Auto Tasks

#17824: Unpacker

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-30 13:53:07 2020-06-30 13:59:21 374 seconds Show Options Show Log
route = tor
2020-05-13 09:29:40,746 [root] INFO: Date set to: 20200630T13:47:47, timeout set to: 200
2020-06-30 13:47:47,062 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-06-30 13:47:47,062 [root] DEBUG: Storing results at: C:\ouJBLas
2020-06-30 13:47:47,062 [root] DEBUG: Pipe server name: \\.\PIPE\oSqtImjyKb
2020-06-30 13:47:47,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:47:47,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:47:47,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:47:47,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:47:47,625 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:47:47,625 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:47:47,625 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:47:48,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:47:48,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:47:48,578 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:47:48,734 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:47:48,750 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:47:48,750 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:47:48,765 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:47:48,812 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:47:48,812 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:47:48,859 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:47:48,859 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:47:48,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:47:48,906 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:47:48,921 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:47:48,953 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:47:48,953 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:47:52,671 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:47:52,687 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:47:52,843 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:47:52,843 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:47:52,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:47:52,843 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:47:52,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:47:52,859 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:47:52,859 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:47:52,859 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:47:52,859 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:47:52,859 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:47:52,859 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:47:52,859 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:47:52,859 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:47:52,859 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:47:52,859 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:47:52,859 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:47:52,859 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:47:52,859 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:47:54,625 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:47:54,625 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:47:54,625 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:47:54,625 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:47:54,625 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:47:54,625 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:47:54,640 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:47:54,656 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:47:54,656 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:47:54,656 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:47:54,656 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:47:54,656 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:47:54,656 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:47:54,656 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:47:54,687 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:47:54,687 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:47:54,687 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:47:54,687 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:47:54,687 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:47:54,687 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:47:54,687 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:47:54,687 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:47:54,687 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:47:54,687 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:47:54,687 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:47:54,703 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:47:54,703 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:47:54,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:47:54,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:47:54,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:47:54,703 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:47:54,734 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Account details.exe" with arguments "" with pid 4084
2020-06-30 13:47:54,734 [lib.api.process] INFO: Monitor config for process 4084: C:\tmp558c2t_g\dll\4084.ini
2020-06-30 13:47:54,734 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\EVkepc.dll, loader C:\tmp558c2t_g\bin\SZlwDYo.exe
2020-06-30 13:47:54,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:47:54,968 [root] DEBUG: Loader: Injecting process 4084 (thread 1756) with C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:54,968 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:47:54,968 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:54,968 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:47:54,968 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:55,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4084
2020-06-30 13:47:57,015 [lib.api.process] INFO: Successfully resumed process with pid 4084
2020-06-30 13:47:57,625 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:47:57,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:47:57,640 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:47:57,640 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4084 at 0x72fd0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-30 13:47:57,640 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Account details.exe".
2020-06-30 13:47:57,687 [root] INFO: Loaded monitor into process with pid 4084
2020-06-30 13:47:57,703 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:57,703 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:57,703 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:57,703 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:57,703 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4084, handle 0xd4.
2020-06-30 13:47:57,734 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:47:57,734 [root] DEBUG: set_caller_info: Adding region at 0x01FD0000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 13:47:57,750 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1fd0000
2020-06-30 13:47:57,750 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01FD0000 size 0x400000.
2020-06-30 13:47:57,750 [root] DEBUG: DumpPEsInRange: Scanning range 0x1fd0000 - 0x1fd1000.
2020-06-30 13:47:57,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1fd0000-0x1fd1000.
2020-06-30 13:47:57,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\4084_139961480457721372020 (size 0xffe)
2020-06-30 13:47:57,906 [root] DEBUG: DumpRegion: Dumped stack region from 0x01FD0000, size 0x1000.
2020-06-30 13:47:58,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\4084_82041189657721372020 (size 0x958e)
2020-06-30 13:47:58,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0xa000.
2020-06-30 13:47:58,046 [root] DEBUG: set_caller_info: Adding region at 0x00550000 to caller regions list (ntdll::memcpy).
2020-06-30 13:47:58,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\4084_121585508658721372020 (size 0x1a)
2020-06-30 13:47:58,093 [root] DEBUG: DumpRegion: Dumped stack region from 0x00550000, size 0x1000.
2020-06-30 13:47:58,109 [root] INFO: Announced 32-bit process name: Account details.exe pid: 2672
2020-06-30 13:47:58,109 [lib.api.process] INFO: Monitor config for process 2672: C:\tmp558c2t_g\dll\2672.ini
2020-06-30 13:47:58,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\EVkepc.dll, loader C:\tmp558c2t_g\bin\SZlwDYo.exe
2020-06-30 13:47:58,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:47:58,156 [root] DEBUG: Loader: Injecting process 2672 (thread 1380) with C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,156 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:47:58,156 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,156 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:47:58,156 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,171 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2672
2020-06-30 13:47:58,171 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:47:58,203 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-30 13:47:58,203 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\Account details.exe" .
2020-06-30 13:47:58,218 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2672, ImageBase: 0x00400000
2020-06-30 13:47:58,234 [root] INFO: Announced 32-bit process name: Account details.exe pid: 2672
2020-06-30 13:47:58,234 [lib.api.process] INFO: Monitor config for process 2672: C:\tmp558c2t_g\dll\2672.ini
2020-06-30 13:47:58,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\EVkepc.dll, loader C:\tmp558c2t_g\bin\SZlwDYo.exe
2020-06-30 13:47:58,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:47:58,281 [root] DEBUG: Loader: Injecting process 2672 (thread 1380) with C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,281 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:47:58,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,281 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:47:58,281 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2672
2020-06-30 13:47:58,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c amd local view 0x03D90000 to global list.
2020-06-30 13:47:58,296 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11c to target process 2672.
2020-06-30 13:47:58,296 [root] INFO: Announced 32-bit process name: Account details.exe pid: 2672
2020-06-30 13:47:58,296 [lib.api.process] INFO: Monitor config for process 2672: C:\tmp558c2t_g\dll\2672.ini
2020-06-30 13:47:58,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\EVkepc.dll, loader C:\tmp558c2t_g\bin\SZlwDYo.exe
2020-06-30 13:47:58,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:47:58,328 [root] DEBUG: Loader: Injecting process 2672 (thread 0) with C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,328 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1380, handle 0xbc
2020-06-30 13:47:58,328 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:47:58,328 [root] DEBUG: InjectDllViaIAT: Executable DOS header zero.
2020-06-30 13:47:58,343 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,343 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2672
2020-06-30 13:47:58,343 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000A20E0 (process 2672).
2020-06-30 13:47:58,343 [root] INFO: Announced 32-bit process name: Account details.exe pid: 2672
2020-06-30 13:47:58,343 [lib.api.process] INFO: Monitor config for process 2672: C:\tmp558c2t_g\dll\2672.ini
2020-06-30 13:47:58,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\EVkepc.dll, loader C:\tmp558c2t_g\bin\SZlwDYo.exe
2020-06-30 13:47:58,375 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:47:58,375 [root] DEBUG: Loader: Injecting process 2672 (thread 1380) with C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,375 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:47:58,390 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,390 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:47:58,390 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EVkepc.dll.
2020-06-30 13:47:58,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2672
2020-06-30 13:47:58,390 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 13:47:58,390 [root] DEBUG: DumpProcess: Module entry point VA is 0x000A20E0.
2020-06-30 13:47:58,453 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2fe00.
2020-06-30 13:47:58,453 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-06-30 13:47:58,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:47:58,453 [root] DEBUG: DumpSectionViewsForPid: Shared section view found with pid 2672, local address 0x03D90000.
2020-06-30 13:47:58,453 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3d90000
2020-06-30 13:47:58,468 [root] DEBUG: DumpSectionViewsForPid: Dumping PE image from shared section view, local address 0x03D90000.
2020-06-30 13:47:58,468 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:47:58,468 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03D90000.
2020-06-30 13:47:58,468 [root] DEBUG: DumpProcess: Module entry point VA is 0x000A20E0.
2020-06-30 13:47:58,468 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2020-06-30 13:47:58,484 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2fe00.
2020-06-30 13:47:58,484 [root] DEBUG: DumpSectionViewsForPid: Dumped PE image from shared section view.
2020-06-30 13:47:58,500 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d90001-0x3e34000.
2020-06-30 13:47:58,500 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4084
2020-06-30 13:47:58,500 [root] DEBUG: GetHookCallerBase: thread 4292 (handle 0x0), return address 0x003F0102, allocation base 0x003F0000.
2020-06-30 13:47:58,500 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-30 13:47:58,500 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:47:58,500 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 13:47:58,500 [root] DEBUG: DumpProcess: Module entry point VA is 0x000921F0.
2020-06-30 13:47:58,531 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:47:58,531 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:47:58,531 [root] INFO: Disabling sleep skipping.
2020-06-30 13:47:58,531 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:47:58,546 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2672 at 0x72fd0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-30 13:47:58,546 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Account details.exe".
2020-06-30 13:47:58,609 [root] INFO: Loaded monitor into process with pid 2672
2020-06-30 13:47:58,640 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xee800.
2020-06-30 13:47:58,656 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\mscoree (0x4a000 bytes).
2020-06-30 13:47:58,656 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-06-30 13:47:58,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x70CE0000 to global list.
2020-06-30 13:47:58,687 [root] DEBUG: DLL loaded at 0x70CE0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-30 13:47:58,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x72F30000 to global list.
2020-06-30 13:47:58,750 [root] DEBUG: DLL loaded at 0x72F30000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-30 13:47:58,781 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:47:58,781 [root] DEBUG: set_caller_info: Adding region at 0x01F00000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:47:58,796 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1f00000
2020-06-30 13:47:58,812 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01F00000 size 0x400000.
2020-06-30 13:47:58,812 [root] DEBUG: DumpPEsInRange: Scanning range 0x1f00000 - 0x1f7f000.
2020-06-30 13:47:58,828 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1f00000-0x1f7f000.
2020-06-30 13:47:59,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_4790195558721372020 (size 0x50692)
2020-06-30 13:47:59,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x01F00000, size 0x7f000.
2020-06-30 13:47:59,046 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00090000.
2020-06-30 13:47:59,046 [root] DEBUG: set_caller_info: Adding region at 0x004B0000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:47:59,062 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x004B0000.
2020-06-30 13:47:59,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x732A0000 for section view with handle 0xd8.
2020-06-30 13:47:59,093 [root] DEBUG: DLL loaded at 0x732A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:47:59,093 [root] DEBUG: DLL unloaded from 0x75E80000.
2020-06-30 13:47:59,109 [root] DEBUG: DLL loaded at 0x72600000: C:\Windows\system32\sxs (0x5f000 bytes).
2020-06-30 13:47:59,953 [root] DEBUG: DLL loaded at 0x72F20000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-30 13:48:00,125 [root] DEBUG: DLL loaded at 0x750D0000: C:\Windows\syswow64\SHELL32 (0xc4c000 bytes).
2020-06-30 13:48:00,312 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\iphlpapi (0x1c000 bytes).
2020-06-30 13:48:00,328 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-30 13:48:00,343 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-30 13:48:00,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 amd local view 0x72D80000 to global list.
2020-06-30 13:48:00,406 [root] DEBUG: DLL loaded at 0x72D80000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\Gdiplus (0x192000 bytes).
2020-06-30 13:48:00,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70C50000 for section view with handle 0x108.
2020-06-30 13:48:00,812 [root] DEBUG: DLL loaded at 0x70C50000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2020-06-30 13:48:04,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x72D60000 to global list.
2020-06-30 13:48:04,359 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec (0x13000 bytes).
2020-06-30 13:48:04,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76740000 for section view with handle 0x110.
2020-06-30 13:48:04,375 [root] DEBUG: DLL loaded at 0x76740000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2020-06-30 13:48:04,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76770000 for section view with handle 0x110.
2020-06-30 13:48:04,406 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-30 13:48:04,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x762F0000 for section view with handle 0x110.
2020-06-30 13:48:04,453 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-30 13:48:04,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 amd local view 0x70BC0000 to global list.
2020-06-30 13:48:04,468 [root] DEBUG: DLL loaded at 0x70BC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\COMCTL32 (0x84000 bytes).
2020-06-30 13:48:04,468 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2672, handle 0x128.
2020-06-30 13:48:04,515 [root] DEBUG: DLL loaded at 0x70B40000: C:\Windows\system32\RichEd20 (0x76000 bytes).
2020-06-30 13:48:04,531 [root] DEBUG: DLL unloaded from 0x70B40000.
2020-06-30 13:48:04,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 amd local view 0x03D60000 to global list.
2020-06-30 13:48:04,609 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:48:04,609 [root] DEBUG: DLL unloaded from 0x70CE0000.
2020-06-30 13:48:04,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x12c amd local view 0x70AC0000 to global list.
2020-06-30 13:48:04,765 [root] DEBUG: DLL loaded at 0x70AC0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks (0xf8000 bytes).
2020-06-30 13:48:04,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72D50000 for section view with handle 0x12c.
2020-06-30 13:48:04,953 [root] DEBUG: DLL loaded at 0x72D50000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture (0x8000 bytes).
2020-06-30 13:48:04,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70A60000 for section view with handle 0x130.
