InjectDllViaIAT: Executable DOS header zero.
2020-06-30 17:30:11,125 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2020-06-30 17:30:11,156 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000A24D0 (process 3008).
2020-06-30 17:30:11,187 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 3008
2020-06-30 17:30:11,187 [lib.api.process] INFO: Monitor config for process 3008: C:\tmp558c2t_g\dll\3008.ini
2020-06-30 17:30:11,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:11,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:11,265 [root] DEBUG: Loader: Injecting process 3008 (thread 4868) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,265 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:11,265 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,265 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:30:11,265 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2020-06-30 17:30:11,281 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 17:30:11,281 [root] DEBUG: DumpProcess: Module entry point VA is 0x000A24D0.
2020-06-30 17:30:11,359 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x30400.
2020-06-30 17:30:11,359 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-06-30 17:30:11,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:11,359 [root] DEBUG: DumpSectionViewsForPid: Shared section view found with pid 3008, local address 0x03D10000.
2020-06-30 17:30:11,359 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3d10000
2020-06-30 17:30:11,359 [root] DEBUG: DumpSectionViewsForPid: Dumping PE image from shared section view, local address 0x03D10000.
2020-06-30 17:30:11,359 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:30:11,359 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03D10000.
2020-06-30 17:30:11,375 [root] DEBUG: DumpProcess: Module entry point VA is 0x000A24D0.
2020-06-30 17:30:11,375 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2020-06-30 17:30:11,390 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x30400.
2020-06-30 17:30:11,390 [root] DEBUG: DumpSectionViewsForPid: Dumped PE image from shared section view.
2020-06-30 17:30:11,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d10001-0x3db4000.
2020-06-30 17:30:11,406 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 656
2020-06-30 17:30:11,406 [lib.api.process] INFO: Monitor config for process 656: C:\tmp558c2t_g\dll\656.ini
2020-06-30 17:30:11,468 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:30:11,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:11,468 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:30:11,484 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:11,484 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 17:30:11,484 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3008 at 0x6f8e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-30 17:30:11,484 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe".
2020-06-30 17:30:11,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:11,500 [root] DEBUG: Loader: Injecting process 656 (thread 3656) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,500 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:11,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,500 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:30:11,515 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,531 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 656
2020-06-30 17:30:11,531 [root] INFO: Loaded monitor into process with pid 3008
2020-06-30 17:30:11,546 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\mscoree (0x4a000 bytes).
2020-06-30 17:30:11,562 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe" 2 3008 9982203.
2020-06-30 17:30:11,578 [root] DEBUG: CreateProcessHandler: Injection info set for new process 656, ImageBase: 0x00400000
2020-06-30 17:30:11,578 [root] DEBUG: DLL loaded at 0x72600000: C:\Windows\system32\sxs (0x5f000 bytes).
2020-06-30 17:30:11,578 [root] INFO: Announced 32-bit process name: yyyyyy.exe pid: 656
2020-06-30 17:30:11,578 [lib.api.process] INFO: Monitor config for process 656: C:\tmp558c2t_g\dll\656.ini
2020-06-30 17:30:11,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\wzRvMuV.dll, loader C:\tmp558c2t_g\bin\dsPynGN.exe
2020-06-30 17:30:11,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:11,609 [root] DEBUG: Loader: Injecting process 656 (thread 3656) with C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,609 [root] DEBUG: Process image base: 0x00400000
2020-06-30 17:30:11,609 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-30 17:30:11,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,609 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 17:30:11,609 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wzRvMuV.dll.
2020-06-30 17:30:11,609 [root] DEBUG: DLL loaded at 0x750D0000: C:\Windows\syswow64\SHELL32 (0xc4c000 bytes).
2020-06-30 17:30:11,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 656
2020-06-30 17:30:11,625 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-06-30 17:30:11,640 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2108
2020-06-30 17:30:11,640 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-30 17:30:11,640 [root] DEBUG: GetHookCallerBase: thread 4396 (handle 0x0), return address 0x03670102, allocation base 0x03670000.
2020-06-30 17:30:11,640 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-30 17:30:11,640 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-30 17:30:11,640 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:30:11,656 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 17:30:11,656 [root] DEBUG: DumpProcess: Module entry point VA is 0x000921F0.
2020-06-30 17:30:11,671 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:30:11,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x6F6B0000 to global list.
2020-06-30 17:30:11,671 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:30:11,718 [root] DEBUG: DLL loaded at 0x6F6B0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\Gdiplus (0x192000 bytes).
2020-06-30 17:30:11,734 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:11,734 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xec600.
2020-06-30 17:30:11,750 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 17:30:11,750 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-06-30 17:30:11,750 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 656 at 0x6f8e0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-30 17:30:11,843 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe" 2 3008 9982203.
2020-06-30 17:30:11,875 [root] INFO: Process with pid 2108 has terminated
2020-06-30 17:30:11,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F5C0000 for section view with handle 0xec.
2020-06-30 17:30:11,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73510000 for section view with handle 0xec.
2020-06-30 17:30:11,921 [root] DEBUG: DLL loaded at 0x73510000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 17:30:11,921 [root] DEBUG: set_caller_info: Adding region at 0x00690000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 17:30:12,015 [root] DEBUG: set_caller_info: Adding region at 0x01DD0000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 17:30:12,031 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1dd0000
2020-06-30 17:30:12,078 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01DD0000 size 0x400000.
2020-06-30 17:30:12,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F470000 for section view with handle 0xec.
2020-06-30 17:30:12,109 [root] DEBUG: DLL loaded at 0x6F470000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks (0x14f000 bytes).
2020-06-30 17:30:12,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70030000 for section view with handle 0xec.
2020-06-30 17:30:12,343 [root] DEBUG: DLL loaded at 0x70030000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Culture (0xd000 bytes).
2020-06-30 17:30:12,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\656_772278970125011372020 (size 0xffe)
2020-06-30 17:30:12,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x036E0000 for section view with handle 0xec.
2020-06-30 17:30:12,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F410000 for section view with handle 0xec.
2020-06-30 17:30:12,781 [root] DEBUG: DLL loaded at 0x6F410000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc (0x5f000 bytes).
2020-06-30 17:30:12,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\656_1780639817125011372020 (size 0x1a)
2020-06-30 17:30:12,812 [root] DEBUG: DumpRegion: Dumped stack region from 0x006B0000, size 0x1000.
2020-06-30 17:30:12,812 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 17:30:12,828 [root] DEBUG: set_caller_info: Adding region at 0x01ED0000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 17:30:12,843 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1ed0000
2020-06-30 17:30:12,843 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01ED0000 size 0x400000.
2020-06-30 17:30:12,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x1ed0000 - 0x1ed1000.
2020-06-30 17:30:12,921 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1ed0000-0x1ed1000.
2020-06-30 17:30:13,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_1449573769125011372020 (size 0xffe)
2020-06-30 17:30:13,640 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 17:30:13,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x72660000 to global list.
2020-06-30 17:30:13,718 [root] DEBUG: DLL loaded at 0x72660000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 17:30:14,015 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3008, handle 0x130.
2020-06-30 17:30:14,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x134 amd local view 0x002F0000 to global list.
2020-06-30 17:30:14,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x138 amd local view 0x00300000 to global list.
2020-06-30 17:30:14,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:14,125 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:14,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x6E070000 to global list.
2020-06-30 17:30:14,625 [root] DEBUG: DLL loaded at 0x6E070000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 17:30:14,750 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:15,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x6DFF0000 to global list.
2020-06-30 17:30:15,500 [root] DEBUG: DLL loaded at 0x6DFF0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 17:30:15,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x75DE0000 to global list.
2020-06-30 17:30:15,562 [root] DEBUG: DLL loaded at 0x75DE0000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-30 17:30:15,875 [root] DEBUG: set_caller_info: Adding region at 0x01EA0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 17:30:15,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_117705797355011372020 (size 0xfb1d)
2020-06-30 17:30:16,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x01EA0000, size 0x10000.
2020-06-30 17:30:17,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x250 amd local view 0x6D5E0000 to global list.
2020-06-30 17:30:17,484 [root] DEBUG: DLL loaded at 0x6D5E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 17:30:17,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24c amd local view 0x6D440000 to global list.
2020-06-30 17:30:17,562 [root] DEBUG: DLL loaded at 0x6D440000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 17:30:17,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x6C720000 to global list.
2020-06-30 17:30:17,671 [root] DEBUG: DLL loaded at 0x6C720000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 17:30:17,859 [root] DEBUG: set_caller_info: Adding region at 0x03750000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 17:30:17,984 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x375ffff
2020-06-30 17:30:17,984 [root] DEBUG: DumpMemory: Nothing to dump at 0x03750000!
2020-06-30 17:30:18,031 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03750000 size 0x10000.
2020-06-30 17:30:18,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_1475299062385011372020 (size 0x2af)
2020-06-30 17:30:18,125 [root] DEBUG: DumpRegion: Dumped stack region from 0x03750000, size 0x1000.
2020-06-30 17:30:18,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x254 amd local view 0x6FD10000 to global list.
2020-06-30 17:30:18,359 [root] DEBUG: DLL loaded at 0x6FD10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 17:30:18,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x254.
2020-06-30 17:30:18,453 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 17:30:18,562 [root] DEBUG: set_caller_info: Adding region at 0x008B0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 17:30:18,562 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8bffff
2020-06-30 17:30:18,562 [root] DEBUG: DumpMemory: Nothing to dump at 0x008B0000!
2020-06-30 17:30:18,578 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008B0000 size 0x10000.
2020-06-30 17:30:18,578 [root] DEBUG: DumpPEsInRange: Scanning range 0x8b0000 - 0x8b1000.
2020-06-30 17:30:18,578 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8b0000-0x8b1000.
2020-06-30 17:30:18,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_946999402385011372020 (size 0x14)
2020-06-30 17:30:18,640 [root] DEBUG: DumpRegion: Dumped stack region from 0x008B0000, size 0x1000.
2020-06-30 17:30:18,671 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 17:30:18,875 [root] DEBUG: set_caller_info: Adding region at 0x008C0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 17:30:18,875 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8cffff
2020-06-30 17:30:18,875 [root] DEBUG: DumpMemory: Nothing to dump at 0x008C0000!
2020-06-30 17:30:18,890 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008C0000 size 0x10000.
2020-06-30 17:30:18,890 [root] DEBUG: DumpPEsInRange: Scanning range 0x8c0000 - 0x8cc000.
2020-06-30 17:30:18,921 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8c0000-0x8cc000.
2020-06-30 17:30:19,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_1359206429385011372020 (size 0xb0bb)
2020-06-30 17:30:19,031 [root] DEBUG: DumpRegion: Dumped stack region from 0x008C0000, size 0xc000.
2020-06-30 17:30:19,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x288 amd local view 0x6BF40000 to global list.
2020-06-30 17:30:19,328 [root] DEBUG: DLL loaded at 0x6BF40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 17:30:19,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x284 amd local view 0x6BD60000 to global list.
2020-06-30 17:30:19,375 [root] DEBUG: DLL loaded at 0x6BD60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-30 17:30:31,812 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 656, handle 0x280.
2020-06-30 17:30:31,875 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-06-30 17:30:31,906 [root] INFO: Process with pid 656 has terminated
2020-06-30 17:30:31,953 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 17:30:31,984 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 17:30:32,156 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 17:30:32,171 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-30 17:30:32,328 [root] DEBUG: DLL loaded at 0x6F8A0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-30 17:30:32,500 [root] DEBUG: DLL loaded at 0x6BD00000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-30 17:30:32,562 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-30 17:30:32,687 [root] INFO: Stopping WMI Service
2020-06-30 17:30:40,562 [root] INFO: Stopped WMI Service
2020-06-30 17:30:41,546 [lib.api.process] INFO: Monitor config for process 588: C:\tmp558c2t_g\dll\588.ini
2020-06-30 17:30:41,562 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:30:41,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:41,593 [root] DEBUG: Loader: Injecting process 588 (thread 0) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:30:41,593 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 17:30:41,609 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 17:30:41,609 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:30:41,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:30:41,640 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:41,640 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 588 at 0x000000006BC00000, image base 0x00000000FF500000, stack from 0x0000000001766000-0x0000000001770000
2020-06-30 17:30:41,656 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-06-30 17:30:41,718 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 17:30:41,718 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 17:30:41,781 [root] INFO: Loaded monitor into process with pid 588
2020-06-30 17:30:41,781 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 17:30:41,781 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 17:30:41,796 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:30:43,812 [root] INFO: Starting WMI Service
2020-06-30 17:30:43,937 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3016, handle 0x5f0.
2020-06-30 17:30:46,031 [root] INFO: Started WMI Service
2020-06-30 17:30:46,046 [lib.api.process] INFO: Monitor config for process 3016: C:\tmp558c2t_g\dll\3016.ini
2020-06-30 17:30:46,062 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:30:46,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:30:46,093 [root] DEBUG: Loader: Injecting process 3016 (thread 0) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:30:46,093 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 17:30:46,109 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:30:46,125 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:30:46,125 [root] INFO: Disabling sleep skipping.
2020-06-30 17:30:46,140 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3016 at 0x000000006BC00000, image base 0x00000000FF500000, stack from 0x00000000011C6000-0x00000000011D0000
2020-06-30 17:30:46,140 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-30 17:30:46,187 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 17:30:46,187 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 17:30:46,218 [root] INFO: Loaded monitor into process with pid 3016
2020-06-30 17:30:46,218 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 17:30:46,218 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 17:30:46,218 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:30:48,249 [root] DEBUG: DLL loaded at 0x6FD00000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-30 17:30:48,249 [root] DEBUG: DLL loaded at 0x6BB90000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-30 17:30:48,296 [root] DEBUG: DLL loaded at 0x6F880000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 17:30:48,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f4 amd local view 0x6BA60000 to global list.
2020-06-30 17:30:48,718 [root] DEBUG: DLL loaded at 0x6BA60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-06-30 17:30:48,921 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:49,000 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:49,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x344 amd local view 0x6F850000 to global list.
2020-06-30 17:30:49,093 [root] DEBUG: DLL loaded at 0x6F850000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-06-30 17:30:49,249 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:52,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:30:52,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:31:09,015 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-30 17:31:11,156 [root] DEBUG: DLL loaded at 0x730C0000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2020-06-30 17:31:11,187 [root] DEBUG: DLL loaded at 0x730A0000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2020-06-30 17:31:11,218 [root] DEBUG: DLL loaded at 0x73070000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2020-06-30 17:31:11,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c4 amd local view 0x06AE0000 to global list.
2020-06-30 17:31:11,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3b0 amd local view 0x06AF0000 to global list.
2020-06-30 17:31:11,718 [root] DEBUG: set_caller_info: Adding region at 0x06B30000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 17:31:11,718 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6b3ffff
2020-06-30 17:31:11,718 [root] DEBUG: DumpMemory: Nothing to dump at 0x06B30000!
2020-06-30 17:31:11,718 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06B30000 size 0x10000.
2020-06-30 17:31:11,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x6b30000 - 0x6b31000.
2020-06-30 17:31:11,718 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6b30000-0x6b31000.
2020-06-30 17:31:11,750 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\GdPEFN\CAPE\3008_179079937250021372020 (size 0x743)
2020-06-30 17:31:11,750 [root] DEBUG: DumpRegion: Dumped stack region from 0x06B30000, size 0x1000.
2020-06-30 17:31:11,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c8 amd local view 0x70670000 to global list.
2020-06-30 17:31:11,890 [root] DEBUG: DLL loaded at 0x70670000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-30 17:31:12,437 [root] DEBUG: DLL loaded at 0x73060000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-30 17:31:12,453 [root] DEBUG: DLL unloaded from 0x764D0000.
2020-06-30 17:31:12,859 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-30 17:31:12,859 [lib.api.process] INFO: Monitor config for process 472: C:\tmp558c2t_g\dll\472.ini
2020-06-30 17:31:12,875 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:31:12,890 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:31:12,890 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:12,890 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 17:31:12,890 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 17:31:12,906 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:31:12,906 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:31:12,906 [root] INFO: Disabling sleep skipping.
2020-06-30 17:31:12,906 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 472 at 0x000000006BC00000, image base 0x00000000FFF50000, stack from 0x0000000001106000-0x0000000001110000
2020-06-30 17:31:12,906 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-06-30 17:31:12,953 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 17:31:12,953 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 17:31:12,953 [root] INFO: Loaded monitor into process with pid 472
2020-06-30 17:31:12,968 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 17:31:12,968 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 17:31:12,968 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,062 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2440
2020-06-30 17:31:14,062 [lib.api.process] INFO: Monitor config for process 2440: C:\tmp558c2t_g\dll\2440.ini
2020-06-30 17:31:14,078 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:31:14,078 [root] DEBUG: DLL loaded at 0x000007FEF6790000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-06-30 17:31:14,093 [root] DEBUG: DLL loaded at 0x000007FEFAD80000: C:\Windows\system32\ATL (0x19000 bytes).
2020-06-30 17:31:14,093 [root] DEBUG: DLL loaded at 0x000007FEF6700000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-06-30 17:31:14,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:31:14,093 [root] DEBUG: Loader: Injecting process 2440 (thread 896) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,093 [root] DEBUG: Process image base: 0x00000000FFDB0000
2020-06-30 17:31:14,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,109 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:31:14,109 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,109 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2440
2020-06-30 17:31:14,125 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-30 17:31:14,125 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2440, ImageBase: 0x00000000FFDB0000
2020-06-30 17:31:14,125 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2440
2020-06-30 17:31:14,125 [lib.api.process] INFO: Monitor config for process 2440: C:\tmp558c2t_g\dll\2440.ini
2020-06-30 17:31:14,125 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:31:14,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:31:14,140 [root] DEBUG: Loader: Injecting process 2440 (thread 896) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,156 [root] DEBUG: Process image base: 0x00000000FFDB0000
2020-06-30 17:31:14,156 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,156 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 17:31:14,156 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:14,203 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2440
2020-06-30 17:31:14,218 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2440.
2020-06-30 17:31:14,218 [root] DEBUG: DLL loaded at 0x000007FEFA440000: C:\Windows\system32\samcli (0x14000 bytes).
2020-06-30 17:31:14,234 [root] DEBUG: DLL loaded at 0x000007FEFB520000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-06-30 17:31:14,249 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:31:14,249 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:31:14,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 amd local view 0x0000000002A20000 to global list.
2020-06-30 17:31:14,484 [root] DEBUG: DLL unloaded from 0x000007FEF6700000.
2020-06-30 17:31:15,218 [root] DEBUG: DLL unloaded from 0x000007FEFE9A0000.
2020-06-30 17:31:22,562 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:31:22,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x38c amd local view 0x06B20000 to global list.
2020-06-30 17:31:22,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x358 amd local view 0x06B20000 to global list.
2020-06-30 17:31:22,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x398 amd local view 0x06B20000 to global list.
2020-06-30 17:31:22,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3a0 amd local view 0x06B20000 to global list.
2020-06-30 17:31:22,750 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:31:29,500 [root] INFO: Process with pid 2440 has terminated
2020-06-30 17:31:29,640 [root] INFO: Announced starting service "b'WerSvc'"
2020-06-30 17:31:29,703 [root] INFO: Announced 64-bit process name: svchost.exe pid: 4284
2020-06-30 17:31:29,703 [lib.api.process] INFO: Monitor config for process 4284: C:\tmp558c2t_g\dll\4284.ini
2020-06-30 17:31:29,734 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:31:29,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:31:29,796 [root] DEBUG: Loader: Injecting process 4284 (thread 4356) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:29,875 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-30 17:31:29,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:29,921 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 17:31:29,921 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:29,953 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4284
2020-06-30 17:31:29,953 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup.
2020-06-30 17:31:29,953 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4284, ImageBase: 0x00000000FF500000
2020-06-30 17:31:29,953 [root] INFO: Announced 64-bit process name: svchost.exe pid: 4284
2020-06-30 17:31:29,953 [lib.api.process] INFO: Monitor config for process 4284: C:\tmp558c2t_g\dll\4284.ini
2020-06-30 17:31:29,953 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\wsjRzWC.dll, loader C:\tmp558c2t_g\bin\NLCErfdB.exe
2020-06-30 17:31:30,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\CdstCYWg.
2020-06-30 17:31:30,000 [root] DEBUG: Loader: Injecting process 4284 (thread 4356) with C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:30,000 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-30 17:31:30,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:30,046 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 17:31:30,046 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\wsjRzWC.dll.
2020-06-30 17:31:30,046 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 4284
2020-06-30 17:31:30,062 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4284.
2020-06-30 17:31:30,078 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 17:31:30,078 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 17:31:30,078 [root] INFO: Disabling sleep skipping.
2020-06-30 17:31:30,078 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 17:31:30,078 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 4284 at 0x000000006BC00000, image base 0x00000000FF500000, stack from 0x00000000001F5000-0x0000000000200000
2020-06-30 17:31:30,093 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2020-06-30 17:31:30,125 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 17:31:30,125 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 17:31:30,140 [root] INFO: Loaded monitor into process with pid 4284
2020-06-30 17:31:30,140 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 4284).
2020-06-30 17:31:30,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 amd local view 0x0000000002630000 to global list.
2020-06-30 17:31:30,187 [root] DEBUG: DLL loaded at 0x000007FEFBB10000: c:\windows\system32\wersvc (0x18000 bytes).
2020-06-30 17:31:30,249 [root] DEBUG: DLL unloaded from 0x000007FEFBB10000.
2020-06-30 17:31:30,249 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 4284).
2020-06-30 17:31:30,281 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 472, handle 0x41c.
2020-06-30 17:31:43,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3d0 amd local view 0x72F60000 to global list.
2020-06-30 17:31:49,000 [root] DEBUG: DLL loaded at 0x72F60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-06-30 17:31:49,343 [root] DEBUG: DLL loaded at 0x72ED0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-06-30 17:32:00,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:32:37,046 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:32:43,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3008.
2020-06-30 17:33:30,640 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4284
2020-06-30 17:33:30,734 [root] DEBUG: GetHookCallerBase: thread 4356 (handle 0x0), return address 0x00000000FF501D42, allocation base 0x00000000FF500000.
2020-06-30 17:33:30,750 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-30 17:33:30,750 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:33:31,203 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 17:33:31,203 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-30 17:33:31,203 [lib.api.process] INFO: Terminate event set for process 3008
2020-06-30 17:33:31,203 [root] DEBUG: Terminate Event: Attempting to dump process 3008
2020-06-30 17:33:31,437 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-30 17:33:31,437 [root] DEBUG: DLL loaded at 0x000007FEFCD60000: C:\Windows\System32\cryptbase (0xf000 bytes).
2020-06-30 17:33:31,546 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 17:33:31,546 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x45a00.
2020-06-30 17:33:31,562 [lib.api.process] INFO: Termination confirmed for process 3008
2020-06-30 17:33:31,562 [root] INFO: Terminate event set for process 3008.
2020-06-30 17:33:31,562 [lib.api.process] INFO: Terminate event set for process 588
2020-06-30 17:33:31,593 [root] DEBUG: DLL unloaded from 0x000007FEFD640000.
2020-06-30 17:33:31,593 [root] DEBUG: Terminate Event: Attempting to dump process 588
2020-06-30 17:33:31,593 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-30 17:33:31,593 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3008
2020-06-30 17:33:31,593 [root] INFO: Process with pid 4284 has terminated
2020-06-30 17:33:32,046 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:33:32,156 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-30 17:33:32,156 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-30 17:33:33,015 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 17:33:33,015 [lib.api.process] INFO: Termination confirmed for process 588
2020-06-30 17:33:33,015 [root] INFO: Terminate event set for process 588.
2020-06-30 17:33:33,015 [lib.api.process] INFO: Terminate event set for process 3016
2020-06-30 17:33:33,062 [root] DEBUG: Terminate Event: Attempting to dump process 3016
2020-06-30 17:33:33,125 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 588
2020-06-30 17:33:33,359 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-30 17:33:33,406 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:33:33,406 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-30 17:33:33,421 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-30 17:33:34,156 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 17:33:34,156 [lib.api.process] INFO: Termination confirmed for process 3016
2020-06-30 17:33:34,156 [root] INFO: Terminate event set for process 3016.
2020-06-30 17:33:34,156 [lib.api.process] INFO: Terminate event set for process 472
2020-06-30 17:33:34,203 [root] DEBUG: Terminate Event: Attempting to dump process 472
2020-06-30 17:33:34,203 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFF50000.
2020-06-30 17:33:34,218 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 17:33:34,218 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFF50000.
2020-06-30 17:33:34,218 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000001331C.
2020-06-30 17:33:35,281 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x50000.
2020-06-30 17:33:35,296 [lib.api.process] INFO: Termination confirmed for process 472
2020-06-30 17:33:35,296 [root] INFO: Terminate event set for process 472.
2020-06-30 17:33:35,296 [root] INFO: Created shutdown mutex.
2020-06-30 17:33:35,296 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 472
2020-06-30 17:33:36,296 [root] INFO: Shutting down package.
2020-06-30 17:33:36,296 [root] INFO: Stopping auxiliary modules.
2020-06-30 17:33:36,718 [lib.common.results] WARNING: File C:\GdPEFN\bin\procmon.xml doesn't exist anymore
2020-06-30 17:33:36,718 [root] INFO: Finishing auxiliary modules.
2020-06-30 17:33:36,718 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 17:33:36,718 [root] WARNING: Folder at path "C:\GdPEFN\debugger" does not exist, skip.
2020-06-30 17:33:36,765 [root] WARNING: Monitor injection attempted but failed for process 656.
2020-06-30 17:33:36,765 [root] WARNING: Monitor injection attempted but failed for process 2440.
2020-06-30 17:33:36,765 [root] INFO: Analysis completed.

Machine

Name win7x64_3
Label win7x64_7
Manager KVM
Started On 2020-06-30 17:32:16
Shutdown On 2020-06-30 17:37:10

File Details

File Name yyyyyy.exe
File Size 964608 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 1992-06-19 22:22:17
MD5 ad520c8794875fc5dfa4e5db1f97b634
SHA1 9b99a679b1d0df84f4f634ff16a182ee6086b44b
SHA256 b58248fcc771ae21b12857d72462c26ae30f3234bd5095986079c7b807791fa6
SHA512 b6792047c99a31e6d60f057f2b7b18a517fe97e7c55cdb510aa2344df283a6a5da0242887600a90fe1a6b9459fa424faeb4a6fb424fa6e3298b8ad378b428a13
CRC32 D2D9415A
Ssdeep 12288:N1JUuXUn6wUN4KSgqJ6wWska30/jgrTfz8BYnKFvkpzoMTK9tzxbz/9XYgMdNnQk:DOPXUWD6wEc0bp8RoMTKTNBYggNTx

Signatures

Behavioural detection: Executable code extraction - unpacking
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3008 trigged the Yara rule 'AgentTeslaV2'
Hit: PID 2108 trigged the Yara rule 'shellcode_patterns'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: yyyyyy.exe, PID 2108
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: yyyyyy.exe tried to sleep 488.277 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExA
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/AnimateWindow
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoAddRefServerProcess
DynamicLoader: ole32.dll/CoReleaseServerProcess
DynamicLoader: ole32.dll/CoResumeClassObjects
DynamicLoader: ole32.dll/CoSuspendClassObjects
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: kernel32.dll/GetModuleHandleW
CAPE extracted potentially suspicious content
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Injected PE Image: 32-bit executable
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
yyyyyy.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: CODE, entropy: 6.55, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00091400, virtual_size: 0x00091238
unknown section: name: DATA, entropy: 4.26, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000ea00, virtual_size: 0x0000e8dc
unknown section: name: BSS, entropy: 0.00, characteristics: IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00000d4d
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.49, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x0003ea00, virtual_size: 0x0003e984
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\yyyyyy.exe
Behavioural detection: Injection (Process Hollowing)
Injection: yyyyyy.exe(2108) -> yyyyyy.exe(3008)
Executed a process and injected code into it, probably while unpacking
Injection: yyyyyy.exe(2108) -> yyyyyy.exe(3008)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: NtCreateSection, type: modification
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
Network activity detected but not expressed in API logs
CAPE detected the AgentTeslaV2 malware family
File has been identified by 31 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware2
MicroWorld-eScan: Trojan.Delf.FareIt.Gen.4
VBA32: BScope.TrojanSpy.Swotter
FireEye: Generic.mg.ad520c8794875fc5
McAfee: Artemis!AD520C879487
Cybereason: malicious.9b1d0d
Arcabit: Trojan.Delf.FareIt.Gen.4
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: Trojan.Delf.FareIt.Gen.4
Paloalto: generic.ml
Rising: Spyware.Noon!8.E7C9 (CLOUD)
Endgame: malicious (high confidence)
Emsisoft: Trojan.Delf.FareIt.Gen.4 (B)
Invincea: heuristic
Trapmine: suspicious.low.ml.score
SentinelOne: DFI - Suspicious PE
Fortinet: W32/Injector.EEHO!tr
Microsoft: Trojan:Win32/Wacatac.C!ml
ZoneAlarm: UDS:DangerousObject.Multi.Generic
BitDefenderTheta: Gen:[email protected]
ALYac: Trojan.Delf.FareIt.Gen.4
MAX: malware (ai score=83)
Ad-Aware: Trojan.Delf.FareIt.Gen.4
Malwarebytes: Trojan.MalPack.DLF
ESET-NOD32: a variant of Win32/Injector.EMNR
Ikarus: Win32.Outbreak
MaxSecure: Trojan.Malware.300983.susgen
GData: Trojan.Delf.FareIt.Gen.4
CrowdStrike: win/malicious_confidence_90% (W)
Qihoo-360: HEUR/QVM05.1.417F.Malware.Gen
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
\xbfd8\x1efEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6BAE4BD4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Canada Central Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
oleaut32.dll.#9
oleaut32.dll.#4
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.FindNextFileW
kernel32.dll.ReadFile
oleaut32.dll.#204
oleaut32.dll.#203
oleaut32.dll.#179
kernel32.dll.UnmapViewOfFile
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.GetDynamicTimeZoneInformation
kernel32.dll.GetFileMUIPath
kernel32.dll.FreeLibrary
user32.dll.LoadStringW
user32.dll.GetLastInputInfo
oleaut32.dll.#201
kernel32.dll.CompareStringOrdinal
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
ole32.dll.OleInitialize
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.CoCreateGuid
sechost.dll.ConvertSidToStringSidW
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
wersvc.dll.ServiceMain
wersvc.dll.SvchostPushServiceGlobals
advapi32.dll.RegGetValueW
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
"C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe"
"C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe" 2 3008 9982203
C:\Windows\system32\lsass.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
VaultSvc
WerSvc

PE Information

Image Base: 0x00400000
Entry Point: 0x004921f0
Reported Checksum: 0x00000000
Actual Checksum: 0x000f4000
Minimum OS Version: 4.0
Compile Time: 1992-06-19 22:22:17
Import Hash: 175f794d98c9dcb0b47ae1ab1087c22c
Icon Exact Hash: a681900680711f2f859eb47451e90917
Icon Similarity Hash: c68702c89570054b3c9ca2561270189c

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00000400 0x00001000 0x00091238 0x00091400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
DATA 0x00091800 0x00093000 0x0000e8dc 0x0000ea00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.26
BSS 0x000a0200 0x000a2000 0x00000d4d 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x000a0200 0x000a3000 0x000024b6 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.86
.tls 0x000a2800 0x000a6000 0x00000018 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x000a2800 0x000a7000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.21
.reloc 0x000a2a00 0x000a8000 0x0000a224 0x0000a400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.62
.rsrc 0x000ace00 0x000b3000 0x0003e984 0x0003ea00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 7.49

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_ICON 0x000b60d0 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.61 None
RT_DIALOG 0x000b7178 0x00000052 LANG_NEUTRAL SUBLANG_NEUTRAL 2.56 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_RCDATA 0x000f17f0 0x000000f2 LANG_ENGLISH SUBLANG_ENGLISH_US 7.16 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f195c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_ICON 0x000f1970 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.92 None