2020-06-30 13:48:04,968 [root] DEBUG: DLL loaded at 0x70A60000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-30 13:48:05,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x134 amd local view 0x70A00000 to global list.
2020-06-30 13:48:05,031 [root] DEBUG: DLL loaded at 0x70A00000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc (0x55000 bytes).
2020-06-30 13:48:05,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x140 amd local view 0x01EE0000 to global list.
2020-06-30 13:48:05,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x148 amd local view 0x01EF0000 to global list.
2020-06-30 13:48:05,437 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:05,484 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:48:05,484 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:05,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x6FF00000 to global list.
2020-06-30 13:48:05,562 [root] DEBUG: DLL loaded at 0x6FF00000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-30 13:48:05,703 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-30 13:48:05,718 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-30 13:48:05,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x03750000 to global list.
2020-06-30 13:48:05,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03770000 for section view with handle 0x208.
2020-06-30 13:48:05,890 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:48:05,906 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:48:06,156 [root] DEBUG: set_caller_info: Adding region at 0x06450000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:48:06,171 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x645ffff
2020-06-30 13:48:06,171 [root] DEBUG: DumpMemory: Nothing to dump at 0x06450000!
2020-06-30 13:48:06,171 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06450000 size 0x10000.
2020-06-30 13:48:06,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x6450000 - 0x645d000.
2020-06-30 13:48:06,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6450000-0x645d000.
2020-06-30 13:48:06,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_3328641386821372020 (size 0xce7a)
2020-06-30 13:48:06,265 [root] DEBUG: DumpRegion: Dumped stack region from 0x06450000, size 0xd000.
2020-06-30 13:48:06,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x6F2C0000 to global list.
2020-06-30 13:48:06,328 [root] DEBUG: DLL loaded at 0x6F2C0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-30 13:48:06,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x6FD70000 to global list.
2020-06-30 13:48:06,343 [root] DEBUG: DLL loaded at 0x6FD70000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-30 13:48:06,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E6E0000 for section view with handle 0x210.
2020-06-30 13:48:06,375 [root] DEBUG: DLL loaded at 0x6E6E0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-30 13:48:06,625 [root] DEBUG: set_caller_info: Adding region at 0x035C0000 to caller regions list (ntdll::memcpy).
2020-06-30 13:48:06,625 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x035C0000.
2020-06-30 13:48:06,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x037D0000 for section view with handle 0x210.
2020-06-30 13:48:06,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x037E0000 to global list.
2020-06-30 13:48:06,890 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 13:48:08,406 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x6E540000 to global list.
2020-06-30 13:48:08,406 [root] DEBUG: DLL loaded at 0x6E540000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-30 13:48:20,484 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:48:20,500 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-30 13:48:20,515 [root] DEBUG: DLL loaded at 0x75DE0000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-30 13:48:20,531 [root] DEBUG: DLL loaded at 0x6FD30000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-30 13:48:20,562 [root] DEBUG: DLL loaded at 0x6FCD0000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-30 13:48:20,593 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-30 13:48:20,609 [root] INFO: Stopping WMI Service
2020-06-30 13:48:28,750 [root] INFO: Stopped WMI Service
2020-06-30 13:48:29,640 [lib.api.process] INFO: Monitor config for process 588: C:\tmp558c2t_g\dll\588.ini
2020-06-30 13:48:29,656 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ExRAFvc.dll, loader C:\tmp558c2t_g\bin\mHwwYmMg.exe
2020-06-30 13:48:29,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:48:29,703 [root] DEBUG: Loader: Injecting process 588 (thread 0) with C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:48:29,703 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 592, handle 0xa4
2020-06-30 13:48:29,703 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-30 13:48:29,703 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-30 13:48:29,718 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:48:29,734 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:48:29,750 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:48:29,765 [root] INFO: Disabling sleep skipping.
2020-06-30 13:48:29,765 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 588 at 0x000000006E440000, image base 0x00000000FF500000, stack from 0x0000000000566000-0x0000000000570000
2020-06-30 13:48:29,765 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-06-30 13:48:29,875 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:48:29,875 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:48:29,921 [root] INFO: Loaded monitor into process with pid 588
2020-06-30 13:48:29,937 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:48:29,953 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:48:29,968 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:48:31,968 [root] INFO: Starting WMI Service
2020-06-30 13:48:32,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2416, handle 0x5f4.
2020-06-30 13:48:34,156 [root] INFO: Started WMI Service
2020-06-30 13:48:34,171 [lib.api.process] INFO: Monitor config for process 2416: C:\tmp558c2t_g\dll\2416.ini
2020-06-30 13:48:34,249 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ExRAFvc.dll, loader C:\tmp558c2t_g\bin\mHwwYmMg.exe
2020-06-30 13:48:34,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:48:34,281 [root] DEBUG: Loader: Injecting process 2416 (thread 0) with C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:48:34,281 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:48:34,296 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:48:34,312 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:48:34,312 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:48:34,312 [root] INFO: Disabling sleep skipping.
2020-06-30 13:48:34,328 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 2416 at 0x000000006E440000, image base 0x00000000FF500000, stack from 0x0000000000EB6000-0x0000000000EC0000
2020-06-30 13:48:34,328 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-30 13:48:34,390 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:48:34,406 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:48:34,421 [root] INFO: Loaded monitor into process with pid 2416
2020-06-30 13:48:34,421 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:48:34,421 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:48:34,421 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:48:36,468 [root] DEBUG: DLL loaded at 0x6FCC0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-30 13:48:36,484 [root] DEBUG: DLL loaded at 0x6E3D0000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-30 13:48:36,718 [root] DEBUG: DLL loaded at 0x6FCA0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:48:37,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2dc amd local view 0x06B50000 to global list.
2020-06-30 13:48:37,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2e0 amd local view 0x6E2C0000 to global list.
2020-06-30 13:48:37,843 [root] DEBUG: DLL loaded at 0x6E2C0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni (0x106000 bytes).
2020-06-30 13:48:37,921 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:38,109 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:38,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x32c amd local view 0x6E2A0000 to global list.
2020-06-30 13:48:38,218 [root] DEBUG: DLL loaded at 0x6E2A0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x1e000 bytes).
2020-06-30 13:48:38,249 [root] DEBUG: set_caller_info: Adding region at 0x06AE0000 to caller regions list (ole32::CoCreateInstance).
2020-06-30 13:48:38,281 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6aeffff
2020-06-30 13:48:38,281 [root] DEBUG: DumpMemory: Nothing to dump at 0x06AE0000!
2020-06-30 13:48:38,296 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06AE0000 size 0x10000.
2020-06-30 13:48:38,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x6ae0000 - 0x6ae3000.
2020-06-30 13:48:38,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6ae0000-0x6ae3000.
2020-06-30 13:48:38,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_1716212488381021372020 (size 0x2164)
2020-06-30 13:48:38,375 [root] DEBUG: DumpRegion: Dumped stack region from 0x06AE0000, size 0x3000.
2020-06-30 13:48:38,468 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:51,812 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:48:51,828 [root] DEBUG: set_caller_info: Adding region at 0x06AF0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-30 13:48:51,828 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6afffff
2020-06-30 13:48:51,828 [root] DEBUG: DumpMemory: Nothing to dump at 0x06AF0000!
2020-06-30 13:48:51,828 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06AF0000 size 0x10000.
2020-06-30 13:48:51,843 [root] DEBUG: DumpPEsInRange: Scanning range 0x6af0000 - 0x6af1000.
2020-06-30 13:48:51,843 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6af0000-0x6af1000.
2020-06-30 13:48:51,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_173353510011621372020 (size 0x235)
2020-06-30 13:48:51,953 [root] DEBUG: DumpRegion: Dumped stack region from 0x06AF0000, size 0x1000.
2020-06-30 13:48:51,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x394 amd local view 0x06B00000 to global list.
2020-06-30 13:48:51,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x390 amd local view 0x06B00000 to global list.
2020-06-30 13:48:59,968 [root] DEBUG: set_caller_info: Adding region at 0x067F0000 to caller regions list (kernel32::SetErrorMode).
2020-06-30 13:49:00,000 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x67fffff
2020-06-30 13:49:00,000 [root] DEBUG: DumpMemory: Nothing to dump at 0x067F0000!
2020-06-30 13:49:00,015 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x067F0000 size 0x10000.
2020-06-30 13:49:00,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x67f0000 - 0x67f4000.
2020-06-30 13:49:00,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x67f0000-0x67f4000.
2020-06-30 13:49:00,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_1145570423301721372020 (size 0x37df)
2020-06-30 13:49:00,093 [root] DEBUG: DumpRegion: Dumped stack region from 0x067F0000, size 0x4000.
2020-06-30 13:49:00,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x041D0000 for section view with handle 0x390.
2020-06-30 13:49:00,718 [root] DEBUG: set_caller_info: Adding region at 0x06800000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 13:49:00,718 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x680ffff
2020-06-30 13:49:00,718 [root] DEBUG: DumpMemory: Nothing to dump at 0x06800000!
2020-06-30 13:49:00,718 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x06800000 size 0x10000.
2020-06-30 13:49:00,734 [root] DEBUG: DumpPEsInRange: Scanning range 0x6800000 - 0x6805000.
2020-06-30 13:49:00,734 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6800000-0x6805000.
2020-06-30 13:49:00,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ouJBLas\CAPE\2672_1811903910301721372020 (size 0x40df)
2020-06-30 13:49:00,796 [root] DEBUG: DumpRegion: Dumped stack region from 0x06800000, size 0x5000.
2020-06-30 13:49:01,718 [root] DEBUG: DLL loaded at 0x6E270000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2020-06-30 13:49:01,765 [root] DEBUG: DLL loaded at 0x6E250000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2020-06-30 13:49:01,812 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2672.
2020-06-30 13:49:01,812 [root] DEBUG: DLL loaded at 0x6E220000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2020-06-30 13:49:01,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3c0 amd local view 0x067A0000 to global list.
2020-06-30 13:49:02,234 [root] DEBUG: DLL loaded at 0x6FC90000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-30 13:49:02,249 [root] DEBUG: DLL loaded at 0x000007FEF6790000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-06-30 13:49:02,249 [root] DEBUG: DLL unloaded from 0x764D0000.
2020-06-30 13:49:02,281 [root] DEBUG: DLL loaded at 0x000007FEFAD80000: C:\Windows\system32\ATL (0x19000 bytes).
2020-06-30 13:49:02,343 [root] DEBUG: DLL loaded at 0x000007FEF6700000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-06-30 13:49:02,437 [root] DEBUG: DLL loaded at 0x000007FEFA440000: C:\Windows\system32\samcli (0x14000 bytes).
2020-06-30 13:49:02,515 [root] DEBUG: DLL loaded at 0x000007FEFB520000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-06-30 13:49:02,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 amd local view 0x0000000001290000 to global list.
2020-06-30 13:49:02,734 [root] DEBUG: DLL unloaded from 0x000007FEF6700000.
2020-06-30 13:49:04,296 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-30 13:49:04,296 [lib.api.process] INFO: Monitor config for process 472: C:\tmp558c2t_g\dll\472.ini
2020-06-30 13:49:04,296 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ExRAFvc.dll, loader C:\tmp558c2t_g\bin\mHwwYmMg.exe
2020-06-30 13:49:04,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:49:04,328 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:04,328 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:49:04,328 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:49:04,343 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:49:04,343 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:49:04,343 [root] INFO: Disabling sleep skipping.
2020-06-30 13:49:04,343 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 472 at 0x000000006E440000, image base 0x00000000FFF50000, stack from 0x0000000001146000-0x0000000001150000
2020-06-30 13:49:04,343 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-06-30 13:49:04,390 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:49:04,390 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:49:04,421 [root] INFO: Loaded monitor into process with pid 472
2020-06-30 13:49:04,421 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:49:04,468 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:49:04,468 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,546 [root] INFO: Announced 64-bit process name: lsass.exe pid: 3864
2020-06-30 13:49:05,546 [lib.api.process] INFO: Monitor config for process 3864: C:\tmp558c2t_g\dll\3864.ini
2020-06-30 13:49:05,640 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ExRAFvc.dll, loader C:\tmp558c2t_g\bin\mHwwYmMg.exe
2020-06-30 13:49:05,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:49:05,734 [root] DEBUG: Loader: Injecting process 3864 (thread 2440) with C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,828 [root] DEBUG: Process image base: 0x00000000FFDB0000
2020-06-30 13:49:05,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:49:05,875 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,875 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3864
2020-06-30 13:49:05,875 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-30 13:49:05,890 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3864, ImageBase: 0x00000000FFDB0000
2020-06-30 13:49:05,890 [root] INFO: Announced 64-bit process name: lsass.exe pid: 3864
2020-06-30 13:49:05,890 [lib.api.process] INFO: Monitor config for process 3864: C:\tmp558c2t_g\dll\3864.ini
2020-06-30 13:49:05,890 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\ExRAFvc.dll, loader C:\tmp558c2t_g\bin\mHwwYmMg.exe
2020-06-30 13:49:05,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\oSqtImjyKb.
2020-06-30 13:49:05,906 [root] DEBUG: Loader: Injecting process 3864 (thread 2440) with C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,906 [root] DEBUG: Process image base: 0x00000000FFDB0000
2020-06-30 13:49:05,937 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:05,937 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:49:05,984 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\ExRAFvc.dll.