Imports

0x4a3178 VirtualFree
0x4a317c VirtualAlloc
0x4a3180 LocalFree
0x4a3184 LocalAlloc
0x4a3188 GetVersion
0x4a318c GetCurrentThreadId
0x4a3198 VirtualQuery
0x4a319c WideCharToMultiByte
0x4a31a0 MultiByteToWideChar
0x4a31a4 lstrlenA
0x4a31a8 lstrcpynA
0x4a31ac LoadLibraryExA
0x4a31b0 GetThreadLocale
0x4a31b4 GetStartupInfoA
0x4a31b8 GetProcAddress
0x4a31bc GetModuleHandleA
0x4a31c0 GetModuleFileNameA
0x4a31c4 GetLocaleInfoA
0x4a31c8 GetCommandLineA
0x4a31cc FreeLibrary
0x4a31d0 FindFirstFileA
0x4a31d4 FindClose
0x4a31d8 ExitProcess
0x4a31dc WriteFile
0x4a31e4 RtlUnwind
0x4a31e8 RaiseException
0x4a31ec GetStdHandle
0x4a31f4 GetKeyboardType
0x4a31f8 LoadStringA
0x4a31fc MessageBoxA
0x4a3200 CharNextA
0x4a3208 RegQueryValueExA
0x4a320c RegOpenKeyExA
0x4a3210 RegCloseKey
0x4a3218 SysFreeString
0x4a321c SysReAllocStringLen
0x4a3220 SysAllocStringLen
0x4a3228 TlsSetValue
0x4a322c TlsGetValue
0x4a3230 LocalAlloc
0x4a3234 GetModuleHandleA
0x4a323c RegQueryValueExA
0x4a3240 RegOpenKeyExA
0x4a3244 RegFlushKey
0x4a3248 RegCloseKey
0x4a3250 lstrcpyA
0x4a3254 WriteFile
0x4a325c WaitForSingleObject
0x4a3260 VirtualQuery
0x4a3264 VirtualAlloc
0x4a3268 Sleep
0x4a326c SizeofResource
0x4a3270 SetThreadLocale
0x4a3274 SetFilePointer
0x4a3278 SetEvent
0x4a327c SetErrorMode
0x4a3280 SetEndOfFile
0x4a3284 ResetEvent
0x4a3288 ReadFile
0x4a328c MultiByteToWideChar
0x4a3290 MulDiv
0x4a3294 LockResource
0x4a3298 LoadResource
0x4a329c LoadLibraryA
0x4a32a8 GlobalUnlock
0x4a32ac GlobalReAlloc
0x4a32b0 GlobalHandle
0x4a32b4 GlobalLock
0x4a32b8 GlobalFree
0x4a32bc GlobalFindAtomA
0x4a32c0 GlobalDeleteAtom
0x4a32c4 GlobalAlloc
0x4a32c8 GlobalAddAtomA
0x4a32cc GetVersionExA
0x4a32d0 GetVersion
0x4a32d4 GetTickCount
0x4a32d8 GetThreadLocale
0x4a32dc GetSystemInfo
0x4a32e0 GetStringTypeExA
0x4a32e4 GetStdHandle
0x4a32e8 GetProcAddress
0x4a32ec GetModuleHandleA
0x4a32f0 GetModuleFileNameA
0x4a32f4 GetLocaleInfoA
0x4a32f8 GetLocalTime
0x4a32fc GetLastError
0x4a3300 GetFullPathNameA
0x4a3304 GetDiskFreeSpaceA
0x4a3308 GetDateFormatA
0x4a330c GetCurrentThreadId
0x4a3310 GetCurrentProcessId
0x4a3314 GetCPInfo
0x4a3318 GetACP
0x4a331c FreeResource
0x4a3320 InterlockedExchange
0x4a3324 FreeLibrary
0x4a3328 FormatMessageA
0x4a332c FindResourceA
0x4a3330 FindFirstFileA
0x4a3334 FindClose
0x4a3340 ExitThread
0x4a3344 ExitProcess
0x4a3348 EnumCalendarInfoA
0x4a3354 CreateThread
0x4a3358 CreateFileA
0x4a335c CreateEventA
0x4a3360 CompareStringA
0x4a3364 CloseHandle
0x4a336c VerQueryValueA
0x4a3374 GetFileVersionInfoA
0x4a337c UnrealizeObject
0x4a3380 StretchBlt
0x4a3384 SetWindowOrgEx
0x4a3388 SetWindowExtEx
0x4a338c SetWinMetaFileBits
0x4a3390 SetViewportOrgEx
0x4a3394 SetViewportExtEx
0x4a3398 SetTextColor
0x4a339c SetStretchBltMode
0x4a33a0 SetROP2
0x4a33a4 SetPixel
0x4a33a8 SetMapMode
0x4a33ac SetEnhMetaFileBits
0x4a33b0 SetDIBColorTable
0x4a33b4 SetBrushOrgEx
0x4a33b8 SetBkMode
0x4a33bc SetBkColor
0x4a33c0 SelectPalette
0x4a33c4 SelectObject
0x4a33c8 SelectClipPath
0x4a33cc SaveDC
0x4a33d0 RestoreDC
0x4a33d4 RectVisible
0x4a33d8 RealizePalette
0x4a33dc PolyPolyline
0x4a33e0 PlayEnhMetaFile
0x4a33e4 PatBlt
0x4a33e8 MoveToEx
0x4a33ec MaskBlt
0x4a33f0 LineTo
0x4a33f4 IntersectClipRect
0x4a33f8 GetWindowOrgEx
0x4a33fc GetWinMetaFileBits
0x4a3400 GetTextMetricsA
0x4a340c GetStockObject
0x4a3410 GetPixel
0x4a3414 GetPaletteEntries
0x4a3418 GetObjectA
0x4a3424 GetEnhMetaFileBits
0x4a3428 GetDeviceCaps
0x4a342c GetDIBits
0x4a3430 GetDIBColorTable
0x4a3434 GetDCOrgEx
0x4a343c GetClipBox
0x4a3440 GetBrushOrgEx
0x4a3444 GetBitmapBits
0x4a3448 ExtCreatePen
0x4a344c ExcludeClipRect
0x4a3450 DeleteObject
0x4a3454 DeleteEnhMetaFile
0x4a3458 DeleteDC
0x4a345c CreateSolidBrush
0x4a3460 CreatePenIndirect
0x4a3464 CreatePalette
0x4a346c CreateFontIndirectA
0x4a3470 CreateDIBitmap
0x4a3474 CreateDIBSection
0x4a3478 CreateCompatibleDC
0x4a3480 CreateBrushIndirect
0x4a3484 CreateBitmap
0x4a3488 CopyEnhMetaFileA
0x4a348c BitBlt
0x4a3494 CreateWindowExA
0x4a3498 WindowFromPoint
0x4a349c WinHelpA
0x4a34a0 WaitMessage
0x4a34a4 ValidateRect
0x4a34a8 UpdateWindow
0x4a34ac UnregisterClassA
0x4a34b0 UnionRect
0x4a34b4 UnhookWindowsHookEx
0x4a34b8 TranslateMessage
0x4a34c0 TrackPopupMenu
0x4a34c8 ShowWindow
0x4a34cc ShowScrollBar
0x4a34d0 ShowOwnedPopups
0x4a34d4 ShowCursor
0x4a34d8 SetWindowsHookExA
0x4a34dc SetWindowTextA
0x4a34e0 SetWindowPos
0x4a34e4 SetWindowPlacement
0x4a34e8 SetWindowLongA
0x4a34ec SetTimer
0x4a34f0 SetScrollRange
0x4a34f4 SetScrollPos
0x4a34f8 SetScrollInfo
0x4a34fc SetRect
0x4a3500 SetPropA
0x4a3504 SetParent
0x4a3508 SetMenuItemInfoA
0x4a350c SetMenu
0x4a3510 SetKeyboardState
0x4a3514 SetForegroundWindow
0x4a3518 SetFocus
0x4a351c SetCursor
0x4a3520 SetClipboardData
0x4a3524 SetClassLongA
0x4a3528 SetCapture
0x4a352c SetActiveWindow
0x4a3530 SendMessageA
0x4a3534 ScrollWindowEx
0x4a3538 ScrollWindow
0x4a353c ScreenToClient
0x4a3540 RemovePropA
0x4a3544 RemoveMenu
0x4a3548 ReleaseDC
0x4a354c ReleaseCapture
0x4a3558 RegisterClassA
0x4a355c RedrawWindow
0x4a3560 PtInRect
0x4a3564 PostQuitMessage
0x4a3568 PostMessageA
0x4a356c PeekMessageA
0x4a3570 OpenClipboard
0x4a3574 OffsetRect
0x4a3578 OemToCharA
0x4a357c MessageBoxA
0x4a3580 MessageBeep
0x4a3584 MapWindowPoints
0x4a3588 MapVirtualKeyA
0x4a358c LoadStringA
0x4a3590 LoadKeyboardLayoutA
0x4a3594 LoadIconA
0x4a3598 LoadCursorA
0x4a359c LoadBitmapA
0x4a35a0 KillTimer
0x4a35a4 IsZoomed
0x4a35a8 IsWindowVisible
0x4a35ac IsWindowEnabled
0x4a35b0 IsWindow
0x4a35b4 IsRectEmpty
0x4a35b8 IsIconic
0x4a35bc IsDialogMessageA
0x4a35c0 IsChild
0x4a35c4 IsCharAlphaNumericA
0x4a35c8 IsCharAlphaA
0x4a35cc InvalidateRect
0x4a35d0 IntersectRect
0x4a35d4 InsertMenuItemA
0x4a35d8 InsertMenuA
0x4a35dc InflateRect
0x4a35e4 GetWindowTextA
0x4a35e8 GetWindowRect
0x4a35ec GetWindowPlacement
0x4a35f0 GetWindowLongA
0x4a35f4 GetWindowDC
0x4a35f8 GetTopWindow
0x4a35fc GetSystemMetrics
0x4a3600 GetSystemMenu
0x4a3604 GetSysColorBrush
0x4a3608 GetSysColor
0x4a360c GetSubMenu
0x4a3610 GetScrollRange
0x4a3614 GetScrollPos
0x4a3618 GetScrollInfo
0x4a361c GetPropA
0x4a3620 GetParent
0x4a3624 GetWindow
0x4a3628 GetMessageTime
0x4a362c GetMenuStringA
0x4a3630 GetMenuState
0x4a3634 GetMenuItemInfoA
0x4a3638 GetMenuItemID
0x4a363c GetMenuItemCount
0x4a3640 GetMenu
0x4a3644 GetLastActivePopup
0x4a3648 GetKeyboardState
0x4a3650 GetKeyboardLayout
0x4a3654 GetKeyState
0x4a3658 GetKeyNameTextA
0x4a365c GetIconInfo
0x4a3660 GetForegroundWindow
0x4a3664 GetFocus
0x4a3668 GetDoubleClickTime
0x4a366c GetDlgItem
0x4a3670 GetDesktopWindow
0x4a3674 GetDCEx
0x4a3678 GetDC
0x4a367c GetCursorPos
0x4a3680 GetCursor
0x4a3684 GetClipboardData
0x4a3688 GetClientRect
0x4a368c GetClassNameA
0x4a3690 GetClassInfoA
0x4a3694 GetCaretPos
0x4a3698 GetCapture
0x4a369c GetActiveWindow
0x4a36a0 FrameRect
0x4a36a4 FindWindowA
0x4a36a8 FillRect
0x4a36ac EqualRect
0x4a36b0 EnumWindows
0x4a36b4 EnumThreadWindows
0x4a36bc EndPaint
0x4a36c0 EnableWindow
0x4a36c4 EnableScrollBar
0x4a36c8 EnableMenuItem
0x4a36cc EmptyClipboard
0x4a36d0 DrawTextA
0x4a36d4 DrawMenuBar
0x4a36d8 DrawIconEx
0x4a36dc DrawIcon
0x4a36e0 DrawFrameControl
0x4a36e4 DrawFocusRect
0x4a36e8 DrawEdge
0x4a36ec DispatchMessageA
0x4a36f0 DestroyWindow
0x4a36f4 DestroyMenu
0x4a36f8 DestroyIcon
0x4a36fc DestroyCursor
0x4a3700 DeleteMenu
0x4a3704 DefWindowProcA
0x4a3708 DefMDIChildProcA
0x4a370c DefFrameProcA
0x4a3710 CreatePopupMenu
0x4a3714 CreateMenu
0x4a3718 CreateIcon
0x4a371c CloseClipboard
0x4a3720 ClientToScreen
0x4a3724 CheckMenuItem
0x4a3728 CallWindowProcA
0x4a372c CallNextHookEx
0x4a3730 BeginPaint
0x4a3734 CharNextA
0x4a3738 CharLowerBuffA
0x4a373c CharLowerA
0x4a3740 CharUpperBuffA
0x4a3744 CharToOemA
0x4a3748 AdjustWindowRectEx
0x4a3754 Sleep
0x4a375c SafeArrayPtrOfIndex
0x4a3760 SafeArrayPutElement
0x4a3764 SafeArrayGetElement
0x4a376c SafeArrayAccessData
0x4a3770 SafeArrayGetUBound
0x4a3774 SafeArrayGetLBound
0x4a3778 SafeArrayCreate
0x4a377c VariantChangeType
0x4a3780 VariantCopyInd
0x4a3784 VariantCopy
0x4a3788 VariantClear
0x4a378c VariantInit
0x4a3794 CoUninitialize
0x4a3798 CoInitialize
0x4a37a0 GetErrorInfo
0x4a37a4 SysFreeString
0x4a37b4 ImageList_Write
0x4a37b8 ImageList_Read
0x4a37c8 ImageList_DragMove
0x4a37cc ImageList_DragLeave
0x4a37d0 ImageList_DragEnter
0x4a37d4 ImageList_EndDrag
0x4a37d8 ImageList_BeginDrag
0x4a37dc ImageList_Remove
0x4a37e0 ImageList_DrawEx
0x4a37e4 ImageList_Draw
0x4a37f4 ImageList_Add
0x4a37fc ImageList_Destroy
0x4a3800 ImageList_Create
0x4a3808 GetOpenFileNameA
0x4a3810 MulDiv

This program must be run under Win32
`DATA
.idata
.rdata
P.reloc
P.rsrc
Boolean
False
Smallint
Integer
Cardinal
Int64
Double
Currency
String
WideString
Variant
OleVariantp
TObject|
TObjectp
System
IInterface
System
TInterfacedObject
TBoundArray
System
TDateTime
SVWUQ
Z]_^[
YZ]_^[
w;;t$
SVWUQ
Z]_^[
YZ]_^[
Uh #@
_^[YY]
;= &J
_^[Y]
YZ]_^[
Uhe'@
_^[Y]
C<"u1S
Q<"u8S
,$YXZ
~KxI[)
BkU'9
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
_^[YY]
PPRTj
YZXtp
YZXtm1
ZTUWVSPRTj
t=HtN
Uhz>@
t-Rf;
t f;J
SVWRP
Z_^[X
tVSVWU
t1SVW
t-Rf;
t f;J
SVWUQ
Z]_^[
USVW1
USVW1
kernel32.dll
GetLongPathNameA
Uh%[@
Software\Borland\Locales
Software\Borland\Delphi\Locales
Uh[]@
_^[YY]
FFF;M
^[YY]
odSelected
odGrayed
odDisabled
odChecked
odFocused
odDefault
odHotLight
odInactive
odNoAccel
odNoFocusRect
odReserved1
odReserved2
odComboBoxEdit
Windows
TOwnerDrawState
_^[Y]
_^[Y]
_^[Y]
Magellan MSWHEEL
MouseZ
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
TFileName
EAbort
EHeapException
EOutOfMemory
EInOutError
EExternal
EExternalException
EIntError
EDivByZero
ERangeErrorp{@
EIntOverflow
EMathError
EInvalidOp
EZeroDivide
EOverflow
EUnderflow
EInvalidPointer
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
EOSError
ESafecallException
SysUtils
SysUtils
TThreadLocalCounter
$TMultiReadExclusiveWriteSynchronizer
SWSVj
SVWUQ
Z]_^[
False
_^[Y]
$Z_^[
$Z_^[
^[YY]
<*t"<0r=<9w9i
INFNAN
QS<$t
<'t$<"t
<#t&<0t%<.t,<,t3<'t5<"t1<Et:<et6<;tF
<#t'<0t#<.t
<Et$<et <;tS
_^[YY]
_^[YY]
$YZ_^[
t%HtIHtm
AM/PM
_^[YY]
SVWUQ
$Z]_^[
_^[Y]
QQQQQQSVW3
QQQQQSVW
D$PPj
D$LPj
_^[Y]
_^[YY]
TErrorRec
TExceptRec
t<HtH
$YZ^[
$YZ^[
WUWSj
YZ]_^[
_^[Y]
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
DVCLAL
SVWUQ
Z]_^[
kernel32.dll
GetDiskFreeSpaceExA
SVWUQ
(Z]_^[
SVWUQ
;w$t|
Z]_^[
;F$t=
;C$t4
_^[Y]
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
TCustomVariantType
TCustomVariantType
Variants
TVarDataArray
Variants
TInvokeableVariantType
EVariantInvalidOpError
EVariantTypeCastError
EVariantOverflowError
EVariantInvalidArgError
EVariantBadVarTypeError
EVariantBadIndexError
EVariantArrayLockedError
EVariantArrayCreateError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantUnexpectedErrorP
EVariantDispatchError
EVariantInvalidNullOpError
t?Htb
SVWUQ
Z]_^[
_^[YY]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
UhU#A
Uh])A
Uhd*A
Uhu+A
QQQQSV
Uh*6A
UhZ7A
Uh#=A
Uh>>A
UhfDA
Uh'IA
UhjJA
QQQQSV
UhtLA
UhDMA
Uh_NA
UhePA
UhxSA
FSVWUQ
Mt0MtU
Z]_^[
Uh3[A
Uhg]A
Uh/bA
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
Uh6fA
String
Array
ByRef
Uh\lA
]_^[]
$YZ]_^[
SVWUQ
Z]_^[
UhGsA
UhavA
Variants
Uh%wA
_^[YY]
_^[Y]
SVWUQ
Z]_^[
Uhk{A
TStringDesc
Variants
t~h((J
_^[Y]
TPublishableVariantType|
EPropertyError
EPropertyConvertError
False
_^[Y]
YZ_^[
_^[Y]
_^[Y]
_^[YY]
$YZ^[
tagEXCEPINFO
TAlignment
taLeftJustify
taRightJustify
taCenter
Classes
TBiDiMode
bdLeftToRight
bdRightToLeft
bdRightToLeftNoAlign
bdRightToLeftReadingOnly
Classes
ssShift
ssAlt
ssCtrl
ssLeft
ssRight
ssMiddle
ssDouble
Classes
TShiftState
THelpContext
THelpType
htKeyword
htContext
Classesh
TShortCut
TNotifyEvent
Sender
TObject
EStreamError
EFileStreamError
EFCreateError
EFOpenErrord
EFilerError
EReadError
EWriteErrorl
EClassNotFound
EResNotFound
EListError
EBitsError
EStringListError
EComponentError
EOutOfResources
EInvalidOperation
TList
TThreadList
TBits
TPersistent
TPersistent\
Classes
TInterfacedPersistent
TInterfacedPersistentL
Classes
TCollectionItem
TCollectionItem
Classes
TCollection
TCollection
Classes
TOwnedCollection
TOwnedCollection
Classes
IStringsAdapter
Classes
TStrings
TStrings
Classes
TStringItem
TStringListX
TStringList
Classes
TStream8
THandleStream
TFileStream$
TCustomMemoryStream
TMemoryStream
TResourceStream
TStreamAdapter
TClassFinder
TFiler
TReader
EThread
TComponentName
IDesignerNotify
Classes
TComponent
TComponent
Classes
NameT
TBasicActionLink
TBasicAction
TBasicAction
Classes
TIdentMapEntry
TRegGroup
TRegGroups
YZ]_^[
_^[Y]
_^[Y]
SVWUQ
u%CNu
Z]_^[
SVWUQ
$Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
$Z]_^[
_^[YY]
TIntConst
_^[Y]
_^[Y]
_^[YY]
_^[Y]
SVWUQ
Z]_^[
_^[Y]
%s[%d]
_^[Y]
W<CNu
Strings
_^[Y]
_^[Y]
^[YY]
S$_^[Y]
^[YY]
_^[YY]
SVWUQ
SdZ]_^[
SVWUQ
$Z]_^[
^[YY]
_^[Y]
TPropFixup
TPropIntfFixup
_^[YY]
Owner
_^[YY]
_^[Y]
C0_^[
Classes
_^[Y]
False
_^[YY]
QQQQ3
Uhc!B
%s_%d
Uh/$B
Uh[$B
Uhy%B
_^[YY]
^[YY]
UhW*B
UhD+B
Uhg.B
QQQQQQQS
Uhj5B
UhK5B
SVWUQ
Z]_^[
_^[Y]
S _^[
SVWUQ
Z]_^[
YZ_^[
SVWUQ
Z]_^[
G0_^[
;CDt:
R0_^[]
UhCAB
Uh.BB
_^[YY]
UhrDB
UhaDB
Uh?EB
TPUtilWindow
UhHHB
TColor
EInvalidGraphic
EInvalidGraphicOperation
TFontPitch
fpDefault
fpVariable
fpFixed
Graphics
TFontName
TFontCharset
TFontStyle
fsBold
fsItalic
fsUnderline
fsStrikeOut
Graphics
TFontStyles
TPenStyle
psSolid
psDash
psDot
psDashDot
psDashDotDot
psClear
psInsideFrame
Graphics
TPenMode
pmBlack
pmWhite
pmNop
pmNot
pmCopy
pmNotCopy
pmMergePenNot
pmMaskPenNot
pmMergeNotPen
pmMaskNotPen
pmMerge
pmNotMerge
pmMask
pmNotMask
pmXor
pmNotXor
Graphics
TBrushStyle
bsSolid
bsClear
bsHorizontal
bsVertical
bsFDiagonal
bsBDiagonal
bsCross
bsDiagCross
Graphics
TGraphicsObject
TGraphicsObject
Graphics
IChangeNotifier
Graphics
TFont
TFontTPB
Graphics
Charset
ColorT
Height
PitchT
Size|MB
Style
Graphics
Color
StyleT
Width
TBrush
TBrush
Graphics
Color
Style
TCanvas
TCanvas
Graphics
BrushT
CopyMode
TGraphic
TGraphic
Graphics
TPicture
TPicturelVB
Graphics
TSharedImage
TMetafileImage
TMetafile
TMetafile
Graphics
TBitmapImage
TBitmap
TBitmap
Graphics
TIconImage
TIcon
TIcon\ZB
Graphics
TResourceManager
^[YY]
UhS]B
_^[YY]
UhP^B
_^[Y]
Uhi_B
^[YY]
clBlack
clMaroon
clGreen
clOlive
clNavy
clPurple
clTeal
clGray
clSilver
clRed
clLime
clYellow
clBlue
clFuchsia
clAqua
clWhite
clMoneyGreen
clSkyBlue
clCream
clMedGray
clActiveBorder
clActiveCaption
clAppWorkSpace
clBackground
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clDefault
clGradientActiveCaption
clGradientInactiveCaption
clGrayText
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clMenu
clMenuBar
clMenuHighlight
clMenuText
clNone
clScrollBar
cl3DDkShadow
cl3DLight
clWindow
clWindowFrame
clWindowText
ANSI_CHARSET
DEFAULT_CHARSET
SYMBOL_CHARSET
MAC_CHARSET
SHIFTJIS_CHARSET
HANGEUL_CHARSET
JOHAB_CHARSET
GB2312_CHARSET
CHINESEBIG5_CHARSET
GREEK_CHARSET
TURKISH_CHARSET
HEBREW_CHARSET
ARABIC_CHARSET
BALTIC_CHARSET
RUSSIAN_CHARSET
THAI_CHARSET
EASTEUROPE_CHARSET
OEM_CHARSET
UhmhB
Default
UhQmB
Uh-pB
UheqB
UhzuB
UhUuB
Uh3uB
_^[Y]
$YZ^[
Uhz}B
Uh ~B
E$PVSj
YZ_^[
$Z_^[
_^[YY]
C ;C$s
TClipboardFormats
_^[YY]
_^[Y]
_^[YY]
S`_^[Y]
3TjdP
kD$TdP
3TjdP
kD$PdP
EMFt
?TjdR
D$LPkD$XdPV
?TjdR
D$HPkD$TdPV
|$( EMFt
^[YY]
TBitmapCanvas
TBitmapCanvas
Graphics
@pPV3
_^[YY]
<$BMt
T]_^[
s(;~ t8
D$*Ph
C(_^[Y]
\$4Vj
SVWjH
TPatternManagerSV
_^[YY]
TObjectList
TOrderedList
TStack
_^[Y]
GetMonitorInfoA
GetSystemMetrics
MonitorFromRect
MonitorFromWindow
MonitorFromPoint
>(r[j
GetMonitorInfo
DISPLAY
>(r[j
GetMonitorInfoA
DISPLAY
>(r[j
GetMonitorInfoW
DISPLAY
EnumDisplayMonitors
USER32.DLL
IHelpSelector
HelpIntfs
IHelpSystem
HelpIntfs
ICustomHelpViewer
HelpIntfs
IExtendedHelpViewer
HelpIntfs
ISpecialWinHelpViewer0
HelpIntfs
IHelpManager
HelpIntfs
EHelpSystemException
THelpViewerNode
THelpManager
R(FKu
_^[Y]
comctl32.dll
InitializeFlatSB
UninitializeFlatSB
FlatSB_GetScrollProp
FlatSB_SetScrollProp
FlatSB_EnableScrollBar
FlatSB_ShowScrollBar
FlatSB_GetScrollRange
FlatSB_GetScrollInfo
FlatSB_GetScrollPos
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_SetScrollRange
TSynchroObject
TCriticalSection
uxtheme.dll
OpenThemeData
CloseThemeData
DrawThemeBackground
DrawThemeText
GetThemeBackgroundContentRect
GetThemePartSize
GetThemeTextExtent
GetThemeTextMetrics
GetThemeBackgroundRegion
HitTestThemeBackground
DrawThemeEdge
DrawThemeIcon
IsThemePartDefined
IsThemeBackgroundPartiallyTransparent
GetThemeColor
GetThemeMetric
GetThemeString
GetThemeBool
GetThemeInt
GetThemeEnumValue
GetThemePosition
GetThemeFont
GetThemeRect
GetThemeMargins
GetThemeIntList
GetThemePropertyOrigin
SetWindowTheme
GetThemeFilename
GetThemeSysColor
GetThemeSysColorBrush
GetThemeSysBool
GetThemeSysSize
GetThemeSysFont
GetThemeSysString
GetThemeSysInt
IsThemeActive
IsAppThemed
GetWindowTheme
EnableThemeDialogTexture
IsThemeDialogTextureEnabled
GetThemeAppProperties
SetThemeAppProperties
GetCurrentThemeName
GetThemeDocumentationProperty
DrawThemeParentBackground
EnableTheming
IShellFolder
ShlObj
TCommonDialog
TCommonDialog
Dialogs
Ctl3D
HelpContext|
OnClose|
OnShow
TOpenOption
ofReadOnly
ofOverwritePrompt
ofHideReadOnly
ofNoChangeDir
ofShowHelp
ofNoValidate
ofAllowMultiSelect
ofExtensionDifferent
ofPathMustExist
ofFileMustExist
ofCreatePrompt
ofShareAware
ofNoReadOnlyReturn
ofNoTestFileCreate
ofNoNetworkButton
ofNoLongNames
ofOldStyleDialog
ofNoDereferenceLinks
ofEnableIncludeNotify
ofEnableSizing
ofDontAddToRecent
ofForceShowHidden
Dialogs
TOpenOptions
TOpenOptionEx
ofExNoPlacesBar
Dialogs
TOpenOptionsEx
TOFNotifyEx
TIncludeItemEvent
TOFNotifyEx
Include
Boolean
TOpenDialog
TOpenDialog
Dialogs
DefaultExt
FileName
FilterT
FilterIndex
InitialDir
Options
OptionsEx
Title
OnCanClose|
OnFolderChange|
OnSelectionChange|
OnIncludeItemSVW
_^[Y]
_^[Y]
;Ght4
FileEditStyle
8Z|03
@\@t*U
u"Vh_
Cancel
Abort
Retry
Ignore
NoToAll
YesToAll
commdlg_help
commdlg_FindReplace
WndProcPtr%.8X%.8X
TTimer
TTimer
ExtCtrls
Enabled
Interval|
OnTimerSV
_^[Y]
Uht#C
TClipboard
TClipboard4$C
Clipbrd
Sh`)C
_^[Y]
_^[Y]
Uhu'C
Uha(C
_^[Y]
Uh!*C
s'h`*C
Delphi Picture
Delphi Component
TCustomIniFile
THashItem
IniFiles
TStringHash
THashedStringList
THashedStringList
IniFiles
TMemIniFileSVW
_^[Y]
Uhi1C
Uh.1C
Uh!2C
UhV3C
_^[Y]
UhS4C
_^[Y]
_^[Y]
_^[Y]
Uh,8C
SVWUQ
Z]_^[
QQQQQSV
Uh2<C
QQQQSVW
_^[Y]
RD_^[
QH_^[
Q8FKu
Uh>AC
Uh!AC
Q8FKu
UhiBC
^[YY]
UhoDC
Wh8EC
_^[YY]
UhxEC
ERegistryException
TRegistryS
UhZIC
SVWUQ
Z]_^[
SVWUQ
Z]_^[
Uh0KC
MAPI32.DLL
Uh-LC
TConversion
TConversionFormat
comctl32.dll
TThemeServices
Theme manager
2001, 2002 Mike Lischke
^[YY]
!"#$%
UhSWC
TCustomEdit
TCustomEdit
StdCtrls
TabStop
TScrollStyle
ssNone
ssHorizontal
ssVertical
ssBoth
StdCtrls
TDrawItemEvent
Control
TWinControl
Index
Integer
TRect
State
TOwnerDrawState
Uh>^C
_^[YY]
D$8PS
THintAction
THintActionHcC
StdActns
UhQdC
TWinHelpViewer
_^[YY]
_^[YY]
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
_^[Y]
JumpID("","%s")
Uh:lC
_^[YY]
_^[Y]
MS_WINHELP
#32770
Uh"oC
Ph8nC
Uh-pC
UhzqC
TCursor
TAlign
alNone
alTop
alBottom
alLeft
alRight
alClient
alCustom
Controls
TDragObjectxrC
TDragObjectDrC
Controls
TBaseDragControlObject
TBaseDragControlObject
Controls
TDragControlObject
TDragControlObjectEx
TDragDockObject
TDragDockObject
Controls
TDragDockObjectEx
TControlCanvas
TControlCanvas(vC
Controls
TControlActionLink
TMouseButton
mbLeft
mbRight
mbMiddle
Controls
TDragMode
dmManual
dmAutomatic
Controls
TDragState
dsDragEnter
dsDragLeave
dsDragMove
Controls
TDragKind
dkDrag
dkDock
Controls
TTabOrder
TCaption
TAnchorKind
akLeft
akTop
akRight
akBottom
Controls
TAnchors
TConstraintSize
TSizeConstraints
TSizeConstraintsDyC
Controls
MaxHeight
MaxWidth
MinHeight
MinWidth
TMouseEvent
Sender
TObject
Button
TMouseButton
Shift
TShiftState
Integer
Integer
TMouseMoveEvent
Sender
TObject
Shift
TShiftState
Integer
Integer
TKeyEvent
Sender
TObject
Shift
TShiftState
TKeyPressEvent
Sender
TObject
TDragOverEvent
Sender
TObject
Source
TObject
Integer
Integer
State
TDragState
Accept
Boolean
TDragDropEvent
Sender
TObject
Source
TObject
Integer
Integer
TStartDragEvent
Sender
TObject
DragObject
TDragObject
TEndDragEvent
Sender
TObject
Target
TObject
Integer
Integer
TDockDropEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDockOverEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
State
TDragState
Accept
Boolean
TUnDockEvent
Sender
TObject
Client
TControl
NewTarget
TWinControl
Allow
Boolean
TStartDockEvent
Sender
TObject
DragObject
TDragDockObject
TGetSiteInfoEvent
Sender
TObject
DockClient
TControl
InfluenceRect
TRect
MousePos
TPoint
CanDock
Boolean
TCanResizeEvent
Sender
TObject
NewWidth
Integer
NewHeight
Integer
Resize
Boolean
TConstrainedResizeEvent
Sender
TObject
MinWidth
Integer
MinHeight
Integer
MaxWidth
Integer
MaxHeight
Integer
TMouseWheelEvent
Sender
TObject
Shift
TShiftState
WheelDelta
Integer
MousePos
TPoint
Handled
Boolean
TMouseWheelUpDownEvent
Sender
TObject
Shift
TShiftState
MousePos
TPoint
Handled
Boolean
TContextPopupEvent
Sender
TObject
MousePos
TPoint
Handled
Boolean
TControl
TControl
Controls
LeftT
WidthT
Height
Cursor
Hint,
HelpType
HelpKeyword
HelpContext
TWinControlActionLink
TImeName
TBorderWidth
IDockManager
Controls
TWinControl
TWinControlH
Controls
TCustomControl
TCustomControl$
Controls
THintWindow
THintWindow
Controls
TDockZone
TDockTree
TMouse
crDefault
crArrow
crCross
crIBeam