2020-06-30 13:49:06,031 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3864
2020-06-30 13:49:06,031 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3864.
2020-06-30 13:49:06,093 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:49:06,093 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:49:06,171 [root] INFO: Disabling sleep skipping.
2020-06-30 13:49:06,171 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:49:06,171 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3864 at 0x000000006E440000, image base 0x00000000FFDB0000, stack from 0x0000000000244000-0x0000000000250000
2020-06-30 13:49:06,171 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-06-30 13:49:06,203 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:49:06,203 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:49:06,234 [root] INFO: Loaded monitor into process with pid 3864
2020-06-30 13:49:32,203 [root] DEBUG: DLL unloaded from 0x000007FEFD2B0000.
2020-06-30 13:49:36,078 [root] INFO: Process with pid 3864 has terminated
2020-06-30 13:49:36,281 [root] DEBUG: set_caller_info: Adding region at 0x04150000 to caller regions list (shell32::SHGetFolderPathW).
2020-06-30 13:49:36,281 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x415ffff
2020-06-30 13:49:36,281 [root] DEBUG: DumpMemory: Nothing to dump at 0x04150000!
2020-06-30 13:49:36,281 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x04150000 size 0x10000.
2020-06-30 13:49:36,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x4150000 - 0x4151000.
2020-06-30 13:49:36,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4150000-0x4151000.
2020-06-30 13:49:36,437 [root] DEBUG: DLL unloaded from 0x72D50000.
2020-06-30 13:51:18,000 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:51:18,000 [lib.api.process] ERROR: Failed to open terminate event for pid 4084
2020-06-30 13:51:18,000 [root] INFO: Terminate event set for process 4084.
2020-06-30 13:51:18,000 [lib.api.process] INFO: Terminate event set for process 2672
2020-06-30 13:51:18,031 [root] DEBUG: Terminate Event: Attempting to dump process 2672
2020-06-30 13:51:18,046 [lib.api.process] INFO: Termination confirmed for process 2672
2020-06-30 13:51:18,046 [root] INFO: Terminate event set for process 2672.
2020-06-30 13:51:18,046 [lib.api.process] INFO: Terminate event set for process 588
2020-06-30 13:51:18,046 [root] DEBUG: Terminate Event: Attempting to dump process 588
2020-06-30 13:51:18,046 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-30 13:51:18,062 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:51:18,109 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-30 13:51:18,125 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-30 13:51:18,437 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 13:51:18,453 [lib.api.process] INFO: Termination confirmed for process 588
2020-06-30 13:51:18,453 [root] INFO: Terminate event set for process 588.
2020-06-30 13:51:18,453 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 588
2020-06-30 13:51:18,453 [lib.api.process] INFO: Terminate event set for process 2416
2020-06-30 13:51:18,453 [lib.api.process] INFO: Termination confirmed for process 2416
2020-06-30 13:51:18,453 [root] INFO: Terminate event set for process 2416.
2020-06-30 13:51:18,468 [lib.api.process] INFO: Terminate event set for process 472
2020-06-30 13:51:18,484 [root] DEBUG: Terminate Event: Attempting to dump process 472
2020-06-30 13:51:18,500 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFF50000.
2020-06-30 13:51:18,515 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:51:18,515 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFF50000.
2020-06-30 13:51:18,515 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000001331C.
2020-06-30 13:51:18,656 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x50000.
2020-06-30 13:51:18,671 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 472
2020-06-30 13:51:18,671 [lib.api.process] INFO: Termination confirmed for process 472
2020-06-30 13:51:18,671 [root] INFO: Terminate event set for process 472.
2020-06-30 13:51:18,671 [root] INFO: Created shutdown mutex.
2020-06-30 13:51:19,671 [root] INFO: Shutting down package.
2020-06-30 13:51:19,671 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:51:19,906 [lib.common.results] WARNING: File C:\ouJBLas\bin\procmon.xml doesn't exist anymore
2020-06-30 13:51:19,906 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:51:19,906 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:51:19,906 [root] WARNING: Folder at path "C:\ouJBLas\debugger" does not exist, skip.
2020-06-30 13:51:19,937 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_3 win7x64_7 KVM 2020-06-30 13:53:09 2020-06-30 13:59:21

File Details

File Name Account details.exe
File Size 973312 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 1992-06-19 22:22:17
MD5 7e68ae591116e242bbbbd2557217cabe
SHA1 17400cce304f181e3f6b9f64c98709edb2e682b6
SHA256 78786a5ff2dbc771a4d1798bfbf2ebc0477b9db30af86b19ee17c8f17fef709e
SHA512 40b211dc7b9117c740b6460ddeea60f555a61406cb949da3ed5d91f763bea0b8bea35a5bae2c5e559f8bd5a51db01d4472f992548efeca5ec9239569117fe4f1
CRC32 1B8E1592
Ssdeep 12288:G1JUuXUn6wUN4KSgqJ6wWska30/jgrTfz8BYnKFvkpzoMTK9tzxbz/Uxo10GFgBQ:OOPXUWD6wEc0bp8RoMTKTNwo10d6DUzI
Download Download ZIP Resubmit sample

Signatures

Behavioural detection: Executable code extraction - unpacking
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 4084 trigged the Yara rule 'shellcode_patterns'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: Account details.exe, PID 4084
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: Account details.exe tried to sleep 278.75 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExA
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/AnimateWindow
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoAddRefServerProcess
DynamicLoader: ole32.dll/CoReleaseServerProcess
DynamicLoader: ole32.dll/CoResumeClassObjects
DynamicLoader: ole32.dll/CoSuspendClassObjects
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/FlushInstructionCache
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/FindResourceW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/CreateEventExW
DynamicLoader: kernel32.dll/CreateSemaphoreExW
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/CreateThreadpoolTimer
DynamicLoader: kernel32.dll/SetThreadpoolTimer
DynamicLoader: kernel32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: kernel32.dll/CloseThreadpoolTimer
DynamicLoader: kernel32.dll/CreateThreadpoolWait
DynamicLoader: kernel32.dll/SetThreadpoolWait
DynamicLoader: kernel32.dll/CloseThreadpoolWait
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: kernel32.dll/GetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetLogicalProcessorInformation
DynamicLoader: kernel32.dll/CreateSymbolicLinkW
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: kernel32.dll/EnumSystemLocalesEx
DynamicLoader: kernel32.dll/CompareStringEx
DynamicLoader: kernel32.dll/GetDateFormatEx
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/GetTimeFormatEx
DynamicLoader: kernel32.dll/GetUserDefaultLocaleName
DynamicLoader: kernel32.dll/IsValidLocaleName
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: kernel32.dll/GetFileInformationByHandleExW
DynamicLoader: kernel32.dll/SetFileInformationByHandleW
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/ProcessIdToSessionId
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: ntdll.dll/ZwCreateSection
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorImageUnloading
DynamicLoader: mscoree.dll/_CorValidateImage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: mscoree.dll/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetModuleHandle
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: kernel32.dll/LoadLibrary
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: kernel32.dll/ZeroMemory
DynamicLoader: kernel32.dll/ZeroMemoryA
DynamicLoader: kernel32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/GetComputerName
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/FindNextFile
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: sxs.dll/SxsLookupClrGuid
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: sxs.dll/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: sxs.dll/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: Culture.dll/ConvertLangIdToCultureName
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
CAPE extracted potentially suspicious content
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Injected PE Image: 32-bit executable
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Account details.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: CODE, entropy: 6.55, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00091400, virtual_size: 0x00091238
unknown section: name: DATA, entropy: 4.26, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000ea00, virtual_size: 0x0000e8dc
unknown section: name: BSS, entropy: 0.00, characteristics: IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00000d4d
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.33, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00040c00, virtual_size: 0x00040ac0
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\Account details.exe
Behavioural detection: Injection (Process Hollowing)
Injection: Account details.exe(4084) -> Account details.exe(2672)
Executed a process and injected code into it, probably while unpacking
Injection: Account details.exe(4084) -> Account details.exe(2672)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: NtCreateSection, type: modification
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: Account details.exe (2672) called API NtYieldExecution 10549 times
Spam: services.exe (472) called API GetSystemTimeAsFileTime 1134668 times
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
Network activity detected but not expressed in API logs
File has been identified by 28 Antiviruses on VirusTotal as malicious
Bkav: W32.AIDetectVM.malware2
MicroWorld-eScan: Trojan.Delf.FareIt.Gen.4
FireEye: Generic.mg.7e68ae591116e242
Qihoo-360: HEUR/QVM05.1.40EA.Malware.Gen
BitDefender: Trojan.Delf.FareIt.Gen.4
Cybereason: malicious.e304f1
BitDefenderTheta: Gen:[email protected]!sni
ESET-NOD32: a variant of Win32/GenKryptik.ENJN
APEX: Malicious
GData: Trojan.Delf.FareIt.Gen.4
Kaspersky: UDS:DangerousObject.Multi.Generic
Ad-Aware: Trojan.Delf.FareIt.Gen.4
Invincea: heuristic
Emsisoft: Trojan.Delf.FareIt.Gen.4 (B)
Ikarus: Win32.Outbreak
MAX: malware (ai score=87)
Endgame: malicious (high confidence)
Arcabit: Trojan.Delf.FareIt.Gen.4
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: Trojan:Win32/Wacatac.C!ml
Acronis: suspicious
VBA32: BScope.TrojanSpy.Swotter
ALYac: Trojan.Delf.FareIt.Gen.4
Rising: [email protected] (RDML:e6mqPHHTUk+Hod6fOLoFEQ)
eGambit: Unsafe.AI_Score_99%
Fortinet: W32/Injector.EEHO!tr
Paloalto: generic.ml
CrowdStrike: win/malicious_confidence_70% (D)
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file: C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.145.123.29 [VT] United Kingdom
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\Account details.ENU
C:\Users\Louise\AppData\Local\Temp\Account details.ENU.DLL
C:\Users\Louise\AppData\Local\Temp\Account details.EN
C:\Users\Louise\AppData\Local\Temp\Account details.EN.DLL
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Users\Louise\AppData\Local\Temp\Account details.exe.config
C:\Users\Louise\AppData\Local\Temp\Account details.exe
C:\Users\Louise\AppData\Local\Temp\Account details.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Users\Louise\AppData\Local\Temp\Account details.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\sxs.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\shfolder.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\user32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\iphlpapi.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\advapi32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\OLEAUT32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\oleaut32.dll
C:\%insfolder%\%insname%
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Local\CocCoc\Browser\User Data
C:\Users\Louise\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Louise\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Louise\AppData\Local\Elements Browser\User Data
C:\Users\Louise\AppData\Local\7Star\7Star\User Data
C:\Users\Louise\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Louise\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Louise\AppData\Local\Kometa\User Data
C:\Users\Louise\AppData\Local\Torch\User Data
C:\Users\Louise\AppData\Local\QIP Surf\User Data
C:\Users\Louise\AppData\Local\Orbitum\User Data
C:\Users\Louise\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Louise\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Louise\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Louise\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Louise\AppData\Local\CentBrowser\User Data
C:\Users\Louise\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Louise\AppData\Local\Iridium\User Data
C:\Users\Louise\AppData\Local\Comodo\Dragon\User Data
C:\Users\Louise\AppData\Local\Coowon\Coowon\User Data
C:\Users\Louise\AppData\Local\Amigo\User Data
C:\Users\Louise\AppData\Local\Chedot\User Data
C:\Users\Louise\AppData\Local\liebao\User Data
C:\Users\Louise\AppData\Local\Chromium\User Data
C:\Users\Louise\AppData\Local\Vivaldi\User Data
C:\Users\Louise\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Louise\AppData\Roaming\The Bat!