crSizeNESW
crSizeNS
crSizeNWSE
crSizeWE
crUpArrow
crHourGlass
crDrag
crNoDrop
crHSplit
crVSplit
crMultiDrag
crSQLWait
crAppStart
crHelp
crHandPoint
crSizeAll
crSize
TSiteList
%s (%s)
IsControl
DesignSize
USER32
WINNLSEnableIME
imm32.dll
ImmGetContext
ImmReleaseContext
ImmGetConversionStatus
ImmSetConversionStatus
ImmSetOpenStatus
ImmSetCompositionWindow
ImmSetCompositionFontA
ImmGetCompositionStringA
ImmIsIME
ImmNotifyIME
Delphi%.8X
ControlOfs%.8X%.8X
USER32
AnimateWindow
TContainedAction
TContainedAction
ActnList
Category
TCustomActionList
TCustomActionList(yD
ActnList
TShortCutList
TShortCutList
ActnList
TCustomAction
TCustomAction {D
ActnList
TActionLinkSV
TChangeLink
TImageIndex
TCustomImageList
TCustomImageList
ImgList
Bitmap
_^[Y]
comctl32.dll
comctl32.dll
ImageList_WriteEx
EMenuError
TMenuBreak
mbNone
mbBreak
mbBarBreak
Menus
TMenuChangeEvent
Sender
TObject
Source
TMenuItem
Rebuild
Boolean
TMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
Selected
Boolean
TAdvancedMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
State
TOwnerDrawState
TMenuMeasureItemEvent
Sender
TObject
ACanvas
TCanvas
Width
Integer
Height
Integer
TMenuItemAutoFlag
maAutomatic
maManual
maParent
Menus
TMenuAutoFlag
Menus
TMenuActionLink
TMenuItem
TMenuItem
Menus
Action
AutoCheckt
AutoHotkeyst
AutoLineReduction
Bitmap
Break
Caption
Checkedt
SubMenuImages
Default
Enabledl
GroupIndex
HelpContext
ImageIndex
RadioItemd
ShortCut
Visible|
OnClick
OnDrawItem
OnAdvancedDrawItem
OnMeasureItem
TMenu
TMenu,
Menus
Items
TMainMenu
TMainMenu
Menus
AutoHotkeys
AutoLineReduction
AutoMerge4
BiDiModet
Images
OwnerDraw
ParentBiDiMode
OnChange
TPopupAlignment
paLeft
paRight
paCenter
Menus
TTrackButton
tbRightButton
tbLeftButton
Menus8
TMenuAnimations
maLeftToRight
maRightToLeft
maTopToBottom
maBottomToTop
maNone
Menus
TMenuAnimation
TPopupMenu
TPopupMenu
Menus
Alignment
AutoHotkeys
AutoLineReduction
AutoPopup4
BiDiMode
HelpContextt
Images
MenuAnimation
OwnerDraw
ParentBiDiMode
TrackButton
OnChange|
OnPopup
TPopupList
TMenuItemStack
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
ShortCutText
TScrollBarInc
TScrollBarStyle
ssRegular
ssFlat
ssHotTrack
Forms
TControlScrollBar
TControlScrollBar
Forms
ButtonSize
Colorl
Increment
Margin
ParentColorT
PositionT
Range
SmoothT
StyleT
ThumbSize
Tracking
Visible
TWindowState
wsNormal
wsMinimized
wsMaximized
Forms
TScrollingWinControl
TScrollingWinControl
Forms
HorzScrollBar8
VertScrollBarD
TFormBorderStyle
bsNone
bsSingle
bsSizeable
bsDialog
bsToolWindow
bsSizeToolWin
Forms
TBorderStyle
Forms
IDesignerHook
Forms
IOleForm
Forms
TFormStyle
fsNormal
fsMDIChild
fsMDIForm
fsStayOnTop
Forms
TBorderIcon
biSystemMenu
biMinimize
biMaximize
biHelp
Forms
TBorderIcons
TPosition
poDesigned
poDefault
poDefaultPosOnly
poDefaultSizeOnly
poScreenCenter
poDesktopCenter
poMainFormCenter
poOwnerFormCenter
Forms
TDefaultMonitor
dmDesktop
dmPrimary
dmMainForm
dmActiveForm
Forms
TPrintScale
poNone
poProportional
poPrintToFit
Forms
TCloseAction
caNone
caHide
caFree
caMinimize
Forms
TCloseEvent
Sender
TObject
Action
TCloseAction
TCloseQueryEvent
Sender
TObject
CanClose
Boolean
TShortCutEvent
TWMKey
Handled
Boolean
THelpEvent
Command
Integer
CallHelp
Boolean
Boolean
TCustomForm
TCustomForm
Forms
TForm
TForm
FormsU
Action
ActiveControl
Align
AlphaBlendl
AlphaBlendValue
Anchors
AutoScroll
AutoSize4
BiDiMode
BorderStyle
BorderWidthlxC
CaptionT
ClientHeightT
ClientWidth
Color
TransparentColor
TransparentColorValuelyC
Constraints
Ctl3D
UseDockManager
DefaultMonitor
DockSite xC
DragKind
DragMode
Enabled
ParentFont
Font4
FormStyleT
Height
HelpFile8
HorzScrollBar
KeyPreviewh
OldCreateOrder
ObjectMenuItem
ParentBiDiModeT
PixelsPerInchT
PopupMenu
Position
PrintScale
Scaled
ScreenSnap
ShowHintT
SnapBuffer8
VertScrollBar
VisibleT
Width
WindowState
WindowMenu|
OnActivateT
OnCanResize|
OnClickl
OnClose
OnCloseQuery
OnConstrainedResizeP
OnContextPopup|
OnCreate|
OnDblClick|
OnDestroy|
OnDeactivate
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnGetSiteInfo|
OnHide0
OnHelp
OnKeyDownP{C
OnKeyPress
OnKeyUp(zC
OnMouseDown
OnMouseMove(zC
OnMouseUpT
OnMouseWheel
OnMouseWheelDown
OnMouseWheelUp|
OnPaint|
OnResize
OnShortCut|
OnShow|~C
OnStartDock
OnUnDock
TCustomDockForm
TCustomDockForm|!E
Forms
PixelsPerInch
TMonitor
TScreen
TScreen
Forms
TApplication
TApplication
Forms
PixelsPerInch
TextHeight
IgnoreFontProperty
MDICLIENT
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
layout text
TApplication
MAINICON
vcltest3.dll
RegisterAutomation
User32.dll
SetLayeredWindowAttributes
TaskbarCreated
TEditMask
EDBEditError
TCustomMaskEdit
TCustomMaskEdith
>'u f
EInvalidGridOperation
TInplaceEdit
TInplaceEditx
Grids
TCustomGridX
TCustomGrid8
Grids
TabStop
ColWidths
RowHeights
OutlineError
EOutlineError
TOutlineNode
TOutlineNode
Outline
EOutlineChange
Sender
TObject
Index
Integer
TOutlineStyle
osText
osPlusMinusText
osPictureText
osPlusMinusPictureText
osTreeText
osTreePictureText
Outline
TOutlineType
otStandard
otOwnerDraw
Outline
TOutlineOption
ooDrawTreeRoot
ooDrawFocusRect
ooStretchBitmaps
Outline
TOutlineOptions
TCustomOutline
TCustomOutline
Outline
TOutline
TOutline|dF
Outline2
Lines<aF
OutlineStyle
OnExpand
OnCollapse\bF
Options
StyleT
ItemHeight
OnDrawItem
Align
Enabled
Color
ParentColor
ParentCtl3D
Ctl3DTxC
TabOrder
TabStop
Visible|
OnClick
DragMode xC
DragKind
DragCursor
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag|~C
OnStartDockt|C
OnStartDrag|
OnEnter|
OnExit(zC
OnMouseDown
OnMouseMove(zC
OnMouseUp|
OnDblClick
OnKeyDownP{C
OnKeyPress
OnKeyUp
BorderStyle
ItemSeparator
PicturePlus
PictureMinus
PictureOpen
PictureClosed
PictureLeaf
ParentFont
ParentShowHint
ShowHintT
PopupMenu
ScrollBarsP
OnContextPopup
TOutlineStrings
TOutlineStrings
Outline
Nodes
MINUS
CLOSED
EBcdException
EBcdOverflowException
TFMTBcdVariantType
TFMTBcdData
TFMTBcdData
FMTBcd
AsCurrency
AsDoubleT
AsInteger<
AsSmallInt
AsStringU
%s %s
(%s%s)
-%s%s
%s-%s
%s%s-
-%s %s
%s %s-
%s %s
%s -%s
(%s- %s)
(%s %s)
_^[YY]
TLiteralInfo
V,#tR,
TSQLTimeStampVariantType
TSQLTimeStampData
TSQLTimeStampData
SqlTimSt
AsDateTime
AsString
Fractions
Minute
Month
Second<
^[YY]
EOleError
EOleSysError
EOleException
Apartment
Neutral
_^[Y]
ole32.dll
CoCreateInstanceEx
CoInitializeEx
CoAddRefServerProcess
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
QQQQQQQQSV
EDatabaseError
EUpdateError
TFieldType
ftUnknown
ftString
ftSmallint
ftInteger
ftWord
ftBoolean
ftFloat
ftCurrency
ftBCD
ftDate
ftTime
ftDateTime
ftBytes
ftVarBytes
ftAutoInc
ftBlob
ftMemo
ftGraphic
ftFmtMemo
ftParadoxOle
ftDBaseOle
ftTypedBinary
ftCursor
ftFixedChar
ftWideString
ftLargeint
ftADT
ftArray
ftReference
ftDataSet
ftOraBlob
ftOraClob
ftVariant
ftInterface
ftIDispatch
ftGuid
ftTimeStamp
ftFMTBcd
TCustomConnection
TCustomConnection\
TNamedItem
TNamedItem4
TDefCollection
TDefCollection
TFieldAttribute
faHiddenCol
faReadonly
faRequired
faLink
faUnNamed
faFixed
TFieldAttributes
TFieldDef
TFieldDef$
Attributes
ChildDefs|
DataTypeT
PrecisionT
TFieldDefs
TFieldDefsl
TIndexOption
ixPrimary
ixUnique
ixDescending
ixCaseInsensitive
ixExpression
ixNonMaintained
TIndexOptions
TIndexDef
TIndexDef
CaseInsFields
DescFields
Expression
Fields4
Options
SourceT
GroupingLevelT
TIndexDefs
TIndexDefsT
TFlatList
TFlatList
TFieldDefList
TFieldDefList
TFieldList
TFieldList,
TFieldKind
fkData
fkCalculated
fkLookup
fkInternalCalc
fkAggregate
TFields
TProviderFlag
pfInUpdate
pfInWhere
pfInKey
pfHidden
TProviderFlags
TFieldNotifyEvent
Sender
TField
TFieldGetTextEvent
Sender
TField
String
DisplayText
Boolean
TFieldSetTextEvent
Sender
TField
String
TAutoRefreshFlag
arNone
arAutoInc
arDefault
TLookupListEntry
TLookupList
TField
TField
Alignment
AutoGenerateValue
CustomConstraint
ConstraintErrorMessage
DefaultExpression
DisplayLabelT
DisplayWidth
FieldKind
FieldName
HasConstraintsT
Index
ImportedConstraintddG
LookupDataSet
LookupKeyFields
LookupResultField
KeyFields
LookupCache
Origin
ProviderFlags
ReadOnly
Required
Visible
OnChange<
OnGetText
OnSetText
OnValidate
TStringField
TStringField
EditMask
FixedCharT
Transliterate
TWideStringField
TWideStringField
TNumericField
TNumericField
Alignment
DisplayFormat
EditFormat
TIntegerField
TIntegerField
MaxValueT
MinValue
TSmallintField
TSmallintField
TLargeintField
TLargeintField
MaxValue
MinValue
TWordField
TWordField
TAutoIncField
TAutoIncField
TFloatField<2G
TFloatFieldL1G
currency
MaxValue
MinValueT
Precision
TCurrencyField
TCurrencyField43G
currency
TBooleanField
TBooleanField
DisplayValues
TDateTimeField
TDateTimeFieldp6G
DisplayFormatt
EditMask
TSQLTimeStampField
TSQLTimeStampField08G
DisplayFormatt
EditMask
TDateField
TDateField
TTimeField
TTimeFieldP;G
TBinaryField
TBinaryField
Size$>G
TBytesField
TBytesField$>G
TVarBytesField
TVarBytesField|?G
TBCDField
TBCDField
currency
MaxValue
MinValueT
PrecisionT
TFMTBCDField
TFMTBCDField
currency
MaxValue
MinValueT
PrecisionT
TBlobType
TBlobField
TBlobField$EG
BlobType
GraphicHeaderT
TMemoField
TMemoField
Transliterate
TGraphicField
TGraphicFieldpHG
TObjectField
TObjectField
ObjectType
TADTField
TADTField
TArrayField
TArrayField
TDataSetField
TDataSetFieldLNG
IncludeObjectField
TReferenceField
TReferenceField
ReferenceTableNameT
TVariantField
TVariantField
TInterfaceField
TInterfaceField
TIDispatchFielddUG
TIDispatchFieldpTG
TGuidField
TGuidField
TDataLink
TDataLink(WG
TDetailDataLinklXG
TDetailDataLink
TDataChangeEvent
Sender
TObject
Field
TField
TDataSourceXYG
TDataSource
AutoEditddG
DataSet
Enabled|
OnStateChange
OnDataChange|
OnUpdateData
TCheckConstraint
TCheckConstraint
CustomConstraint
ErrorMessage
FromDictionary
ImportedConstraint
TCheckConstraints
TCheckConstraints
TParamType
ptUnknown
ptInput
ptOutput
ptInputOutput
ptResult
TParam
TParam
DataTypeT
PrecisionT
NumericScale
Name|\G
ParamTypeT
Value
TParams
TParams
TBufferList
DB<_G
TDataSetNotifyEvent
DataSet
TDataSet
TPacketAttribute
TBlobByteData
TDataSet
TDataSet
Unknown
String
SmallInt
Integer
Boolean
Float
Currency
DateTime
Bytes
VarBytes
AutoInc
Graphic
FmtMemo
ParadoxOle
dBaseOle
TypedBinary
Cursor
FixedChar
WideString
LargeInt
Array
Reference
DataSet
HugeBlob
HugeClob
Variant
Interface
Dispatch
SQLTimeStamp
FMTBcdField
%s: %s
Required
_^[YY]
%s[%d]
%s[%d]
AttributeSet
Calculated
Lookup
Boolean
DateTime
$YZ^[
Float
Integer
SQLTimeStamp
Variant
FIELD
Gd_^[
Boolean
DateTime
Float
Integer
SQLTimeStamp
String
Variant
^[YY]
Variant
UnNamed
<Primary>
%s.%s
TDefaultDBScreenApplication
UhpVH
DISTINCT
ASCENDING
DESCENDING
SELECT
WHERE
GROUP
HAVING
UNION
UPDATE
ORDER
and
%s = ?
%s = :%s
where
inner join
outer join
ISQLDriver
DBXpress
ISQLConnection
DBXpress
ISQLCommand
DBXpress
ISQLCursor
DBXpress
ISQLMetaData
DBXpress
SPParamDesc
TSQLBlobStream
TTableScope
tsSynonym
tsSysTable
tsTable
tsView
SqlExpr
TTableScopes
TSQLConnectionLoginEvent
Database
TSQLConnection
LoginParams
TStrings
TSQLConnection
TSQLConnectionHnH
SqlExpr
ConnectionName
DriverName
GetDriverFunc
KeepConnection
LibraryName
LoadParamsOnConnect
LoginPrompt
Params
TableScope
VendorLib|
AfterConnect|
AfterDisconnect|
BeforeConnect|
BeforeDisconnect
OnLogin
Connected
TSQLDataLink
TSQLDataLink
SqlExpr
TSQLCommandType
ctQuery
ctTable
ctStoredProc
SqlExpr
TSQLSchemaInfo
SqlExpr
TCustomSQLDataSetxvH
TCustomSQLDataSet
SqlExpr
SchemaName
NoMetadata
GetMetadata
NumericMapping
ObjectView8_G
BeforeOpen8_G
AfterOpen8_G
BeforeClose8_G
AfterClose8_G
BeforeScroll8_G
AfterScroll8_G
BeforeRefresh8_G
AfterRefresh8_G
OnCalcFields
Active
TSQLDataSet
TSQLDataSet$yH
SqlExpr
CommandText
CommandTypeTYG
DataSourceT
MaxBlobSize
ParamCheck
Params
SortFieldNames
SQLConnection
\Software\Borland\DBExpress
dbxdrivers.ini
Driver Registry File
dbxconnections.ini
Connection Registry File
SqlExpr
TSQLParams
TSQLParams
SqlExpr
select
delete
insert
update
select
values
select
select *
select
values(
values (
USER_NAME
PASSWORD
DriverName
LibraryName
VendorLib
GetDriverFunc
Database
QQQQQQS
BlobSize
ErrorResourceFile
PASSWORD
USER_NAME
Database
PASSWORD
%s=%s
USER_NAME
Database
v?;Chw:
Clone1
PARAM_POSITION
PARAM_TYPE
PARAM_DATATYPE
PARAM_SUBTYPE
PARAM_PRECISION
PARAM_SCALE
PARAM_LENGTH
PARAM_NAME
Result
VendorLib
LibraryName
GetDriverFunc
VendorLib
LibraryName
GetDriverFunc
DriverName
^[YY]
VendorLib
LibraryName
HostName
RoleName
WaitOnLocks
CommitRetain
AutoCommit
BlockingMode
ServerCharSet
%s TransIsolation
repeatableread
dirtyread
SqlDialect
OS Authentication
Server Port
Multiple Transaction
Trim Char
Custom String
Connection Timeout
LocaleCode
QQQQSVW
BlobSize
%s_%d
select * from
where
0 = 1
RowsetSize
QQQQQSV
select * from
order by
_^[Y]
select
select count(*) from
distinct
where
order by
DesignerData
INDEX_NAME
COLUMN_NAME
INDEX_TYPE