C:\Users\Louise\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\logins.json
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\signons.sqlite
C:\Users\Louise\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Louise\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Louise\AppData\Roaming\K-Meleon\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Louise\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Louise\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\*
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\Louise\AppData\Local\UCBrowser\*
C:\Users\Louise\AppData\Roaming\Pocomail\accounts.ini
C:\Storage\
C:\mail\
C:\Users\Louise\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Louise\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Program Files (x86)\jDownloader\config\database.script
C:\Users\Louise\AppData\Roaming\Postbox\profiles.ini
C:\Users\Louise\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Louise\AppData\Local\Temp\Folder.lst
C:\Users\Louise\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\Users\Louise\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Louise\AppData\Local\Microsoft\Edge\User Data
C:\Users\Louise\AppData\Local\Temp\vaultcli.dll
C:\cftp\Ftplist.txt
C:\Users\Louise\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe
C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\Louise\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Users\Louise\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Louise\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Louise\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Louise\AppData\Roaming\Claws-mail
C:\Users\Louise\AppData\Roaming\Claws-mail\clawsrc
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Users\Louise\AppData\Roaming\Psi\profiles
C:\Users\Louise\AppData\Roaming\Psi+\profiles
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Users\Louise\AppData\Roaming\Mozilla\icecat\profiles.ini
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
C:\Users\Louise\AppData\Local\Temp\Account details.exe.config
C:\Users\Louise\AppData\Local\Temp\Account details.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Louise\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Louise\AppData\Roaming\K-Meleon\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Louise\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Louise\AppData\Roaming\Postbox\profiles.ini
C:\Users\Louise\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Louise\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\Users\Louise\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Louise\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Louise\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Users\Louise\AppData\Roaming\Mozilla\icecat\profiles.ini
\??\PIPE\samr
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
\??\PIPE\samr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2c95c990\373ea991
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorsec.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\Account details.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscordacwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Account details.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Account details.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B412FE29
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorsec.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscordacwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B412FE29
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
ole32.dll.CoCreateInstanceEx
ole32.dll.CoInitializeEx
ole32.dll.CoAddRefServerProcess
ole32.dll.CoReleaseServerProcess
ole32.dll.CoResumeClassObjects
ole32.dll.CoSuspendClassObjects
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
kernel32.dll.GetModuleHandleW
kernel32.dll.VirtualFree
kernel32.dll.LoadLibraryW
kernel32.dll.SizeofResource
kernel32.dll.GetModuleFileNameW
kernel32.dll.CreateFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.FlushInstructionCache
kernel32.dll.GetCurrentProcess
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.VirtualProtect
kernel32.dll.CloseHandle
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.GetProcAddress
kernel32.dll.GetFileSize
kernel32.dll.LCMapStringW
kernel32.dll.LCMapStringA
kernel32.dll.GetStringTypeW
kernel32.dll.GetStringTypeA
kernel32.dll.HeapAlloc
kernel32.dll.GetStartupInfoW
kernel32.dll.DeleteCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.HeapFree
kernel32.dll.HeapReAlloc
kernel32.dll.HeapCreate
kernel32.dll.Sleep
kernel32.dll.ExitProcess
kernel32.dll.WriteFile
kernel32.dll.GetStdHandle
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetCommandLineW
kernel32.dll.SetHandleCount
kernel32.dll.GetFileType
kernel32.dll.GetStartupInfoA
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.InterlockedIncrement
kernel32.dll.SetLastError
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetLastError
kernel32.dll.InterlockedDecrement
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetTickCount
kernel32.dll.GetCurrentProcessId
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.TerminateProcess
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.IsDebuggerPresent
kernel32.dll.RtlUnwind
kernel32.dll.GetCPInfo
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.HeapSize
kernel32.dll.GetLocaleInfoA
kernel32.dll.WideCharToMultiByte
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
psapi.dll.EnumProcessModules
shlwapi.dll.StrStrIW
shlwapi.dll.PathFileExistsW
mscoree.dll._CorExeMain
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll.GetCLRFunction
mscoree.dll.IEE
mscoreei.dll.IEE
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll.IEE
ntdll.dll.ZwCreateSection
kernel32.dll.MapViewOfFile
kernel32.dll.LoadLibraryExW
mscoreei.dll._CorExeMain
mscorwks.dll._CorExeMain
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
mscoree.dll._CorImageUnloading
mscoree.dll._CorValidateImage
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
mscorjit.dll.getJit
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
user32.dll.CallWindowProcW
user32.dll.RegisterWindowMessageW
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
cryptsp.dll.CryptAcquireContextW
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.MkParseDisplayName
oleaut32.dll.#200
oleaut32.dll.#2
oleaut32.dll.#7
oleaut32.dll.#6
kernel32.dll.CreateEventW
kernel32.dll.SwitchToThread
kernel32.dll.SetEvent
ole32.dll.CoWaitForMultipleHandles
ole32.dll.IIDFromString
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
ole32.dll.CoUninitialize
oleaut32.dll.#500
cryptsp.dll.CryptGetHashParam
kernel32.dll.GetEnvironmentVariableW
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
user32.dll.GetLastInputInfo
shfolder.dll.SHGetFolderPathW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
oleaut32.dll.#201
kernel32.dll.ReadFile
oleaut32.dll.#204
oleaut32.dll.#203
kernel32.dll.UnmapViewOfFile
kernel32.dll.FindNextFileW
oleaut32.dll.#179
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsLookupClrGuid
kernel32.dll.ReleaseActCtx
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
oleaut32.dll.#9
oleaut32.dll.#4
vaultcli.dll.VaultEnumerateVaults
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
ole32.dll.OleInitialize
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.I_RpcMapWin32Status
sechost.dll.ConvertSidToStringSidW
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
ole32.dll.CoCreateGuid
"C:\Users\Louise\AppData\Local\Temp\Account details.exe"
C:\Windows\system32\lsass.exe
Global\CLR_CASOFF_MUTEX
VaultSvc

BinGraph Download graph

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x004921f0 0x00000000 0x000f4917 4.0 1992-06-19 22:22:17 175f794d98c9dcb0b47ae1ab1087c22c a681900680711f2f859eb47451e90917 c68702c89570054b3c9ca2561270189c

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00000400 0x00001000 0x00091238 0x00091400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
DATA 0x00091800 0x00093000 0x0000e8dc 0x0000ea00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.26
BSS 0x000a0200 0x000a2000 0x00000d4d 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x000a0200 0x000a3000 0x000024b6 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.86
.tls 0x000a2800 0x000a6000 0x00000018 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x000a2800 0x000a7000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.21
.reloc 0x000a2a00 0x000a8000 0x0000a224 0x0000a400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.62
.rsrc 0x000ace00 0x000b3000 0x00040ac0 0x00040c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 7.33

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_CURSOR 0x000b4848 0x00000134 LANG_NEUTRAL SUBLANG_NEUTRAL 2.92 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_BITMAP 0x000b5fe8 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 2.85 None
RT_ICON 0x000b60d0 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.61 None
RT_DIALOG 0x000b7178 0x00000052 LANG_NEUTRAL SUBLANG_NEUTRAL 2.56 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_STRING 0x000bb85c 0x00000328 LANG_NEUTRAL SUBLANG_NEUTRAL 3.12 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_RCDATA 0x000f3930 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 7.20 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_CURSOR 0x000f3a98 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 2.02 None