SORT_ORDER
Database
USER_NAME
OpenDialog1
MainMenu1
PopupMenu1
Outline1
SQLDataSet1
TForm1
TForm1T
Unit1
GetSystemTimeAsFileTime
kernel32
FileTimeToSystemTime
Error
Runtime error at 00000000
0123456789ABCDEF
0123456789ABCDEF
MS Sans Serif
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
kernel32.dll
lstrcpyA
WriteFile
WaitForSingleObjectEx
WaitForSingleObject
VirtualQuery
VirtualAlloc
Sleep
SizeofResource
SetThreadLocale
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
ReadFile
MultiByteToWideChar
MulDiv
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetVersionExA
GetVersion
GetTickCount
GetThreadLocale
GetSystemInfo
GetStringTypeExA
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetCPInfo
GetACP
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumCalendarInfoA
EnterCriticalSection
DeleteCriticalSection
CreateThread
CreateFileA
CreateEventA
CompareStringA
CloseHandle
version.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
gdi32.dll
UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWindowExtEx
SetWinMetaFileBits
SetViewportOrgEx
SetViewportExtEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetMapMode
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SelectClipPath
SaveDC
RestoreDC
RectVisible
RealizePalette
PolyPolyline
PlayEnhMetaFile
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipBox
GetBrushOrgEx
GetBitmapBits
ExtCreatePen
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt
user32.dll
CreateWindowExA
WindowFromPoint
WinHelpA
WaitMessage
ValidateRect
UpdateWindow
UnregisterClassA
UnionRect
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
ShowCursor
SetWindowsHookExA
SetWindowTextA
SetWindowPos
SetWindowPlacement
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetKeyboardState
SetForegroundWindow
SetFocus
SetCursor
SetClipboardData
SetClassLongA
SetCapture
SetActiveWindow
SendMessageA
ScrollWindowEx
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageA
OpenClipboard
OffsetRect
OemToCharA
MessageBoxA
MessageBeep
MapWindowPoints
MapVirtualKeyA
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageA
IsChild
IsCharAlphaNumericA
IsCharAlphaA
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessageTime
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDoubleClickTime
GetDlgItem
GetDesktopWindow
GetDCEx
GetDC
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassInfoA
GetCaretPos
GetCapture
GetActiveWindow
FrameRect
FindWindowA
FillRect
EqualRect
EnumWindows
EnumThreadWindows
EnumClipboardFormats
EndPaint
EnableWindow
EnableScrollBar
EnableMenuItem
EmptyClipboard
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawFocusRect
DrawEdge
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
CloseClipboard
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
CharNextA
CharLowerBuffA
CharLowerA
CharUpperBuffA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
kernel32.dll
Sleep
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayGetElement
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopyInd
VariantCopy
VariantClear
VariantInit
ole32.dll
CoUninitialize
CoInitialize
oleaut32.dll
GetErrorInfo
SysFreeString
comctl32.dll
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetDragImage
ImageList_DragShowNolock
ImageList_SetDragCursorImage
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
comdlg32.dll
GetOpenFileNameA
kernel32.dll
MulDiv
;a?|?
0B0R0
041b1A2w2
2C3O3\3n3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6
75797=7X7\7`7|7
8<8T8b9
> >M>m>
>%?[?
151L1e1
2F2o2
657F7j748F8
9.9=9[9i96:H:
:_;2<A=L=(>
3'444[4
6:7a7o7~7
;<;$<
3/4d4
5 6V6
8;9b9|9
9W:h:y:
:{;9<e<
=+=5=
?9?_?
030\0
1)1R1{1
2E2k2
2k3z3
5*5K5l5
5_6n6
8E8i8
<L<{<
=F>U>
050O0[0h0z0
1<1L1\1d1h1l1p1t1x1|1
2$2:2B2^2f2}2
2O3[3
3 4,4d4p4L8e8
8'9G9
90:]:
::;J;e;
;(<D<S<j<D=c=~=
?T?c?z?
0'040F0L0l0t0x0|0
1 1(1,1014181<[email protected]^132c2
2=3{3
4Z5q5
:4:;:
;';:;g;[<
<f=o=u=~=
>#>0>;>M>^>k>q>x>~>
?0?8?<[email protected]?D?H?L?P?T?X?f?|?
1 10181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<[email protected]^2t2
3 3$383L3P3\3z3
4 4$4(4,4044484<[email protected]_4c4n4v4
5 [email protected]\5`5d5h5l5p5t5x5|5
546H6L6X6\6l6t6x6|6
727:7W7[7_7|7
8(8084888<[email protected]\8`8d8h8l8p8t8x8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
<P<p<x<|<
=5=<=
>6>>>H>h>p>t>x>|>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
1K1O1S1W1r1v1z1~1
2*2W2_2
4;4`4p4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6#6L6\6l6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
9*929N9V9v9~9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;%;@;P;`;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
=">H>X>h>p>t>x>|>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1 1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(282I2M2X2`2{2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4$484<4G4O4l4}4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$60646D6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
989P9T9_9g9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;$;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<<<L<P<\<l<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
?!?%[email protected]?P?X?\?`?d?h?l?p?t?x?|?
0 0$0(0,0004080<[email protected]
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2,242O2W2s2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4,444O4W4r4z4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$6(63676;6V6~6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
7$848D8L8P8T8X8\8`8d8h8l8p8t8x8|8
9 9$9(9,9094989<[email protected]{9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;8;H;X;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?0?4?H?[?_?j?r?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1E1d1t1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4$444D4L4P4T4X4\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]`5u5y5
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7
8 8$8(8,8084888<[email protected]}8
9 9$9(9,9094989<[email protected]
:*:T:`:d:t:|:
;!;D;L;k;
< <$<(<,<0<4<<<T<k<o<|<
= =$=(=,=0=4=8=F=N=V=h=t=x=
>4>S>W>[>_>t>
?8?f?l?
1!1%1)1-1115191=1A1E1I1M1Q1U1Y1]1a1y1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4:4B4P4T4d4r4v4Q7
8?8N8c8z8
;&<N<
4*5_5
777C7_7
9<:x:
:<;P;m;
<)=w=
>,?<?
4M5z5
7^8g8u8
9(:Y:
?#?J?
1B1r1
2:2C2
2 3Q3}3
4B4F4i4
4,5T5
97:U:q:
: ;d;
>4>[>
>+?v?
1=1g1{1
2F2o2
434]4
4+5R5
9n:i;
:/;A;n;E=
>M?f?
0;1b1
1*2H2s2
3.4L4
4%585T5
7D8W8j8
8L9|9f:w:
=P>`>
1 1H1p1
2F2n2
4,4c4q4
4/5f5
6=6P6a6
7!8>8q8
999q9
;o<a=j=x=
0M1e1
3$4o4
9>9g9
:@:g:
;5;c;
<=<h<
>E?X?t?
3>3_3
>M?X?
556B6
7!7%7)7-7175797=7A7E7U7
9#9'9+9<9
<A<`<g<
?"?O?t?
080f0
1#2P2z2
444`4
5K5v5
6K6x6
6%737\7
:G:r:
:H;Y;j;{;
313`3w3
7V7|7
7)8]8
:/:B:
;M<==
>L>n>
2 2H2
565z5
6#6E6I6M6Q6U6Y6]6
7P:T:X:\:`:d:h:l:p:t:x:
<-<g<
6S788E9F:
3/3[3w3
344q4
5"5&5*5.5F5b5p5t5|5
5'636:6D6N6Y6k6
6&7j7
8>8N8e8u8
8*9?9p9
: :5:I:^:
3<4}4/5s5
506v6
6#8V8
9,9=9`9p9
: :(:0:8:@:H:P:X:`:h:p:x:
; ;(;0;8;@;H;P;X;`;h;w;
< <$<(<,<0<4<8<<<@<D<H<L<P<V<^<o<{<
>$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
?0?4?D?H?L?m?u?
070]0e0~0
2 2$2(2,2024282<[email protected]~2
383D3H3X3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6"6*626:6B6J6R6Z6t6
8>8f8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
;%<-<J<R<p<
==>R>b>z>
>Z?_?
1?2I2
3%3C3d3
3>4y4
4-565P5e5
5G6r6
:0:F:
:1;K;h;
;X<h<x<
>)>F>o>
7?7t7
7%8A8
9<9V9
;!;)<
?;?]?p?
0D0w0
121S1r1
4.4>4p4
4R5k5
6M7c7
8-8B8\8z8
<+<b<
<==s=
>(>,>0>4>8><>@>"?Q?
2V2u2
5b5s5
5>6s6
6?7_7h7d9
<G<l<
1!292~2
2 393b3
3*4L4b4
5F5x5
6!6_6
667[7t7
728K8
;K;};
<D<R<k<
?C?_?
3+4\4|4
7G8m8(9/9M9Q9U9Y9]9a9e9i9
91:D:[:
:,;c;y;U<o<
<^=v=
=T>p>
?:?>?B?F?J?N?R?V?Z?^?b?f?
,1e1~192z2
526[6k6
8G9W9X:
=<>e>v>
>%?C?
1W1j1
2S3[3
3a4v4
5$5?5g5
:$:-:
;c;q;
=G=X=j=
3Z4+5X5]5
6!6D6P6
727^718{8
8'9+9/93979;9?9C9G9?;
1j273M3
3;4D4
6)7N7{7
;(;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<J<
<$=8=X=
='>3>@>U>f>s>|>
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2X2`2h2p2x2
8 8([email protected]`8h8p8x8
:T<X<\<`<d<h<l<p<t<x<|<
=P=`=h=p=x=
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*"*"$3338
"C338
"*"$33
"*:"$
"J"$3
:33:"$
"C8338
"J"C3333
3333:"$
#33338
33333
"J333333
33333:"$3333338
333333
$3333333
333333:"33333338
3333333
33333333
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
33DDDDD3333
33333333333
333333?
333333
333333
3333f3333333?
3336Dc3333338
333>fC333333
c333333
3333333333338
3333Dc3333333
3336fC3333338
333>fC333333
333>fd333333
fC33333
3333>fd333338
334C3
fC333?3
33fd3>fC333
fDFfC338
33>ffffc338
fff3333
33833
33338
3333333333338
4DF334DC33
333*C33
c33*C333
338?3
33338?383
F*F333383
"$c33333
"dc3333833
CjC338
CjC338
D*C33383
33333
3332*
C33333833?33
3333"
3333333
3334JC33333338?333
C3333333
C3333333
3333fc33333338
333333333333?
33333?
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
333DDD33333?
2C4"""D338
2$B""""C38
2""333:"C8
83338
2""#33:DC8
333338
33333
333333333333333
333333DDD3
:DC33:""$8
:"C333
$334B"$3
"DDB""$3
3:"""""
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
3333333
3333333
3333333
3333333
3333333
33333333
WRU9>:<~+(*
onn)+()_423
bbbB566
JJJ1333u)**
Gz||>
\[[qHHH>
7Project1
SqlExpr
8Registry
"RTLConsts
System
SysInit
KWindows
UTypes
^Classes
SysConst
3Messages
SysUtils
CVariants
$VarUtils
QTypInfo
sActiveX
IniFiles
"SqlConst
wDBConsts
DBConnAdmin
FComObj
qComConst
5MaskUtils
rSqlTimSt
_DateUtils
dFMTBcd
aDBCommon
~DBXpress
Outline
Consts
Forms
Printers
WWinSpool
+Graphics
CommCtrl
FlatSB
StdActns
Clipbrd
YStrUtils
*ShellAPI
&Controls
5Themes
nComCtrls
ComStrs
ExtActns
0Mapi
EActnList
vMenus
Contnrs
ImgList
dStdCtrls
Dialogs
ExtCtrls
IDlgs
3CommDlg
(ShlObj
RegStr
?WinInet
UrlMon
ExtDlgs
Buttons
CUxTheme
SyncObjs
RichEdit
ToolWin
ListActns
MultiMon
WinHelpViewer
RHelpIntfs
XGrids
Unit1
TForm1
Form1
Width
Height
Caption
0KJeutVldBm0IqiYC9TU6
Color
clBtnFace
Font.Charset
DEFAULT_CHARSET
Font.Color
clWindowText
Font.Height
Font.Name
MS Sans Serif
Font.Style
MainMenu1
OldCreateOrder
PixelsPerInch
TextHeight
TOutline
Outline1
Width
Height
ItemHeight
TabOrder
ItemSeparator
TOpenDialog
OpenDialog1
TMainMenu
MainMenu1
TPopupMenu
PopupMenu1
TSQLDataSet
SQLDataSet1
Params
OOOOOOOwK
pXX5m
OOOOOOOP\
/J#WR
OOOOOOO*Z
^OOOOOOO]
A7=L(
OOOOOOO(
OOOOOOOU
OOOOOOO
<KOOOOOOO-
OOOOOOO
XOOOOOOO
"OOOOOOO
>OOOOOOOb
_|PDj
{ ]lF
jHOOOOOOO
OOOOOOO
OOOOOOOfr
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
4OOOOOOOg'R
gOOOOOOOSt
YyM c"
OOOOOOO
G>FIr
}OOOOOOO
OOOOOOO
7NOOOOOOO
OOOOOOOm
OOOOOOO
(OOOOOOOnC
,\ jy
OOOOOOOa
OOOOOOO$
LZ+kbHS
YOOOOOOOB:o
v=_8-
#OOOOOOOX
OOOOOOO+
1:OOOOOOO
l~9wek
ROOOOOOO`
G"bdn
G\OOOOOOO
_QJ[Ty*
BOOOOOOOG*
OOOOOOOA7G
3OOOOOOO
+*s"u'%wuM
OOOOOOO
OOOOOOO9|LhL
fOOOOOOOG~
`;DTO
OOOOOOO
OOOOOOO
`Jja.
OOOOOOO
[A0>,v
OOOOOOO
6z#F`
OOOOOOOE
OOOOOOO
OOOOOOO
rH&(/j
sOOOOOOO
OOOOOOON
OOOOOOOJ
OOOOOOO
*CoOOOOOOO
OOOOOOO
OOOOOOO9
OOOOOOO
OOOOOOO
[OOOOOOO
OOOOOOOE
OOOOOOOL
7lpimd
hd^&~*
OOOOOOO
OOOOOOO
%BV'8
fOOOOOOO
OOOOOOO
OOOOOOO2
S7P]J
OOOOOOO
OOOOOOO
-OOOOOOOu
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
HnWH.y
OOOOOOOM
VT!EYO
OOOOOOO
OOOOOOOL
NMOOOOOOO
'SWOOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO*L
OOOOOOO
OOOOOOOX^
OOOOOOOC
{y/w~
OOOOOOOMi
OOOOOOOI
|^E%[
|OOOOOOO"b
OOOOOOO
OOOOOOO{
KVm]>8'
OOOOOOOg
OOOOOOOG
5C3#m
)KOOOOOOO
OOOOOOOO
.a H+4
rw),eOOOOOOO
OOOOOOO
OOOOOOO
1iOOOOOOOt
OOOOOOO
OOOOOOO
heb~H
:OOOOOOO
1OOOOOOO
}_`fG
OOOOOOOQ
}myOOOOOOO
OOOOOOO
\OOOOOOO
v>OOOOOOO
@OOOOOOOd
OOOOOOO#
OOOOOOO
OOOOOOO
EOOOOOOOF
b-OOOOOOO
OOOOOOO
pOOOOOOOZ
OOOOOOO
OOOOOOO
aOeH2
OOOOOOO
OOOOOOO3z=
XOOOOOOO
OOOOOOO.
9W7-:q
,OOOOOOO
|,OOOOOOO
YOOOOOOO
4vp>n
<OOOOOOO
s_OOOOOOOF
OOOOOOOY
COOOOOOO
e-7>~
OOOOOOO
OOOOOOO
qaHOOOOOOO
OOOOOOO
OOOOOOO
r=*0x
OOOOOOO
8~E8f
eOOOOOOO?:
n].Up
zyJNr
ta;OOOOOOO
`cLCg
OOOOOOO
F<cQT
5OOOOOOO
6nSW"61)
S)A#OOOOOOO
ldcLI
UOOOOOOO
OOOOOOO
Uy,p?n
pOOOOOOO
OOOOOOO*
mqOOOOOOO9K^
KOOOOOOO
OOOOOOO9
OOOOOOO
OOOOOOO.
95&V;
FOOOOOOO[
OOOOOOOT
OOOOOOO
-OOOOOOO
80EOOOOOOO`nc
B OZ:
OOOOOOO
OOOOOOO_0D
S8uea
OOOOOOO
OOOOOOOK
DK:WQ
UOOOOOOO
+cy:OOOOOOO:
gjx-2R
OOOOOOO
OOOOOOOf
z%:/W
n#OOOOOOO
OOOOOOO
gOOOOOOO
OOOOOOO2
[f[u|h
LOOOOOOO
#OOOOOOO
OOOOOOO"
OOOOOOO
OOOOOOOI<
OOOOOOOn
OOOOOOO
OOOOOOODm
sOOOOOOO
#JOOOOOOO
FEGOOOOOOOEgo
MOOOOOOO
3gHkqp
OOOOOOOO
OOOOOOO
pE['1QM;}
OOOOOOO
!M^*B
6_RweK1k
;OOOOOOO
UOOOOOOO
OOOOOOO
OOOOOOO
4OOOOOOO
w+^(xSb
OOOOOOOM
VOOOOOOOB
(+^3OOOOOOOB
@OOOOOOO
OOOOOOO'
OOOOOOO
OOOOOOOk
OOOOOOO
sEA^E
OOOOOOOi
L.^kROOOOOOO
OOOOOOO
OOOOOOO
\OOOOOOO
OOOOOOO
"5$_bG
OOOOOOO
OOOOOOO
D]=6Gf
OOOOOOO
FOOOOOOO
'6ggZ5
FcOOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
,8H5OOOOOOO
=x7oOOOOOOO
OOOOOOO
OOOOOOOW
OOOOOOO
OOOOOOO
QvOOOOOOO
OOOOOOO<=
?O!9F
OOOOOOOy
OOOOOOOK
8s_:TY_
hQZD~5OOOOOOOSRhWc
uDV|nt