RT_GROUP_ICON 0x000f3aac 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.92 None

Imports

0x4a3178 VirtualFree
0x4a317c VirtualAlloc
0x4a3180 LocalFree
0x4a3184 LocalAlloc
0x4a3188 GetVersion
0x4a318c GetCurrentThreadId
0x4a3198 VirtualQuery
0x4a319c WideCharToMultiByte
0x4a31a0 MultiByteToWideChar
0x4a31a4 lstrlenA
0x4a31a8 lstrcpynA
0x4a31ac LoadLibraryExA
0x4a31b0 GetThreadLocale
0x4a31b4 GetStartupInfoA
0x4a31b8 GetProcAddress
0x4a31bc GetModuleHandleA
0x4a31c0 GetModuleFileNameA
0x4a31c4 GetLocaleInfoA
0x4a31c8 GetCommandLineA
0x4a31cc FreeLibrary
0x4a31d0 FindFirstFileA
0x4a31d4 FindClose
0x4a31d8 ExitProcess
0x4a31dc WriteFile
0x4a31e4 RtlUnwind
0x4a31e8 RaiseException
0x4a31ec GetStdHandle
0x4a31f4 GetKeyboardType
0x4a31f8 LoadStringA
0x4a31fc MessageBoxA
0x4a3200 CharNextA
0x4a3208 RegQueryValueExA
0x4a320c RegOpenKeyExA
0x4a3210 RegCloseKey
0x4a3218 SysFreeString
0x4a321c SysReAllocStringLen
0x4a3220 SysAllocStringLen
0x4a3228 TlsSetValue
0x4a322c TlsGetValue
0x4a3230 LocalAlloc
0x4a3234 GetModuleHandleA
0x4a323c RegQueryValueExA
0x4a3240 RegOpenKeyExA
0x4a3244 RegFlushKey
0x4a3248 RegCloseKey
0x4a3250 lstrcpyA
0x4a3254 WriteFile
0x4a325c WaitForSingleObject
0x4a3260 VirtualQuery
0x4a3264 VirtualAlloc
0x4a3268 Sleep
0x4a326c SizeofResource
0x4a3270 SetThreadLocale
0x4a3274 SetFilePointer
0x4a3278 SetEvent
0x4a327c SetErrorMode
0x4a3280 SetEndOfFile
0x4a3284 ResetEvent
0x4a3288 ReadFile
0x4a328c MultiByteToWideChar
0x4a3290 MulDiv
0x4a3294 LockResource
0x4a3298 LoadResource
0x4a329c LoadLibraryA
0x4a32a8 GlobalUnlock
0x4a32ac GlobalReAlloc
0x4a32b0 GlobalHandle
0x4a32b4 GlobalLock
0x4a32b8 GlobalFree
0x4a32bc GlobalFindAtomA
0x4a32c0 GlobalDeleteAtom
0x4a32c4 GlobalAlloc
0x4a32c8 GlobalAddAtomA
0x4a32cc GetVersionExA
0x4a32d0 GetVersion
0x4a32d4 GetTickCount
0x4a32d8 GetThreadLocale
0x4a32dc GetSystemInfo
0x4a32e0 GetStringTypeExA
0x4a32e4 GetStdHandle
0x4a32e8 GetProcAddress
0x4a32ec GetModuleHandleA
0x4a32f0 GetModuleFileNameA
0x4a32f4 GetLocaleInfoA
0x4a32f8 GetLocalTime
0x4a32fc GetLastError
0x4a3300 GetFullPathNameA
0x4a3304 GetDiskFreeSpaceA
0x4a3308 GetDateFormatA
0x4a330c GetCurrentThreadId
0x4a3310 GetCurrentProcessId
0x4a3314 GetCPInfo
0x4a3318 GetACP
0x4a331c FreeResource
0x4a3320 InterlockedExchange
0x4a3324 FreeLibrary
0x4a3328 FormatMessageA
0x4a332c FindResourceA
0x4a3330 FindFirstFileA
0x4a3334 FindClose
0x4a3340 ExitThread
0x4a3344 ExitProcess
0x4a3348 EnumCalendarInfoA
0x4a3354 CreateThread
0x4a3358 CreateFileA
0x4a335c CreateEventA
0x4a3360 CompareStringA
0x4a3364 CloseHandle
0x4a336c VerQueryValueA
0x4a3374 GetFileVersionInfoA
0x4a337c UnrealizeObject
0x4a3380 StretchBlt
0x4a3384 SetWindowOrgEx
0x4a3388 SetWindowExtEx
0x4a338c SetWinMetaFileBits
0x4a3390 SetViewportOrgEx
0x4a3394 SetViewportExtEx
0x4a3398 SetTextColor
0x4a339c SetStretchBltMode
0x4a33a0 SetROP2
0x4a33a4 SetPixel
0x4a33a8 SetMapMode
0x4a33ac SetEnhMetaFileBits
0x4a33b0 SetDIBColorTable
0x4a33b4 SetBrushOrgEx
0x4a33b8 SetBkMode
0x4a33bc SetBkColor
0x4a33c0 SelectPalette
0x4a33c4 SelectObject
0x4a33c8 SelectClipPath
0x4a33cc SaveDC
0x4a33d0 RestoreDC
0x4a33d4 RectVisible
0x4a33d8 RealizePalette
0x4a33dc PolyPolyline
0x4a33e0 PlayEnhMetaFile
0x4a33e4 PatBlt
0x4a33e8 MoveToEx
0x4a33ec MaskBlt
0x4a33f0 LineTo
0x4a33f4 IntersectClipRect
0x4a33f8 GetWindowOrgEx
0x4a33fc GetWinMetaFileBits
0x4a3400 GetTextMetricsA
0x4a340c GetStockObject
0x4a3410 GetPixel
0x4a3414 GetPaletteEntries
0x4a3418 GetObjectA
0x4a3424 GetEnhMetaFileBits
0x4a3428 GetDeviceCaps
0x4a342c GetDIBits
0x4a3430 GetDIBColorTable
0x4a3434 GetDCOrgEx
0x4a343c GetClipBox
0x4a3440 GetBrushOrgEx
0x4a3444 GetBitmapBits
0x4a3448 ExtCreatePen
0x4a344c ExcludeClipRect
0x4a3450 DeleteObject
0x4a3454 DeleteEnhMetaFile
0x4a3458 DeleteDC
0x4a345c CreateSolidBrush
0x4a3460 CreatePenIndirect
0x4a3464 CreatePalette
0x4a346c CreateFontIndirectA
0x4a3470 CreateDIBitmap
0x4a3474 CreateDIBSection
0x4a3478 CreateCompatibleDC
0x4a3480 CreateBrushIndirect
0x4a3484 CreateBitmap
0x4a3488 CopyEnhMetaFileA
0x4a348c BitBlt
0x4a3494 CreateWindowExA
0x4a3498 WindowFromPoint
0x4a349c WinHelpA
0x4a34a0 WaitMessage
0x4a34a4 ValidateRect
0x4a34a8 UpdateWindow
0x4a34ac UnregisterClassA
0x4a34b0 UnionRect
0x4a34b4 UnhookWindowsHookEx
0x4a34b8 TranslateMessage
0x4a34c0 TrackPopupMenu
0x4a34c8 ShowWindow
0x4a34cc ShowScrollBar
0x4a34d0 ShowOwnedPopups
0x4a34d4 ShowCursor
0x4a34d8 SetWindowsHookExA
0x4a34dc SetWindowTextA
0x4a34e0 SetWindowPos
0x4a34e4 SetWindowPlacement
0x4a34e8 SetWindowLongA
0x4a34ec SetTimer
0x4a34f0 SetScrollRange
0x4a34f4 SetScrollPos
0x4a34f8 SetScrollInfo
0x4a34fc SetRect
0x4a3500 SetPropA
0x4a3504 SetParent
0x4a3508 SetMenuItemInfoA
0x4a350c SetMenu
0x4a3510 SetKeyboardState
0x4a3514 SetForegroundWindow
0x4a3518 SetFocus
0x4a351c SetCursor
0x4a3520 SetClipboardData
0x4a3524 SetClassLongA
0x4a3528 SetCapture
0x4a352c SetActiveWindow
0x4a3530 SendMessageA
0x4a3534 ScrollWindowEx
0x4a3538 ScrollWindow
0x4a353c ScreenToClient
0x4a3540 RemovePropA
0x4a3544 RemoveMenu
0x4a3548 ReleaseDC
0x4a354c ReleaseCapture
0x4a3558 RegisterClassA
0x4a355c RedrawWindow
0x4a3560 PtInRect
0x4a3564 PostQuitMessage
0x4a3568 PostMessageA
0x4a356c PeekMessageA
0x4a3570 OpenClipboard
0x4a3574 OffsetRect
0x4a3578 OemToCharA
0x4a357c MessageBoxA
0x4a3580 MessageBeep
0x4a3584 MapWindowPoints
0x4a3588 MapVirtualKeyA
0x4a358c LoadStringA
0x4a3590 LoadKeyboardLayoutA
0x4a3594 LoadIconA
0x4a3598 LoadCursorA
0x4a359c LoadBitmapA
0x4a35a0 KillTimer
0x4a35a4 IsZoomed
0x4a35a8 IsWindowVisible
0x4a35ac IsWindowEnabled
0x4a35b0 IsWindow
0x4a35b4 IsRectEmpty
0x4a35b8 IsIconic
0x4a35bc IsDialogMessageA
0x4a35c0 IsChild
0x4a35c4 IsCharAlphaNumericA
0x4a35c8 IsCharAlphaA
0x4a35cc InvalidateRect
0x4a35d0 IntersectRect
0x4a35d4 InsertMenuItemA
0x4a35d8 InsertMenuA
0x4a35dc InflateRect
0x4a35e4 GetWindowTextA
0x4a35e8 GetWindowRect
0x4a35ec GetWindowPlacement
0x4a35f0 GetWindowLongA
0x4a35f4 GetWindowDC
0x4a35f8 GetTopWindow
0x4a35fc GetSystemMetrics
0x4a3600 GetSystemMenu
0x4a3604 GetSysColorBrush
0x4a3608 GetSysColor
0x4a360c GetSubMenu
0x4a3610 GetScrollRange
0x4a3614 GetScrollPos
0x4a3618 GetScrollInfo
0x4a361c GetPropA
0x4a3620 GetParent
0x4a3624 GetWindow
0x4a3628 GetMessageTime
0x4a362c GetMenuStringA
0x4a3630 GetMenuState
0x4a3634 GetMenuItemInfoA
0x4a3638 GetMenuItemID
0x4a363c GetMenuItemCount
0x4a3640 GetMenu
0x4a3644 GetLastActivePopup
0x4a3648 GetKeyboardState
0x4a3650 GetKeyboardLayout
0x4a3654 GetKeyState
0x4a3658 GetKeyNameTextA
0x4a365c GetIconInfo
0x4a3660 GetForegroundWindow
0x4a3664 GetFocus
0x4a3668 GetDoubleClickTime
0x4a366c GetDlgItem
0x4a3670 GetDesktopWindow
0x4a3674 GetDCEx
0x4a3678 GetDC
0x4a367c GetCursorPos
0x4a3680 GetCursor
0x4a3684 GetClipboardData
0x4a3688 GetClientRect
0x4a368c GetClassNameA
0x4a3690 GetClassInfoA
0x4a3694 GetCaretPos
0x4a3698 GetCapture
0x4a369c GetActiveWindow
0x4a36a0 FrameRect
0x4a36a4 FindWindowA
0x4a36a8 FillRect
0x4a36ac EqualRect
0x4a36b0 EnumWindows
0x4a36b4 EnumThreadWindows
0x4a36bc EndPaint
0x4a36c0 EnableWindow
0x4a36c4 EnableScrollBar
0x4a36c8 EnableMenuItem
0x4a36cc EmptyClipboard
0x4a36d0 DrawTextA
0x4a36d4 DrawMenuBar
0x4a36d8 DrawIconEx
0x4a36dc DrawIcon
0x4a36e0 DrawFrameControl
0x4a36e4 DrawFocusRect
0x4a36e8 DrawEdge
0x4a36ec DispatchMessageA
0x4a36f0 DestroyWindow
0x4a36f4 DestroyMenu
0x4a36f8 DestroyIcon
0x4a36fc DestroyCursor
0x4a3700 DeleteMenu
0x4a3704 DefWindowProcA
0x4a3708 DefMDIChildProcA
0x4a370c DefFrameProcA
0x4a3710 CreatePopupMenu
0x4a3714 CreateMenu
0x4a3718 CreateIcon
0x4a371c CloseClipboard
0x4a3720 ClientToScreen
0x4a3724 CheckMenuItem
0x4a3728 CallWindowProcA
0x4a372c CallNextHookEx
0x4a3730 BeginPaint
0x4a3734 CharNextA
0x4a3738 CharLowerBuffA
0x4a373c CharLowerA
0x4a3740 CharUpperBuffA
0x4a3744 CharToOemA
0x4a3748 AdjustWindowRectEx
0x4a3754 Sleep
0x4a375c SafeArrayPtrOfIndex
0x4a3760 SafeArrayPutElement
0x4a3764 SafeArrayGetElement
0x4a376c SafeArrayAccessData
0x4a3770 SafeArrayGetUBound
0x4a3774 SafeArrayGetLBound
0x4a3778 SafeArrayCreate
0x4a377c VariantChangeType
0x4a3780 VariantCopyInd
0x4a3784 VariantCopy
0x4a3788 VariantClear
0x4a378c VariantInit
0x4a3794 CoUninitialize
0x4a3798 CoInitialize
0x4a37a0 GetErrorInfo
0x4a37a4 SysFreeString
0x4a37b4 ImageList_Write
0x4a37b8 ImageList_Read
0x4a37c8 ImageList_DragMove
0x4a37cc ImageList_DragLeave
0x4a37d0 ImageList_DragEnter
0x4a37d4 ImageList_EndDrag
0x4a37d8 ImageList_BeginDrag
0x4a37dc ImageList_Remove
0x4a37e0 ImageList_DrawEx
0x4a37e4 ImageList_Draw
0x4a37f4 ImageList_Add
0x4a37fc ImageList_Destroy
0x4a3800 ImageList_Create
0x4a3808 GetOpenFileNameA
0x4a3810 MulDiv

This program must be run under Win32
`DATA
.idata
.rdata
P.reloc
P.rsrc
Boolean
False
Smallint
Integer
Cardinal
Int64
Double
Currency
String
WideString
Variant
OleVariantp
TObject|
TObjectp
System
IInterface
System
TInterfacedObject
TBoundArray
System
TDateTime
SVWUQ
Z]_^[
YZ]_^[
w;;t$
SVWUQ
Z]_^[
YZ]_^[
Uh #@
_^[YY]
;= &J
_^[Y]
YZ]_^[
Uhe'@
_^[Y]
C<"u1S
Q<"u8S
,$YXZ
~KxI[)
BkU'9
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
_^[YY]
PPRTj
YZXtp
YZXtm1
ZTUWVSPRTj
t=HtN
Uhz>@
t-Rf;
t f;J
SVWRP
Z_^[X
tVSVWU
t1SVW
t-Rf;
t f;J
SVWUQ
Z]_^[
USVW1
USVW1
kernel32.dll
GetLongPathNameA
Uh%[@
Software\Borland\Locales
Software\Borland\Delphi\Locales
Uh[]@
_^[YY]
FFF;M
^[YY]
odSelected
odGrayed
odDisabled
odChecked
odFocused
odDefault
odHotLight
odInactive
odNoAccel
odNoFocusRect
odReserved1
odReserved2
odComboBoxEdit
Windows
TOwnerDrawState
_^[Y]
_^[Y]
_^[Y]
Magellan MSWHEEL
MouseZ
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
TFileName
EAbort
EHeapException
EOutOfMemory
EInOutError
EExternal
EExternalException
EIntError
EDivByZero
ERangeErrorp{@
EIntOverflow
EMathError
EInvalidOp
EZeroDivide
EOverflow
EUnderflow
EInvalidPointer
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
EOSError
ESafecallException
SysUtils
SysUtils
TThreadLocalCounter
$TMultiReadExclusiveWriteSynchronizer
SWSVj
SVWUQ
Z]_^[
False
_^[Y]
$Z_^[
$Z_^[
^[YY]
<*t"<0r=<9w9i
INFNAN
QS<$t
<'t$<"t
<#t&<0t%<.t,<,t3<'t5<"t1<Et:<et6<;tF
<#t'<0t#<.t
<Et$<et <;tS
_^[YY]
_^[YY]
$YZ_^[
t%HtIHtm
AM/PM
_^[YY]
SVWUQ
$Z]_^[
_^[Y]
QQQQQQSVW3
QQQQQSVW
D$PPj
D$LPj
_^[Y]
_^[YY]
TErrorRec
TExceptRec
t<HtH
$YZ^[
$YZ^[
WUWSj
YZ]_^[
_^[Y]
m/d/yy
mmmm d, yyyy
AMPM
AMPM
:mm:ss
DVCLAL
SVWUQ
Z]_^[
kernel32.dll
GetDiskFreeSpaceExA
SVWUQ
(Z]_^[
SVWUQ
;w$t|
Z]_^[
;F$t=
;C$t4
_^[Y]
oleaut32.dll
VariantChangeTypeEx
VarNeg
VarNot
VarAdd
VarSub
VarMul
VarDiv
VarIdiv
VarMod
VarAnd
VarOr
VarXor
VarCmp
VarI4FromStr
VarR4FromStr
VarR8FromStr
VarDateFromStr
VarCyFromStr
VarBoolFromStr
VarBstrFromCy
VarBstrFromDate
VarBstrFromBool
TCustomVariantType
TCustomVariantType
Variants
TVarDataArray
Variants
TInvokeableVariantType
EVariantInvalidOpError
EVariantTypeCastError
EVariantOverflowError
EVariantInvalidArgError
EVariantBadVarTypeError
EVariantBadIndexError
EVariantArrayLockedError
EVariantArrayCreateError
EVariantNotImplError
EVariantOutOfMemoryError
EVariantUnexpectedErrorP
EVariantDispatchError
EVariantInvalidNullOpError
t?Htb
SVWUQ
Z]_^[
_^[YY]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
_^[Y]
UhU#A
Uh])A
Uhd*A
Uhu+A
QQQQSV
Uh*6A
UhZ7A
Uh#=A
Uh>>A
UhfDA
Uh'IA
UhjJA
QQQQSV
UhtLA
UhDMA
Uh_NA
UhePA
UhxSA
FSVWUQ
Mt0MtU
Z]_^[
Uh3[A
Uhg]A
Uh/bA
Empty
Smallint
Integer
Single
Double
Currency
OleStr
Dispatch
Error
Boolean
Variant
Unknown
Decimal
ShortInt
LongWord
Int64
Uh6fA
String
Array
ByRef
Uh\lA
]_^[]
$YZ]_^[
SVWUQ
Z]_^[
UhGsA
UhavA
Variants
Uh%wA
_^[YY]
_^[Y]
SVWUQ
Z]_^[
Uhk{A
TStringDesc
Variants
t~h((J
_^[Y]
TPublishableVariantType|
EPropertyError
EPropertyConvertError
False
_^[Y]
YZ_^[
_^[Y]
_^[Y]
_^[YY]
$YZ^[
tagEXCEPINFO
TAlignment
taLeftJustify
taRightJustify
taCenter
Classes
TBiDiMode
bdLeftToRight
bdRightToLeft
bdRightToLeftNoAlign
bdRightToLeftReadingOnly
Classes
ssShift
ssAlt
ssCtrl
ssLeft
ssRight
ssMiddle
ssDouble
Classes
TShiftState
THelpContext
THelpType
htKeyword
htContext
Classesh
TShortCut
TNotifyEvent
Sender
TObject
EStreamError
EFileStreamError
EFCreateError
EFOpenErrord
EFilerError
EReadError
EWriteErrorl
EClassNotFound
EResNotFound
EListError
EBitsError
EStringListError
EComponentError
EOutOfResources
EInvalidOperation
TList
TThreadList
TBits
TPersistent
TPersistent\
Classes
TInterfacedPersistent
TInterfacedPersistentL
Classes
TCollectionItem
TCollectionItem
Classes
TCollection
TCollection
Classes
TOwnedCollection
TOwnedCollection
Classes
IStringsAdapter
Classes
TStrings
TStrings
Classes
TStringItem
TStringListX
TStringList
Classes
TStream8
THandleStream
TFileStream$
TCustomMemoryStream
TMemoryStream
TResourceStream
TStreamAdapter
TClassFinder
TFiler
TReader
EThread
TComponentName
IDesignerNotify
Classes
TComponent
TComponent
Classes
NameT
TBasicActionLink
TBasicAction
TBasicAction
Classes
TIdentMapEntry
TRegGroup
TRegGroups
YZ]_^[
_^[Y]
_^[Y]
SVWUQ
u%CNu
Z]_^[
SVWUQ
$Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
$Z]_^[
_^[YY]
TIntConst
_^[Y]
_^[Y]
_^[YY]
_^[Y]
SVWUQ
Z]_^[
_^[Y]
%s[%d]
_^[Y]
W<CNu
Strings
_^[Y]
_^[Y]
^[YY]
S$_^[Y]
^[YY]
_^[YY]
SVWUQ
SdZ]_^[
SVWUQ
$Z]_^[
^[YY]
_^[Y]
TPropFixup
TPropIntfFixup
_^[YY]
Owner
_^[YY]
_^[Y]
C0_^[
Classes
_^[Y]
False
_^[YY]
QQQQ3
Uhc!B
%s_%d
Uh/$B
Uh[$B
Uhy%B
_^[YY]
^[YY]
UhW*B
UhD+B
Uhg.B
QQQQQQQS
Uhj5B
UhK5B
SVWUQ
Z]_^[
_^[Y]
S _^[
SVWUQ
Z]_^[
YZ_^[
SVWUQ
Z]_^[
G0_^[
;CDt:
R0_^[]
UhCAB
Uh.BB
_^[YY]
UhrDB
UhaDB
Uh?EB
TPUtilWindow
UhHHB
TColor
EInvalidGraphic
EInvalidGraphicOperation
TFontPitch
fpDefault
fpVariable
fpFixed
Graphics
TFontName
TFontCharset
TFontStyle
fsBold
fsItalic
fsUnderline
fsStrikeOut
Graphics
TFontStyles
TPenStyle
psSolid
psDash
psDot
psDashDot
psDashDotDot
psClear
psInsideFrame
Graphics
TPenMode
pmBlack
pmWhite
pmNop
pmNot
pmCopy
pmNotCopy
pmMergePenNot
pmMaskPenNot
pmMergeNotPen
pmMaskNotPen
pmMerge
pmNotMerge
pmMask
pmNotMask
pmXor
pmNotXor
Graphics
TBrushStyle
bsSolid
bsClear
bsHorizontal
bsVertical
bsFDiagonal
bsBDiagonal
bsCross
bsDiagCross
Graphics
TGraphicsObject
TGraphicsObject
Graphics
IChangeNotifier
Graphics
TFont
TFontTPB
Graphics
Charset
ColorT
Height
PitchT
Size|MB
Style
Graphics
Color
StyleT
Width
TBrush
TBrush
Graphics
Color
Style
TCanvas
TCanvas
Graphics
BrushT
CopyMode
TGraphic
TGraphic
Graphics
TPicture
TPicturelVB
Graphics
TSharedImage
TMetafileImage
TMetafile
TMetafile
Graphics
TBitmapImage
TBitmap
TBitmap
Graphics
TIconImage
TIcon
TIcon\ZB
Graphics
TResourceManager
^[YY]
UhS]B
_^[YY]
UhP^B
_^[Y]
Uhi_B
^[YY]
clBlack
clMaroon
clGreen
clOlive
clNavy
clPurple
clTeal
clGray
clSilver
clRed
clLime
clYellow
clBlue
clFuchsia
clAqua
clWhite
clMoneyGreen
clSkyBlue
clCream
clMedGray
clActiveBorder
clActiveCaption
clAppWorkSpace
clBackground
clBtnFace
clBtnHighlight
clBtnShadow
clBtnText
clCaptionText
clDefault
clGradientActiveCaption
clGradientInactiveCaption
clGrayText
clHighlight
clHighlightText
clHotLight
clInactiveBorder
clInactiveCaption
clInactiveCaptionText
clInfoBk
clInfoText
clMenu
clMenuBar
clMenuHighlight
clMenuText
clNone
clScrollBar
cl3DDkShadow
cl3DLight
clWindow
clWindowFrame
clWindowText
ANSI_CHARSET
DEFAULT_CHARSET
SYMBOL_CHARSET
MAC_CHARSET
SHIFTJIS_CHARSET
HANGEUL_CHARSET
JOHAB_CHARSET
GB2312_CHARSET
CHINESEBIG5_CHARSET
GREEK_CHARSET
TURKISH_CHARSET
HEBREW_CHARSET
ARABIC_CHARSET
BALTIC_CHARSET
RUSSIAN_CHARSET
THAI_CHARSET
EASTEUROPE_CHARSET
OEM_CHARSET
UhmhB
Default
UhQmB
Uh-pB
UheqB
UhzuB
UhUuB
Uh3uB
_^[Y]
$YZ^[
Uhz}B
Uh ~B
E$PVSj
YZ_^[
$Z_^[
_^[YY]
C ;C$s
TClipboardFormats
_^[YY]
_^[Y]
_^[YY]
S`_^[Y]
3TjdP
kD$TdP
3TjdP
kD$PdP
EMFt
?TjdR
D$LPkD$XdPV
?TjdR
D$HPkD$TdPV
|$( EMFt
^[YY]
TBitmapCanvas
TBitmapCanvas
Graphics
@pPV3
_^[YY]
<$BMt
T]_^[
s(;~ t8
D$*Ph
C(_^[Y]
\$4Vj
SVWjH
TPatternManagerSV
_^[YY]
TObjectList
TOrderedList
TStack
_^[Y]
GetMonitorInfoA
GetSystemMetrics
MonitorFromRect
MonitorFromWindow
MonitorFromPoint
>(r[j
GetMonitorInfo
DISPLAY
>(r[j
GetMonitorInfoA
DISPLAY
>(r[j
GetMonitorInfoW
DISPLAY
EnumDisplayMonitors
USER32.DLL
IHelpSelector
HelpIntfs
IHelpSystem
HelpIntfs
ICustomHelpViewer
HelpIntfs
IExtendedHelpViewer
HelpIntfs
ISpecialWinHelpViewer0
HelpIntfs
IHelpManager
HelpIntfs
EHelpSystemException
THelpViewerNode
THelpManager
R(FKu
_^[Y]
comctl32.dll
InitializeFlatSB
UninitializeFlatSB
FlatSB_GetScrollProp
FlatSB_SetScrollProp
FlatSB_EnableScrollBar
FlatSB_ShowScrollBar
FlatSB_GetScrollRange
FlatSB_GetScrollInfo
FlatSB_GetScrollPos
FlatSB_SetScrollPos
FlatSB_SetScrollInfo
FlatSB_SetScrollRange
TSynchroObject
TCriticalSection
uxtheme.dll
OpenThemeData
CloseThemeData
DrawThemeBackground
DrawThemeText
GetThemeBackgroundContentRect
GetThemePartSize
GetThemeTextExtent
GetThemeTextMetrics
GetThemeBackgroundRegion
HitTestThemeBackground
DrawThemeEdge
DrawThemeIcon
IsThemePartDefined
IsThemeBackgroundPartiallyTransparent
GetThemeColor
GetThemeMetric
GetThemeString
GetThemeBool
GetThemeInt
GetThemeEnumValue
GetThemePosition
GetThemeFont
GetThemeRect
GetThemeMargins
GetThemeIntList
GetThemePropertyOrigin
SetWindowTheme
GetThemeFilename
GetThemeSysColor
GetThemeSysColorBrush
GetThemeSysBool
GetThemeSysSize
GetThemeSysFont
GetThemeSysString
GetThemeSysInt
IsThemeActive
IsAppThemed
GetWindowTheme
EnableThemeDialogTexture
IsThemeDialogTextureEnabled
GetThemeAppProperties
SetThemeAppProperties
GetCurrentThemeName
GetThemeDocumentationProperty
DrawThemeParentBackground
EnableTheming
IShellFolder
ShlObj
TCommonDialog
TCommonDialog
Dialogs
Ctl3D
HelpContext|
OnClose|
OnShow
TOpenOption
ofReadOnly
ofOverwritePrompt
ofHideReadOnly
ofNoChangeDir
ofShowHelp
ofNoValidate
ofAllowMultiSelect
ofExtensionDifferent
ofPathMustExist
ofFileMustExist
ofCreatePrompt
ofShareAware
ofNoReadOnlyReturn
ofNoTestFileCreate
ofNoNetworkButton
ofNoLongNames
ofOldStyleDialog
ofNoDereferenceLinks
ofEnableIncludeNotify
ofEnableSizing
ofDontAddToRecent
ofForceShowHidden
Dialogs
TOpenOptions
TOpenOptionEx
ofExNoPlacesBar
Dialogs
TOpenOptionsEx
TOFNotifyEx
TIncludeItemEvent
TOFNotifyEx
Include
Boolean
TOpenDialog
TOpenDialog
Dialogs
DefaultExt
FileName
FilterT
FilterIndex
InitialDir
Options
OptionsEx
Title
OnCanClose|
OnFolderChange|
OnSelectionChange|
OnIncludeItemSVW
_^[Y]
_^[Y]
;Ght4
FileEditStyle
8Z|03
@\@t*U
u"Vh_
Cancel
Abort
Retry
Ignore
NoToAll
YesToAll
commdlg_help
commdlg_FindReplace
WndProcPtr%.8X%.8X
TTimer
TTimer
ExtCtrls
Enabled
Interval|
OnTimerSV
_^[Y]
Uht#C
TClipboard
TClipboard4$C
Clipbrd
Sh`)C
_^[Y]
_^[Y]
Uhu'C
Uha(C
_^[Y]
Uh!*C
s'h`*C
Delphi Picture
Delphi Component
TCustomIniFile
THashItem
IniFiles
TStringHash
THashedStringList
THashedStringList
IniFiles
TMemIniFileSVW
_^[Y]
Uhi1C
Uh.1C
Uh!2C
UhV3C
_^[Y]
UhS4C
_^[Y]
_^[Y]
_^[Y]
Uh,8C
SVWUQ
Z]_^[
QQQQQSV
Uh2<C
QQQQSVW
_^[Y]
RD_^[
QH_^[
Q8FKu
Uh>AC
Uh!AC
Q8FKu
UhiBC
^[YY]
UhoDC
Wh8EC
_^[YY]
UhxEC
ERegistryException
TRegistryS
UhZIC
SVWUQ
Z]_^[
SVWUQ
Z]_^[
Uh0KC
MAPI32.DLL
Uh-LC
TConversion