ROOOOOOO
OOOOOOO=<
@OOOOOOOO
OOOOOOO
6UWF'
DOOOOOOOE4
eOOOOOOO`
+%OOOOOOO(l
OOOOOOO
<OOOOOOO
TOOOOOOO
)N_mK
EOOOOOOO
_N[\2_
g``dt
pOOOOOOO
bOOOOOOOK
OOOOOOO
OOOOOOO
OOOOOOO
E)v^t
OOOOOOO
OOOOOOO
OOOOOOO]
OOOOOOO/
OOOOOOO
OOOOOOOgI
OOOOOOO+m
OOOOOOO.
OOOOOOO4
OOOOOOO
eOOOOOOO$
@xE!M
OOOOOOO
2OOOOOOO
OOOOOOO4
*sjOOOOOOO
$kOOOOOOO>
OOOOOOO
K"#OOOOOOO
pOOOOOOO
OOOOOOOv
OOOOOOO
OOOOOOO_
>Ccvt
<<OOOOOOO
t4Gtq
dOOOOOOO
OOOOOOO
OOOOOOO`V$
mD${}9%
OOOOOOOt(s
OOOOOOO/
f~G+4
OOOOOOO
OOOOOOO
4COOOOOOOU
H9k'%s
OOOOOOO
dO^1S4k
m~'vn
OOOOOOO
XOOOOOOO6!
'OOOOOOO
GOOOOOOO
OOOOOOO
OOOOOOO
OOOOOOOe
OOOOOOO
OOOOOOOZ`
OOOOOOOWj.
OOOOOOO
OOOOOOO
OOOOOOO
Ws{pz
OOOOOOO
g_7*`
wOOOOOOO'>
OOOOOOO
OOOOOOOj
1o[OOOOOOO
OOOOOOO&
%OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
a41y#
PyrH0
i|ec&
,OOOOOOO
OOOOOOO
POOOOOOOM]
OOOOOOO
GTaYD0^
bOOOOOOO*
:\HiOOOOOOO
w;.^Wl
OOOOOOO
OOOOOOO7
OOOOOOO
"=ZpA
UOOOOOOO
OOOOOOO
Vib<'
81Nx#
6M+wv
OOOOOOO
OOOOOOOy
OOOOOOO
)P^+~/G
OOOOOOO
OOOOOOO
@G{Nz
OOOOOOOqzRI
OOOOOOO
>y|oQ
(OOOOOOOx
OOOOOOO
@] }n
OOOOOOO
_OOOOOOO
OOOOOOO
B({OOOOOOOK
9wWNr
OOOOOOOL
t%OOOOOOOW
`(|H.
OOOOOOO/
KOOOOOOO
OOOOOOO|Z
9/|8_
nOOOOOOOI
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
$89Od[U
OOOOOOO
OOOOOOO
.-OOOOOOOW
vOOOOOOOY
OOOOOOO
^OOOOOOO
\w?t0
AOOOOOOO
OOOOOOO
5hOOOOOOO9
nMSEX
OOOOOOO
ybR{z
tOOOOOOO=
)n*]OOOOOOOf
OOOOOOO
OOOOOOO
)zi^OOOOOOO
`W9,)x
'52OOOOOOO|
yOOOOOOO
OOOOOOO
km})n
.OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
kf6T|
0OOOOOOO
X;OOOOOOO&0
OOOOOOO
OOOOOOO
2OOOOOOO7D
OOOOOOO
<OOOOOOO
$OOOOOOO
OOOOOOO
+gMN<x
OOOOOOO
hOOOOOOO
~/cxD)
AkBau
OOOOOOO
OOOOOOO
OOOOOOO
rOOOOOOO
TsOOOOOOO
W'OOOOOOO
U5->[
OOOOOOO
OOOOOOO.
OOOOOOO
OOOOOOOh.k5
&b"V!
OOOOOOO
OOOOOOO.
uX"4U2]
KOOOOOOO.
OOOOOOO
lOOOOOOO3
XOOOOOOO
OOOOOOOr
POOOOOOO)
gOOOOOOOt
OOOOOOO
OOOOOOO
AOOOOOOO
POOOOOOOy
OOOOOOO
MHOOOOOOO
OOOOOOO
OOOOOOO
cOOOOOOO
OOOOOOO
OOOOOOO
zOOPOOOOO
Y1OOOOOOO<+
FLOOOOOOOOR
$OOOOOOO#8c
OOOOOOO
{OOOOOOO
OOOOOOO
<[ *TY
~OOOOOOO
J=BhA
OOOOOOOl
OOOOOOO
XOOOOOOO
xOOOOOOO
)RvAd
OOOOOOO
oqiMr
OOOOOOO8O
OOOOOOO
gOOOOOOO
OOOOOOO
OOOOOOO
NfOOOOOOOz
$^OOOOOOO#
OOOOOOO
OOOOOOO
OOOOOOO}
d,S.H
AOOOOOOOW
qv{#i=
NOOOOOOO
OOOOOOO
!z#Ya
OOOOOOOUF
+G^|0
OOOOOOORq
OOOOOOO5
OOOOOOO
?8OOOOOOO
SOOOOOOO
OOOOOOO
sOOOOOOOo:
OOOOOOO
OOOOOOOd
]+LOOOOOOO
OOOOOOOM
OOOOOOO
GML7]
OOOOOOO
vOOOOOOOKlT
OOOOOOO
OOOOOOO
d`#`N:
QOOOOOOO
OOOOOOO
OOOOOOOK
j#I2v
[OOOOOOOd2
1AE_z
OOOOOOOM
Sn[&:
hc!/P
OOOOOOO
H9?|Z
9$OOOOOOO
tOOOOOOO
dpE5w=
OOOOOOO
pOOOOOOO
)>-ya7
OOOOOOO
OOOOOOO
OOOOOOO:
-EOOOOOOO
EnH-'?V8
A9-a8Br
OOOOOOO
OOOOOOOG
|l(OOOOOOOh
OOOOOOO
/!OOOOOOO[
OOOOOOO/R
OOOOOOOm
OOOOOOO
?IEO1
OOOOOOO
@[N&Ji
OOOOOOO
OOOOOOO
OOOOOOO
.*OOOOOOOQ&
OOOOOOO
fOOOOOOO
OOOOOOOt
@O|-Z
Eys}E
UOOOOOOO
OOOOOOO
%OOOOOOO
OOOOOOOBF
zOOOOOOOj
_FBbke
H\OOOOOOOu
OOOOOOO
OOOOOOO
OOOOOOO[q
bOOOOOOO
sH5DA
OOOOOOOpX
OOOOOOO
I=)n(
OOOOOOO
UOOOOOOO
OOOOOOO
Z)6!OOOOOOO
0s;9u
OOOOOOOA
;OOOOOOO
L_#OOOOOOO
OOOOOOO4
jOOOOOOO
OOOOOOO
X<{47
OOOOOOOT
r0|^Q+
P&.Ofb
5=OOOOOOO
OOOOOOO
OOOOOOO
#OOOOOOO
{OOOOOOOQ
OOOOOOOV*
OOOOOOO!
<OOOOOOOo
L_/<.
$OOOOOOO
OOOOOOO
Za-RG9
B;OOOOOOO
YOOOOOOO
OOOOOOOyk
@EW$k
OOOOOOO
OOOOOOO!
OCN1=
guoEx%
nOOOOOOO
OOOOOOO
OOOOOOO
C,i_\
OOOOOOO7E
H'Bfy
OOOOOOO
.OOOOOOO2
OOOOOOO
7OOOOOOO
9XOOOOOOO4w
r;7`;yv
qOOOOOOO9
@OOOOOOO
Y3TfA<J
OOOOOOO
OOOOOOO[
OOOOOOO8
OOOOOOO
OOOOOOO2
]*$CHv
JVLOOOOOOO
OOOOOOO
6OOOOOOOy
j,Q>r]
aOOOOOOO
OOOOOOO
OOOOOOO`
(/@WOOOOOOO"rv
}vOOOOOOO'
OOOOOOOg5
KH.6+=k
v<psB
OOOOOOO
_O4O1
XGru(z2OOOOOOO
OOOOOOO[]|
OOOOOOO
OOOOOOOV
OOOOOOO
"C:NS"
OOOOOOOi
AL[_>
oUt](
OOOOOOOc7
OOOOOOO
OOOOOOO\rP~
OOOOOOO|
Y9d7y
OOOOOOO
/|OOOOOOO
+4T_,
OOOOOOO
l$7xx638v=F
bkOOOOOOO
OOOOOOO
=}bOOOOOOOO5
@OOOOOOO
VeOOOOOOO"
hkt9g
OOOOOOO
OOOOOOO
wOOOOOOO
OOOOOOO|
=#a19K
kJOOOOOOO5L
-SOOOOOOO
OOOOOOOy
P6'r Y/
OOOOOOO
_J:Oa
4OOOOOOO
?OOOOOOO
OOOOOOO
^.4WOOOOOOO7%
OOOOOOO
)^~Hd
OOOOOOO
OOOOOOO
,oTfM
OOOOOOO
OOOOOOO
[FhMp,
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
@OOOOOOO"
OOOOOOO^
paLx_Qz2
oQAb3
OOOOOOO1>F4
5`Eh1w
4OOOOOOO>C
/uf}|
'OOOOOOO
rOOOOOOO
lOOOOOOO
OOOOOOO
_OOOOOOO
OOOOOOO
_-OOOOOOO
OOOOOOO
OOOOOOO
`OOOOOOOr
<2[OOOOOOO
OOOOOOO{
OOOOOOOBh
4OOOOOOO
OOOOOOO
OOOOOOO
}rS2f
OOOOOOO
7#^;)
OOOOOOO
"OOOOOOOdLt
NOOOOOOOep
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
+VOOOOOOO
OOOOOOOq>
OOOOOOO
7D1;1
OOOOOOO
OOOOOOO
zOOOOOOO
OOOOOOO
OOOOOOO\W
rOOOOOOOy
bFk>fa
a/a|5
OOOOOOO
)41 Y
OOOOOOO
MOOOOOOO-
OOOOOOO
LA#Nf
OOOOOOO
(8Kb+Y
OOOOOOO
OOOOOOOe
OOOOOOO
OOOOOOO
OOOOOOO/$U
xfK);v
OOOOOOO
*`BeJ
OOOOOOO
OOOOOOO
OOOOOOOd
~{OOOOOOO
OOOOOOO
@r'EU
OOOOOOO
RY5d`
+OOOOOOO#[X
WU:d3BOOOOOOOj
OOOOOOO:g
OOOOOOOB
OOOOOOO
^@T]$
VOOOOOOO
OOOOOOO
.OOOOOOOQC
!OOOOOOOp
4OOOOOOO
OOOOOOOK3
OOOOOOO
OOOOOOO
TOOOOOOOn
)NOOOOOOO
OOOOOOO
2U?zOOOOOOOl
m-#,5#
OOOOOOO
OOOOOOO
YOOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
OOOOOOO
;OOOOOOO?
OOOOOOO
zr.?s;
OOOOOOOgI;
OOOOOOO
J*X;T
OOOOOOO
OOOOOOOU
.OOOOOOOT
P!/hK
OOOOOOO_
=OOOOOOO+
OOOOOOO{
yry;j
OOOOOOO
AOOOOOOO
OOOOOOO
OOOOOOO{
OOOOOOOR=
OOOOOOO]>zi
ro0v4OOOOOOO
<OOOOOOO
c-)?Aln
OOOOOOO
'b_qH
MOOOOOOO".^
_OOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOPK
dk["W
Z4;u<
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
jjjjj
jjjjjj
ebutton
clock
combobox
explorerbar
header
listview
progress
rebar
scrollbar
startpanel
status
taskband
taskbar
toolbar
tooltip
trackbar
traynotify
treeview
window
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBRETRY
BBYES
CLOSED
MINUS
PREVIEWGLYPH
DLGTEMPLATE
DVCLAL
PACKAGEINFO
TFORM1
MAINICON
MS Sans Serif
"dbExpress Error: Invalid Precision
dbExpress Error: Invalid Length4dbExpress Error: Invalid Transaction Isolation Level'dbExpress Error: Invalid Transaction ID)dbExpress Error: Duplicate Transaction [email protected] Error: Application is not licensed to use this feature1dbExpress Error: Local Transaction already active2dbExpress Error: Multiple Transactions not Enabled/Multiple Connections not supported by %s driver&Driver (%s) not found in Cfg file (%s),Object type name required as parameter value
Cannot create file %s
DLL/Shared Library Name not Set.Driver/Connection Registry File '%s' not found
Cursor not returned from Query
SQL Error: Error mapping failed*DBX Error: No Mapping for Error Code Found2dbExpress Error: Insufficient Memory for Operation#dbExpress Error: Invalid Field Type
dbExpress Error: Invalid Handle
dbExpress Error: Invalid Time(dbExpress Error: Operation Not Supported)dbExpress Error: Invalid Data Translation"dbExpress Error: Invalid Parameter.dbExpress Error: Parameter/Column out of Range"dbExpress Error: Parameter Not Set"dbExpress Error: Result set at EOF*dbExpress Error: Invalid Username/Password
3Cannot perform this operation on an open connection4Cannot perform this operation on a closed connection2SQLConnection property required for this operation
Connection name missing
No SQL statement available
No value for parameter '%s'+Missing query, table name or procedure name
Missing Database property
Missing DriverName property
Unable to execute Query
Table/Procedure not found&Unable to determine field names for %s
There is no active transaction
A transaction is already active
Unable to Load %s
Unable to Find Procedure %s
Execute not supported: %s1Operation not allowed on a unidirectional dataset
Unassigned variant value
Record not found!FileName property cannot be blank
BCD overflow
%s is not a valid BCD value
Invalid format type for BCD$Could not parse SQL TimeStamp string
Invalid SQL date/time values
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot connect to database '%s'*Cannot change connection on Active Monitor
1Field '%s' cannot be a calculated or lookup field
Duplicate index name '%s'
Index '%s' not found"Circular datalinks are not allowed/Lookup information for field '%s' is incomplete
DataSource cannot be changed0Cannot perform this operation on an open dataset"Dataset not in edit or insert mode1Cannot perform this operation on a closed dataset#Nested dataset must inherit from %s
False
Parameter '%s' not found
Unable to load bind parameters$Field '%s' is of an unsupported type
SQL not supported: %s
Field name missing
Duplicate field name '%s'
Field '%s' not found#Cannot access field '%s' as type %s
Invalid value for field '%s'E%g is not a valid value for field '%s'. The allowed range is %g to %gE%s is not a valid value for field '%s'. The allowed range is %s to %s0'%s' is not a valid integer value for field '%s'0'%s' is not a valid boolean value for field '%s'7'%s' is not a valid floating point value for field '%s'6Type mismatch for field '%s', expecting: %s actual: %s6Size mismatch for field '%s', expecting: %d actual: %d+Invalid variant type or size for field '%s'#Value of field '%s' is out of range
Field '%s' must have a value
Field '%s' has no dataset
Inactive Caption Text
Info Background
Info Text
Menu Background
Menu Text
Scroll Bar
3D Dark Shadow
3D Light
Window Background
Window Frame
Window Text
No help keyword specified.
Invalid field size
Invalid FieldKind Field '%s' is of an unknown type
Medium Gray
Active Border
Active Caption
Application Workspace
Background
Button Face
Button Highlight
Button Shadow
Button Text
Caption Text
Default
Gray Text
Highlight Background
Highlight Text
Inactive Border
Inactive Caption
Olive
Purple
Silver
Yellow
Fuchsia
White
Money Green
Sky Blue
Cream
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Docked control must have a name%Error removing control from dock tree
- Dock zone not found
- Dock zone has no control"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Black
Maroon
Green
Enter
Space
Right
Shift+
Ctrl+
Warning
Error
Information
Confirm
Cancel
&Help
&Abort
&Retry
&Ignore
N&o to All
Yes to &All
&Close
&Ignore
&Retry
Abort
Cannot drag a form
Outline index not found
Parent must be expanded
Invalid value for current item
Invalid input value7Invalid input value. Use escape key to abandon changes
Invalid outline index
Invalid selection
File load error
Line too long
Maximum outline depth exceeded
!Control '%s' has no parent window
Cannot hide an MDI Child Form)Cannot change Visible in OnShow or OnHide"Cannot make a visible window modal
Menu index out of range
Menu inserted twice
Sub-menu is not in menu
Not enough timers [email protected] cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
Cancel
&Help
Stream write error
Bitmap image is not valid
Icon image is not valid
Metafile is not valid!Cannot change the size of an icon
Unsupported clipboard format
Out of system resources
Canvas does not allow drawing
Invalid image size
Invalid ImageList
Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context
Error creating window class+Cannot focus a disabled or invisible window
Invalid property value
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
Error reading %s%s%s: %s
Stream read error
Property is read-only
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list Too many rows or columns deleted$%s not in a class registration group
Property %s does not exist
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s1Fixed column count must be less than column count+Fixed row count must be less than row count
Cannot open file "%s". %s
Grid too large for operation
Grid index out of range
Invalid stream format$''%s'' is not a valid component name
Invalid property value
Invalid property element: %s
Invalid property path
Invalid property type: %s
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
January
February
March
April
August
September
October
November
December
?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
A call to an OS function failed/Application is not licensed to use this feature
/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Variant overflow
Invalid argument
Invalid variant type
Operation not supported
Unexpected variant error
External exception %x
Assertion failed
Interface not supported
Exception in safecall method
%s (%s, line %d)
Abstract Error
(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Write
Format string too long$Error creating variant or safe array)Variant or safe array index out of bounds
Variant or safe array is locked
Invalid variant type conversion
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range
Invalid numeric input
Division by zero
Range check error
Integer overflow Invalid floating point operation
Floating point division by zero
Floating point overflow
Floating point underflow
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Access violation
Stack overflow
Control-C hit
Privileged instruction
Operation aborted
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp
Invalid argument to time encode
Invalid argument to date encode
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full

Full Results

Engine | Signature | Engine | Signature | Engine | Signature
Bkav | W32.AIDetectVM.malware2 | MicroWorld-eScan | Trojan.Delf.FareIt.Gen.4 | VBA32 | BScope.TrojanSpy.Swotter
FireEye | Generic.mg.ad520c8794875fc5 | CAT-QuickHeal | Clean | McAfee | Artemis!AD520C879487
Cylance | Clean | Zillya | Clean | SUPERAntiSpyware | Clean
Sangfor | Clean | K7AntiVirus | Clean | Alibaba | Clean
K7GW | Clean | Cybereason | malicious.9b1d0d | Arcabit | Trojan.Delf.FareIt.Gen.4
TrendMicro | Clean | Baidu | Clean | F-Prot | Clean
Symantec | Clean | TotalDefense | Clean | APEX | Malicious
Avast | Clean | ClamAV | Clean | Kaspersky | UDS:DangerousObject.Multi.Generic
BitDefender | Trojan.Delf.FareIt.Gen.4 | NANO-Antivirus | Clean | Paloalto | generic.ml
AegisLab | Clean | Rising | Spyware.Noon!8.E7C9 (CLOUD) | Endgame | malicious (high confidence)
TACHYON | Clean | Emsisoft | Trojan.Delf.FareIt.Gen.4 (B) | Comodo | Clean
F-Secure | Clean | DrWeb | Clean | VIPRE | Clean
Invincea | heuristic | Trapmine | suspicious.low.ml.score | CMC | Clean
Sophos | Clean | SentinelOne | DFI - Suspicious PE | Cyren | Clean
Jiangmin | Clean | eGambit | Clean | Avira | Clean
Fortinet | W32/Injector.EEHO!tr | Antiy-AVL | Clean | Kingsoft | Clean
Microsoft | Trojan:Win32/Wacatac.C!ml | ViRobot | Clean | ZoneAlarm | UDS:DangerousObject.Multi.Generic
Avast-Mobile | Clean | Cynet | Clean | AhnLab-V3 | Clean
Acronis | Clean | BitDefenderTheta | Gen:[email protected] | ALYac | Trojan.Delf.FareIt.Gen.4
MAX | malware (ai score=83) | Ad-Aware | Trojan.Delf.FareIt.Gen.4 | Malwarebytes | Trojan.MalPack.DLF
Zoner | Clean | ESET-NOD32 | a variant of Win32/Injector.EMNR | TrendMicro-HouseCall | Clean
Tencent | Clean | Yandex | Clean | Ikarus | Win32.Outbreak
MaxSecure | Trojan.Malware.300983.susgen | GData | Trojan.Delf.FareIt.Gen.4 | Webroot | Clean
AVG | Clean | Panda | Clean | CrowdStrike | win/malicious_confidence_90% (W)
Qihoo-360 | HEUR/QVM05.1.417F.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.1 9040 192.168.1.8 49176
192.168.1.1 9040 192.168.1.8 49177
192.168.1.1 9040 192.168.1.8 49178
192.168.1.8 49175 13.107.42.23 443
192.168.1.8 49177 13.107.42.23 443

UDP

Source Source Port Destination Destination Port
192.168.1.8 65129 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 17:33:40.173 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 17:33:40.173 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 17:33:40.174 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 17:33:40.174 192.168.1.8 [VT] 49177 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 17:33:40.310 192.168.1.8 [VT] 49178 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 17:33:40.174 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 17:33:40.310 192.168.1.8 [VT] 49178 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 17:33:40.368 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 17:33:40.381 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 17:33:40.437 192.168.1.8 [VT] 49177 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.8 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49178 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name yyyyyy.exe
PID 2108
Dump Size 968192 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe
Type PE image: 32-bit executable
PE timestamp 1992-06-19 22:22:17
MD5 1ad317281cc8ba560b9e0d7994e7f755
SHA1 4e8b3b43545dd919eb9b8fee029544a8ab9d5c6c
SHA256 aa7e8044aa483d13d1ee375662136ed7813794d71c48d6529380561f28da8c7e
CRC32 C14B478C
Ssdeep 12288:W1JUuXUn6wUN4KSgqJ6wWska30/jgrTfz8BYnKFvkpzoMTKrtzxGz/9XYgMdNnQA:+OPXUWD6wEc0bp8RoMTKhNaYggNT
Dump Filename aa7e8044aa483d13d1ee375662136ed7813794d71c48d6529380561f28da8c7e
Process Name yyyyyy.exe
PID 3008
Dump Size 285184 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\yyyyyy.exe
Type PE image: 32-bit executable
PE timestamp 2020-06-23 12:19:35
MD5 6a85de41493c30e754f60d23b4289a90
SHA1 2f9a550061aefa730ebc48023b26a0b5c9396adc
SHA256 e4bcec9d3006e699df0cf9d6630549fb577b51ad63334262b73d17bc0f67f48d
CRC32 8F8586E0
Ssdeep 6144:fMDHwwJGExk2yLodZzlTxScBNeY7Q9v0:c22yLuZBggYY7
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen
Dump Filename e4bcec9d3006e699df0cf9d6630549fb577b51ad63334262b73d17bc0f67f48d
Process Name svchost.exe
PID 588
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 fd54122244783010b9ec6570d8bc490b
SHA1 e3012d1dd879cdfcc271a7336ec693a95a341fdc
SHA256 6b49dcd2d6b4681dd29054e7c5728554e06c65cedb2555b89c72ec5b649251d8
CRC32 4BCF1305
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojvPKW9C5bW:bWkX7q+f5TYvVeZMmn+0C4xZEbvKvPK
Dump Filename 6b49dcd2d6b4681dd29054e7c5728554e06c65cedb2555b89c72ec5b649251d8
Process Name services.exe
PID 472
Dump Size 327680 bytes
Module Path C:\Windows\sysnative\services.exe
Type PE image: 64-bit executable
PE timestamp 2015-04-13 02:02:59
MD5 3d08e3e6fb3428620894b7d1f587921e
SHA1 2d96de52dc9251b635252972da123c62c46674d5
SHA256 9e0c10f2400b2f991f78985958ffb704efd4fab751e4e67cea831b8531cdbe8c
CRC32 97FFDE82
Ssdeep 6144:HX+dGqMuImU4Zkt8kjM7vFLFb/2JBH4EtLcN8ZE21uqw3LIBm:HX+dGluImU4s8m/zMJI
Dump Filename 9e0c10f2400b2f991f78985958ffb704efd4fab751e4e67cea831b8531cdbe8c
Process Name svchost.exe
PID 3016
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 57b580bf5a8dd2f8c22ae2f0a66acc96
SHA1 6cb7bb6f722464cae5f2eb3b77af02ba5b38e96e
SHA256 f6d87c7e911e8468e9ce579b67b5b49892f74173dedb15ebec280a3c75eb8ec6
CRC32 5A8C7498
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojyfPKW9C56:bWkX7q+f5TYvVeZMmn+0C4xZEbvK8PK
Dump Filename f6d87c7e911e8468e9ce579b67b5b49892f74173dedb15ebec280a3c75eb8ec6
Process Name svchost.exe
PID 4284
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 75eac1402847e5ad8925dfa78d632110
SHA1 80b19325556c12b851fa97b054e491db4be76da9
SHA256 7572c532b679b8be03a2d0c78a2b629ba78adc409a3240e1f2fb58fd3f830ff9
CRC32 0E3D4821
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojiPKW9C5bW:bWkX7q+f5TYvVeZMmn+0C4xZEbvKiPK
Dump Filename 7572c532b679b8be03a2d0c78a2b629ba78adc409a3240e1f2fb58fd3f830ff9
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1089 - Disabling Security Tools
    • Signature - antisandbox_unhook
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name
Credential Access
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser
Collection
  • T1005 - Data from Local System
    • Signature - infostealer_browser
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 28.306 seconds )

    • 18.299 BehaviorAnalysis
    • 5.3 Suricata
    • 3.072 Static
    • 0.646 CAPE
    • 0.283 VirusTotal
    • 0.251 NetworkAnalysis
    • 0.197 ProcDump
    • 0.09 TargetInfo
    • 0.066 AnalysisInfo
    • 0.046 Strings
    • 0.038 Deduplicate
    • 0.01 Debug
    • 0.008 peid

    Signatures ( 1.0390000000000006 seconds )

    • 0.151 antiav_detectreg
    • 0.056 infostealer_ftp
    • 0.052 territorial_disputes_sigs
    • 0.037 decoy_document
    • 0.035 api_spamming
    • 0.035 masquerade_process_name
    • 0.034 Doppelganging
    • 0.033 infostealer_im
    • 0.032 lsass_credential_dumping
    • 0.032 antianalysis_detectreg
    • 0.031 NewtWire Behavior
    • 0.03 antiav_detectfile
    • 0.028 injection_createremotethread
    • 0.025 InjectionCreateRemoteThread
    • 0.018 infostealer_bitcoin
    • 0.017 antivm_vbox_keys
    • 0.016 antianalysis_detectfile
    • 0.015 InjectionInterProcess
    • 0.014 infostealer_mail
    • 0.013 injection_explorer
    • 0.012 antivm_vbox_files
    • 0.012 ransomware_files
    • 0.011 antivm_vmware_keys
    • 0.01 antiemu_wine_func
    • 0.01 dynamic_function_loading
    • 0.009 exec_crash
    • 0.008 malicious_dynamic_function_loading
    • 0.008 antivm_parallels_keys
    • 0.008 antivm_xen_keys
    • 0.008 ransomware_extensions
    • 0.007 antidebug_guardpages
    • 0.007 antivm_generic_disk
    • 0.007 guloader_apis
    • 0.007 infostealer_browser_password
    • 0.007 geodo_banking_trojan
    • 0.007 predatorthethief_files
    • 0.007 qulab_files
    • 0.006 kovter_behavior
    • 0.006 mimics_filetime
    • 0.005 exploit_heapspray
    • 0.005 reads_self
    • 0.005 stealth_file
    • 0.005 virus
    • 0.005 antivm_generic_diskreg
    • 0.005 antivm_vpc_keys
    • 0.004 antiav_avast_libs
    • 0.004 antivm_generic_scsi
    • 0.004 antivm_vbox_libs
    • 0.004 betabot_behavior
    • 0.004 bootkit
    • 0.004 exploit_getbasekerneladdress
    • 0.004 kibex_behavior
    • 0.004 antidbg_devices
    • 0.004 antivm_vmware_files
    • 0.003 antidbg_windows
    • 0.003 exploit_gethaldispatchtable
    • 0.003 hancitor_behavior
    • 0.003 hawkeye_behavior
    • 0.003 infostealer_browser
    • 0.003 network_tor
    • 0.003 persistence_autorun
    • 0.003 stack_pivot
    • 0.003 stealth_timeout
    • 0.002 antiav_bitdefender_libs
    • 0.002 antiav_emsisoft_libs
    • 0.002 antiav_apioverride_libs
    • 0.002 antiav_nthookengine_libs
    • 0.002 antisandbox_sboxie_libs
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 antivm_generic_services
    • 0.002 dyre_behavior
    • 0.002 encrypted_ioc
    • 0.002 kazybot_behavior
    • 0.002 office_com_load
    • 0.002 OrcusRAT Behavior
    • 0.002 shifu_behavior
    • 0.002 vawtrak_behavior
    • 0.002 antivm_xen_keys
    • 0.002 antivm_hyperv_keys
    • 0.002 antivm_vbox_devices
    • 0.002 ketrican_regkeys
    • 0.002 bypass_firewall
    • 0.002 codelux_behavior
    • 0.002 darkcomet_regkeys
    • 0.002 masslogger_files
    • 0.002 limerat_regkeys
    • 0.002 rat_pcclient
    • 0.002 recon_fingerprint
    • 0.001 InjectionProcessHollowing
    • 0.001 antiav_bullgaurd_libs
    • 0.001 antiav_qurb_libs
    • 0.001 antivm_vmware_libs
    • 0.001 Vidar Behavior
    • 0.001 injection_runpe
    • 0.001 office_vb_load
    • 0.001 office_wmi_load
    • 0.001 process_interest
    • 0.001 blackrat_registry_keys
    • 0.001 rat_nanocore
    • 0.001 recon_programs
    • 0.001 tinba_behavior
    • 0.001 antisandbox_fortinet_files
    • 0.001 antisandbox_threattrack_files
    • 0.001 antivm_generic_bios
    • 0.001 antivm_generic_system
    • 0.001 antivm_vpc_files
    • 0.001 banker_cridex
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 network_tor_service
    • 0.001 medusalocker_regkeys
    • 0.001 revil_mutexes
    • 0.001 dcrat_files
    • 0.001 modirat_bheavior
    • 0.001 obliquerat_files
    • 0.001 warzonerat_files
    • 0.001 warzonerat_regkeys
    • 0.001 remcos_files
    • 0.001 remcos_regkeys
    • 0.001 sniffer_winpcap
    • 0.001 tampers_etw
    • 0.001 targeted_flame

    Reporting ( 21.359000000000005 seconds )

    • 18.111 BinGraph
    • 3.141 JsonDump
    • 0.068 SubmitCAPE
    • 0.039 MITRE_TTPS