TConversionFormat
comctl32.dll
TThemeServices
Theme manager
2001, 2002 Mike Lischke
^[YY]
!"#$%
UhSWC
TCustomEdit
TCustomEdit
StdCtrls
TabStop
TScrollStyle
ssNone
ssHorizontal
ssVertical
ssBoth
StdCtrls
TDrawItemEvent
Control
TWinControl
Index
Integer
TRect
State
TOwnerDrawState
Uh>^C
_^[YY]
D$8PS
THintAction
THintActionHcC
StdActns
UhQdC
TWinHelpViewer
_^[YY]
_^[YY]
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
_^[Y]
JumpID("","%s")
Uh:lC
_^[YY]
_^[Y]
MS_WINHELP
#32770
Uh"oC
Ph8nC
Uh-pC
UhzqC
TCursor
TAlign
alNone
alTop
alBottom
alLeft
alRight
alClient
alCustom
Controls
TDragObjectxrC
TDragObjectDrC
Controls
TBaseDragControlObject
TBaseDragControlObject
Controls
TDragControlObject
TDragControlObjectEx
TDragDockObject
TDragDockObject
Controls
TDragDockObjectEx
TControlCanvas
TControlCanvas(vC
Controls
TControlActionLink
TMouseButton
mbLeft
mbRight
mbMiddle
Controls
TDragMode
dmManual
dmAutomatic
Controls
TDragState
dsDragEnter
dsDragLeave
dsDragMove
Controls
TDragKind
dkDrag
dkDock
Controls
TTabOrder
TCaption
TAnchorKind
akLeft
akTop
akRight
akBottom
Controls
TAnchors
TConstraintSize
TSizeConstraints
TSizeConstraintsDyC
Controls
MaxHeight
MaxWidth
MinHeight
MinWidth
TMouseEvent
Sender
TObject
Button
TMouseButton
Shift
TShiftState
Integer
Integer
TMouseMoveEvent
Sender
TObject
Shift
TShiftState
Integer
Integer
TKeyEvent
Sender
TObject
Shift
TShiftState
TKeyPressEvent
Sender
TObject
TDragOverEvent
Sender
TObject
Source
TObject
Integer
Integer
State
TDragState
Accept
Boolean
TDragDropEvent
Sender
TObject
Source
TObject
Integer
Integer
TStartDragEvent
Sender
TObject
DragObject
TDragObject
TEndDragEvent
Sender
TObject
Target
TObject
Integer
Integer
TDockDropEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
TDockOverEvent
Sender
TObject
Source
TDragDockObject
Integer
Integer
State
TDragState
Accept
Boolean
TUnDockEvent
Sender
TObject
Client
TControl
NewTarget
TWinControl
Allow
Boolean
TStartDockEvent
Sender
TObject
DragObject
TDragDockObject
TGetSiteInfoEvent
Sender
TObject
DockClient
TControl
InfluenceRect
TRect
MousePos
TPoint
CanDock
Boolean
TCanResizeEvent
Sender
TObject
NewWidth
Integer
NewHeight
Integer
Resize
Boolean
TConstrainedResizeEvent
Sender
TObject
MinWidth
Integer
MinHeight
Integer
MaxWidth
Integer
MaxHeight
Integer
TMouseWheelEvent
Sender
TObject
Shift
TShiftState
WheelDelta
Integer
MousePos
TPoint
Handled
Boolean
TMouseWheelUpDownEvent
Sender
TObject
Shift
TShiftState
MousePos
TPoint
Handled
Boolean
TContextPopupEvent
Sender
TObject
MousePos
TPoint
Handled
Boolean
TControl
TControl
Controls
LeftT
WidthT
Height
Cursor
Hint,
HelpType
HelpKeyword
HelpContext
TWinControlActionLink
TImeName
TBorderWidth
IDockManager
Controls
TWinControl
TWinControlH
Controls
TCustomControl
TCustomControl$
Controls
THintWindow
THintWindow
Controls
TDockZone
TDockTree
TMouse
crDefault
crArrow
crCross
crIBeam
crSizeNESW
crSizeNS
crSizeNWSE
crSizeWE
crUpArrow
crHourGlass
crDrag
crNoDrop
crHSplit
crVSplit
crMultiDrag
crSQLWait
crAppStart
crHelp
crHandPoint
crSizeAll
crSize
TSiteList
_^[YY]
tPHt8
_^[Y]
S$_^[]
;B0t'
;B8t=
CQ tA
YZ_^[
YZ]_^[
YZ_^[
t%Jt?Jt[
%s (%s)
Z:Pjt
YZ]_^[
$:Cat
u$;~|u
;CLtX3
Qh_^[
YZ_^[
YZ_^[
V:P\t
GP t;
_^[YY]
CH+D$
CL+D$
;s0t=;
:_Wt+
f;Pxt
KHQRP
Ht7Ht
IsControl
_^[YY]
YZ_^[
_^[YY]
_^[Y]
8]_^[
,]_^[
YZ_^[
^[YY]
RD;PD
:_[up
SVWUQ
Z]_^[
C$PVj
C$_^[
:GauOFKu
_^[Y]
DesignSize
_^[YY]
_^[Y]
t2HtY
,;=,+J
]_^[
_^[Y]
_^[Y]
$Z_^[
_^[YY]
_^[Y]
^[YY]
SVWUQ
Z]_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
_^[YY]
;XDt#
SVWUQ
Z]_^[
t&j7j
YZ]_^[
YZ]_^[
YZ]_^[
t4VS
R|FOu
UhT,D
YZ]_^[
Uhz.D
^[YY]
S8_^[]
+CH+E
+SL+U
Uh"9D
Uhm?D
_^[Y]
f;Pht
_^[Y]
t9;wlt4
YZ_^[
;Bdt*
;Bh|3
@88kD
R|_^[
^dVhXaD
^dVhXaD
_^[Y]
Y_^[]
UhsXD
Y[YY]
Uhx[D
t$;C8u
QQQQSVW
Uhm`D
;Fdu;
^[YY]
Q8FKu
;Xdt>
t#;^dt
YZ_^[
Y_^[]
^[YY]
+W$;U
+G$;E
_^[Y]
BP_^[]
Uh^rD
USER32
WINNLSEnableIME
imm32.dll
ImmGetContext
ImmReleaseContext
ImmGetConversionStatus
ImmSetConversionStatus
ImmSetOpenStatus
ImmSetCompositionWindow
ImmSetCompositionFontA
ImmGetCompositionStringA
ImmIsIME
ImmNotifyIME
YZ_^[
UhlvD
Delphi%.8X
ControlOfs%.8X%.8X
USER32
AnimateWindow
TContainedAction
TContainedAction
ActnList
Category
TCustomActionList
TCustomActionList(yD
ActnList
TShortCutList
TShortCutList
ActnList
TCustomAction
TCustomAction {D
ActnList
TActionLinkSV
^[YY]
u*;~8u
R0GNu
SVWUQ
Z]_^[
QLGNu
R0Z_^[
QPFOu
_^[Y]
$:Cjt_
QTGNu
R0Z_^[
Q`FOu
R0]_^[
$;Ctt?
Q\GNu
R0Z_^[
QhGNu
R0Z_^[
QlGNu
R0Z_^[
SVWQf
QpGNu
R0Z_^[
QtFOu
R0]_^[
SVWUQ
$Z]_^[
TChangeLink
TImageIndex
TCustomImageList
TCustomImageList
ImgList
Rd_^[
s8VV3
S0_^[]
R ;C0|
R,;C4}!
S`]_^[
Bitmap
_^[Y]
comctl32.dll
comctl32.dll
ImageList_WriteEx
EMenuError
TMenuBreak
mbNone
mbBreak
mbBarBreak
Menus
TMenuChangeEvent
Sender
TObject
Source
TMenuItem
Rebuild
Boolean
TMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
Selected
Boolean
TAdvancedMenuDrawItemEvent
Sender
TObject
ACanvas
TCanvas
ARect
TRect
State
TOwnerDrawState
TMenuMeasureItemEvent
Sender
TObject
ACanvas
TCanvas
Width
Integer
Height
Integer
TMenuItemAutoFlag
maAutomatic
maManual
maParent
Menus
TMenuAutoFlag
Menus
TMenuActionLink
TMenuItem
TMenuItem
Menus
Action
AutoCheckt
AutoHotkeyst
AutoLineReduction
Bitmap
Break
Caption
Checkedt
SubMenuImages
Default
Enabledl
GroupIndex
HelpContext
ImageIndex
RadioItemd
ShortCut
Visible|
OnClick
OnDrawItem
OnAdvancedDrawItem
OnMeasureItem
TMenu
TMenu,
Menus
Items
TMainMenu
TMainMenu
Menus
AutoHotkeys
AutoLineReduction
AutoMerge4
BiDiModet
Images
OwnerDraw
ParentBiDiMode
OnChange
TPopupAlignment
paLeft
paRight
paCenter
Menus
TTrackButton
tbRightButton
tbLeftButton
Menus8
TMenuAnimations
maLeftToRight
maRightToLeft
maTopToBottom
maBottomToTop
maNone
Menus
TMenuAnimation
TPopupMenu
TPopupMenu
Menus
Alignment
AutoHotkeys
AutoLineReduction
AutoPopup4
BiDiMode
HelpContextt
Images
MenuAnimation
OwnerDraw
ParentBiDiMode
TrackButton
OnChange|
OnPopup
TPopupList
TMenuItemStack
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
_^[YY]
f;B`t
CPPVj
Q<]_^[
SVWUQ
:X?s&
X?ENu
Z]_^[
ShortCutText
_^[Y]
_^[Y]
P?:S?u
:^8tB
:^9tg
Q<_^[
:^?t1
f;P`t
:]:tJ
Q<]_^[
@?:F?v
Q<]_^[
Q<_^[
W<CNu
SpFOu
$YZ]_^[
_^[Y]
_^[Y]
SVWUQ
Z]_^[
_^[YY]
S0^[]
_^[Y]
_^[Y]
Ih;J4u
_^[Y]
YZ]_^[
S0_^[
S<&uO
^[YY]
TScrollBarInc
TScrollBarStyle
ssRegular
ssFlat
ssHotTrack
Forms
TControlScrollBar
TControlScrollBar
Forms
ButtonSize
Colorl
Increment
Margin
ParentColorT
PositionT
Range
SmoothT
StyleT
ThumbSize
Tracking
Visible
TWindowState
wsNormal
wsMinimized
wsMaximized
Forms
TScrollingWinControl
TScrollingWinControl
Forms
HorzScrollBar8
VertScrollBarD
TFormBorderStyle
bsNone
bsSingle
bsSizeable
bsDialog
bsToolWindow
bsSizeToolWin
Forms
TBorderStyle
Forms
IDesignerHook
Forms
IOleForm
Forms
TFormStyle
fsNormal
fsMDIChild
fsMDIForm
fsStayOnTop
Forms
TBorderIcon
biSystemMenu
biMinimize
biMaximize
biHelp
Forms
TBorderIcons
TPosition
poDesigned
poDefault
poDefaultPosOnly
poDefaultSizeOnly
poScreenCenter
poDesktopCenter
poMainFormCenter
poOwnerFormCenter
Forms
TDefaultMonitor
dmDesktop
dmPrimary
dmMainForm
dmActiveForm
Forms
TPrintScale
poNone
poProportional
poPrintToFit
Forms
TCloseAction
caNone
caHide
caFree
caMinimize
Forms
TCloseEvent
Sender
TObject
Action
TCloseAction
TCloseQueryEvent
Sender
TObject
CanClose
Boolean
TShortCutEvent
TWMKey
Handled
Boolean
THelpEvent
Command
Integer
CallHelp
Boolean
Boolean
TCustomForm
TCustomForm
Forms
TForm
TForm
FormsU
Action
ActiveControl
Align
AlphaBlendl
AlphaBlendValue
Anchors
AutoScroll
AutoSize4
BiDiMode
BorderStyle
BorderWidthlxC
CaptionT
ClientHeightT
ClientWidth
Color
TransparentColor
TransparentColorValuelyC
Constraints
Ctl3D
UseDockManager
DefaultMonitor
DockSite xC
DragKind
DragMode
Enabled
ParentFont
Font4
FormStyleT
Height
HelpFile8
HorzScrollBar
KeyPreviewh
OldCreateOrder
ObjectMenuItem
ParentBiDiModeT
PixelsPerInchT
PopupMenu
Position
PrintScale
Scaled
ScreenSnap
ShowHintT
SnapBuffer8
VertScrollBar
VisibleT
Width
WindowState
WindowMenu|
OnActivateT
OnCanResize|
OnClickl
OnClose
OnCloseQuery
OnConstrainedResizeP
OnContextPopup|
OnCreate|
OnDblClick|
OnDestroy|
OnDeactivate
OnDockDrop
OnDockOver
OnDragDrop
OnDragOver
OnEndDock
OnGetSiteInfo|
OnHide0
OnHelp
OnKeyDownP{C
OnKeyPress
OnKeyUp(zC
OnMouseDown
OnMouseMove(zC
OnMouseUpT
OnMouseWheel
OnMouseWheelDown
OnMouseWheelUp|
OnPaint|
OnResize
OnShortCut|
OnShow|~C
OnStartDock
OnUnDock
TCustomDockForm
TCustomDockForm|!E
Forms
PixelsPerInch
TMonitor
TScreen
TScreen
Forms
TApplication
TApplication
Forms
Uhp&E
t:GNu
^[YY]
Uha*E
;S$t6
;S0t6
]_^[
Uhj<E
Uhh?E
Uh0?E
_^[Y]
UhmCE
_^[Y]
Uh*GE
Sh$HE
PixelsPerInch
TextHeight
IgnoreFontProperty
_^[YY]
S,_^[]
Uh3QE
SVWUQ
$Z]_^[
;Cpu'
F(Z_^[
ShPRE
MDICLIENT
Uh}eE
_^[Y]
_^[Y]
;ADti
Uh.mE
f#CTf
UhGrE
_^[Y]
_^[YY]
t"GNu
$Z_^[
_^[YY]
_^[Y]
Y_^[]
_^[Y]
_^[Y]
_^[YY]
Ch;Ctt
Cd;Cpt
C\_^[
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
layout text
f;sDtsf
PWj W
CHYZ]_^[
RD;PD
_^[YY]
TApplication
MAINICON
XD;PHu
sx;P`u
;B0uGj
_^[YY]
vcltest3.dll
RegisterAutomation
SVWUQ
$Z]_^[
~D_^[Y]
_^[Y]
_^[Y]
_^[Y]
;{HtK
YZ_^[
Y_^[Y]
;^`u0
]_^[
^[YY]
YZ]_^[
User32.dll
SetLayeredWindowAttributes
TaskbarCreated
TEditMask
SVWUQ
Z]_^[
SVWUQ
$Z]_^[
_^[YY]
SVWUQ
Z]_^[
EDBEditError
TCustomMaskEdit
TCustomMaskEdith
>'u f
^[YY]
QQQQSV
^[YY]
_^[Y]
SVWUQ
Z]_^[
^[YY]
EInvalidGridOperation
TInplaceEdit
TInplaceEditx
Grids
TCustomGridX
TCustomGrid8
Grids
TabStop
_^[Y]
C4_^[
^[YY]
YZ_^[
_^[YY]
ColWidths
RowHeights
Y_^[Y]
G8;G<}@
C,_^[YY]
;p4}:U
;p4~!
Y^[YY]
;D$ ~
;D$P~
UhR+F
Uh5+F
_^[YY]
^[YY]
YZ_^[
_^[Y]
_^[Y]
Ht<Ht
R|_^[
^[YY]
_^[YY]
Uh>RF
_^[Y]
UhLSF
^[YY]
^[YY]
_^[Y]
p]_^[
D$DPj
6;D$$~0
;D$D}
;D$T~
OutlineError
EOutlineError
TOutlineNode
TOutlineNode
Outline
EOutlineChange
Sender
TObject
Index
Integer
TOutlineStyle
osText
osPlusMinusText
osPictureText
osPlusMinusPictureText
osTreeText
osTreePictureText
Outline
TOutlineType
otStandard
otOwnerDraw
Outline
TOutlineOption
ooDrawTreeRoot
ooDrawFocusRect
ooStretchBitmaps
Outline
TOutlineOptions
TCustomOutline
TCustomOutline
Outline
TOutline
TOutline|dF
Outline2
Lines<aF
OutlineStyle
OnExpand
OnCollapse\bF
Options
StyleT
ItemHeight
OnDrawItem
Align
Enabled
Color
ParentColor
ParentCtl3D
Ctl3DTxC
TabOrder
TabStop
Visible|
OnClick
DragMode xC
DragKind
DragCursor
OnDragDrop
OnDragOver
OnEndDock
OnEndDrag|~C
OnStartDockt|C
OnStartDrag|
OnEnter|
OnExit(zC
OnMouseDown
OnMouseMove(zC
OnMouseUp|
OnDblClick
OnKeyDownP{C
OnKeyPress
OnKeyUp
BorderStyle
ItemSeparator
PicturePlus
PictureMinus
PictureOpen
PictureClosed
PictureLeaf
ParentFont
ParentShowHint
ShowHintT
PopupMenu
ScrollBarsP
OnContextPopup
TOutlineStrings
TOutlineStrings
Outline
Uh=oF
^[YY]
YZ]_^[
SVWUQ
Z]_^[
_^[YY]
YZ]_^[
SVWUQ
Z]_^[
C ;F t
_^[Y]
PhxzF
Nodes
Uhw{F
UhR{F
Uh5{F
Uhj|F
UhM|F
QQQQSVW
MINUS
CLOSED
jHjZ
jdjxV
_^[Y]
_^[Y]
R|_^[YY]
tPHt*H
^[YY]
SVWUQ
Z]_^[
R|]_^[
EBcdException
EBcdOverflowException
TFMTBcdVariantType
TFMTBcdData
TFMTBcdData
FMTBcd
AsCurrency
AsDoubleT
AsInteger<
AsSmallInt
AsStringU
t)j j
QSVWf
_^[Y]
QQQQSVW
_^[Y]
_^[Y]
PSQRW
_ZY[X
_^[Y]
VWSQR
ZY[_^]
[_^Y]
QVWSQRf
ZY[_^Y]
QVWSQRf
ZY[_^Y]
QVWSRf
D$$Pj
\$&US3
H]_^[
_^[YY]
_^[YY]
D$/Pj
T]_^[
%s %s
(%s%s)
-%s%s
%s-%s
%s%s-
-%s %s
%s %s-
%s %s
%s -%s
(%s- %s)
(%s %s)
_^[YY]
TLiteralInfo
V,#tR,
TSQLTimeStampVariantType
TSQLTimeStampData
TSQLTimeStampData
SqlTimSt
AsDateTime
AsString
Fractions
Minute
Month
Second<
^[YY]
EOleError
EOleSysError
EOleException
Apartment
Neutral
_^[Y]
ole32.dll
CoCreateInstanceEx
CoInitializeEx
CoAddRefServerProcess
CoReleaseServerProcess
CoResumeClassObjects
CoSuspendClassObjects
QQQQQQQQSV
EDatabaseError
EUpdateError
TFieldType
ftUnknown
ftString
ftSmallint
ftInteger
ftWord
ftBoolean
ftFloat
ftCurrency
ftBCD
ftDate
ftTime
ftDateTime
ftBytes
ftVarBytes
ftAutoInc
ftBlob
ftMemo
ftGraphic
ftFmtMemo
ftParadoxOle
ftDBaseOle
ftTypedBinary
ftCursor
ftFixedChar
ftWideString
ftLargeint
ftADT
ftArray
ftReference
ftDataSet
ftOraBlob
ftOraClob
ftVariant
ftInterface
ftIDispatch
ftGuid
ftTimeStamp
ftFMTBcd
TCustomConnection
TCustomConnection\
TNamedItem
TNamedItem4
TDefCollection
TDefCollection
TFieldAttribute
faHiddenCol
faReadonly
faRequired
faLink
faUnNamed
faFixed
TFieldAttributes
TFieldDef
TFieldDef$
Attributes
ChildDefs|
DataTypeT
PrecisionT
TFieldDefs
TFieldDefsl
TIndexOption
ixPrimary
ixUnique
ixDescending
ixCaseInsensitive
ixExpression
ixNonMaintained
TIndexOptions
TIndexDef
TIndexDef
CaseInsFields
DescFields
Expression
Fields4
Options
SourceT
GroupingLevelT
TIndexDefs
TIndexDefsT
TFlatList
TFlatList
TFieldDefList
TFieldDefList
TFieldList
TFieldList,
TFieldKind
fkData
fkCalculated
fkLookup
fkInternalCalc
fkAggregate
TFields
TProviderFlag
pfInUpdate
pfInWhere
pfInKey
pfHidden
TProviderFlags
TFieldNotifyEvent
Sender
TField
TFieldGetTextEvent
Sender
TField
String
DisplayText
Boolean
TFieldSetTextEvent
Sender
TField
String
TAutoRefreshFlag
arNone
arAutoInc
arDefault
TLookupListEntry
TLookupList
TField
TField
Alignment
AutoGenerateValue
CustomConstraint
ConstraintErrorMessage
DefaultExpression
DisplayLabelT
DisplayWidth
FieldKind
FieldName
HasConstraintsT
Index
ImportedConstraintddG
LookupDataSet
LookupKeyFields
LookupResultField
KeyFields
LookupCache
Origin
ProviderFlags
ReadOnly
Required
Visible
OnChange<
OnGetText
OnSetText
OnValidate
TStringField
TStringField
EditMask
FixedCharT
Transliterate
TWideStringField
TWideStringField
TNumericField
TNumericField
Alignment
DisplayFormat
EditFormat
TIntegerField
TIntegerField
MaxValueT
MinValue
TSmallintField
TSmallintField
TLargeintField
TLargeintField
MaxValue
MinValue
TWordField
TWordField
TAutoIncField
TAutoIncField
TFloatField<2G
TFloatFieldL1G
currency
MaxValue
MinValueT
Precision
TCurrencyField
TCurrencyField43G
currency
TBooleanField
TBooleanField
DisplayValues
TDateTimeField
TDateTimeFieldp6G
DisplayFormatt
EditMask
TSQLTimeStampField
TSQLTimeStampField08G
DisplayFormatt
EditMask
TDateField
TDateField
TTimeField
TTimeFieldP;G
TBinaryField
TBinaryField
Size$>G
TBytesField
TBytesField$>G
TVarBytesField
TVarBytesField|?G
TBCDField
TBCDField
currency
MaxValue
MinValueT
PrecisionT
TFMTBCDField
TFMTBCDField
currency
MaxValue
MinValueT
PrecisionT
TBlobType
TBlobField
TBlobField$EG
BlobType
GraphicHeaderT
TMemoField
TMemoField
Transliterate
TGraphicField
TGraphicFieldpHG
TObjectField
TObjectField
ObjectType
TADTField
TADTField
TArrayField
TArrayField
TDataSetField
TDataSetFieldLNG
IncludeObjectField
TReferenceField
TReferenceField
ReferenceTableNameT
TVariantField
TVariantField
TInterfaceField
TInterfaceField
TIDispatchFielddUG
TIDispatchFieldpTG
TGuidField
TGuidField
TDataLink
TDataLink(WG
TDetailDataLinklXG
TDetailDataLink
TDataChangeEvent
Sender
TObject
Field
TField
TDataSourceXYG
TDataSource
AutoEditddG
DataSet
Enabled|
OnStateChange
OnDataChange|
OnUpdateData
TCheckConstraint
TCheckConstraint
CustomConstraint
ErrorMessage
FromDictionary
ImportedConstraint
TCheckConstraints
TCheckConstraints
TParamType
ptUnknown
ptInput
ptOutput
ptInputOutput
ptResult
TParam
TParam
DataTypeT
PrecisionT
NumericScale
Name|\G
ParamTypeT
Value
TParams
TParams
TBufferList
DB<_G
TDataSetNotifyEvent
DataSet
TDataSet
TPacketAttribute
TBlobByteData
TDataSet
TDataSet
Unknown
String
SmallInt
Integer
Boolean
Float
Currency
DateTime
Bytes
VarBytes
AutoInc
Graphic
FmtMemo
ParadoxOle
dBaseOle
TypedBinary
Cursor
FixedChar
WideString
LargeInt
Array
Reference
DataSet
HugeBlob
HugeClob
Variant
Interface
Dispatch
SQLTimeStamp
FMTBcdField
%s: %s
_^[Y]
_^[YY]
UhyjG
_^[Y]
Uh,mG
_^[Y]
Uh^nG
Uh&pG
Required
_^[YY]
%s[%d]
UhkxG
SVWUQ
Z]_^[
F(0{G
Uhz{G
%s[%d]
^[YY]
Q8FKu
_^[Y]
SVWUQ
Z]_^[
SVWUQ
Z]_^[
QQQQSV
AttributeSet
Calculated
Lookup
Boolean
,$YZ[
$YZ^[
DateTime
$YZ^[
Float
Integer
SQLTimeStamp
Variant
FIELD
Gd_^[
Boolean
DateTime
Float
Integer
SQLTimeStamp
String
s4_^[
:^Btc
^B^[Y]
Variant
^[YY]
Variant
QQQQSVW
YZ_^[
,$YZ[
,$YZ[
_^[Y]
UnNamed
^[YY]
PBGNu
PBGNu
_^[YY]
R<FKu
QQQQQSVW
Qd_^[
QQQQQQSVW
_^[Y]
QQQQSV
QQQQS
QQQQQQS
QQQQSV
QQQQQQS
QQQQS
QQQQSV
QQQQSV
QQQQSV
QQQQS
QQQQSV
QQQQS
QQQQSV
QQQQSV
^[YY]
<Primary>
Q$]_^
VP_^[
SVWUQ
Z]_^[
SVWUQ
Z]_^[
^[YY]
_^[Y]
QQQQQQSV
_^[Y]
QQQQSV
QQQQS
QQQQSV
QQQQS
QQQQS
QQQQS
,$YZ[
QQQQSV
QQQQSV
QQQQSV
QQQQSV
QQQQSV
QQQQS
QQQQS
QQQQS
QQQQSV
QQQQSV
^[YY]
_^[Y]
Uh{ H
_^[Y]
t;;^4t
Uh>#H
UhA$H
Uh3%H
SVWUQ
Z]_^[
%s.%s
Uho(H
UhO-H
R<FKu
Uh{.H
_^[YY]
UhU2H
UhA3H
^[YY]
Uh(4H
^[YY]
UhC5H
Uh&5H
_^[Y]
Uh:<H
Uh\=H
Y_^[YY]
SVWUQ
Z]_^[
sX_^[
FX;FTu;
FP;FL}
Uh1CH
CP;CL}
CP;CL}
PT;PP
QQQQQQSV
UhtHH
_^[YY]
Uh6RH
UhATH
TDefaultDBScreenApplication
UhpVH
DISTINCT
ASCENDING
DESCENDING
SELECT
WHERE
GROUP
HAVING
UNION
UPDATE
ORDER
UhA_H
uEh4aH
and
%s = ?
%s = :%s
where
QQQQQQSV
Uh/cH
UhIdH
6h`dH
inner join
outer join
ShXfH
UhuhH
UhFhH
ISQLDriver
DBXpress
ISQLConnection
DBXpress
ISQLCommand
DBXpress
ISQLCursor
DBXpress
ISQLMetaData
DBXpress
SPParamDesc
TSQLBlobStream
TTableScope
tsSynonym
tsSysTable
tsTable
tsView
SqlExpr
TTableScopes
TSQLConnectionLoginEvent
Database
TSQLConnection
LoginParams
TStrings
TSQLConnection
TSQLConnectionHnH
SqlExpr
ConnectionName
DriverName
GetDriverFunc
KeepConnection
LibraryName
LoadParamsOnConnect
LoginPrompt
Params
TableScope
VendorLib|
AfterConnect|
AfterDisconnect|
BeforeConnect|
BeforeDisconnect
OnLogin
Connected
TSQLDataLink
TSQLDataLink
SqlExpr
TSQLCommandType
ctQuery
ctTable
ctStoredProc
SqlExpr
TSQLSchemaInfo
SqlExpr
TCustomSQLDataSetxvH
TCustomSQLDataSet
SqlExpr
SchemaName
NoMetadata
GetMetadata
NumericMapping
ObjectView8_G
BeforeOpen8_G
AfterOpen8_G
BeforeClose8_G
AfterClose8_G
BeforeScroll8_G
AfterScroll8_G
BeforeRefresh8_G
AfterRefresh8_G
OnCalcFields
Active
TSQLDataSet
TSQLDataSet$yH
SqlExpr
CommandText
CommandTypeTYG
DataSourceT
MaxBlobSize
ParamCheck
Params
SortFieldNames
SQLConnection
\Software\Borland\DBExpress
dbxdrivers.ini
Driver Registry File
dbxconnections.ini
Connection Registry File
SqlExpr
4E<DI
@<PVS3
C<EOu
YZ]_^[
_^[YY]
TSQLParams
TSQLParams
SqlExpr
select
delete
insert
update
select
values
select
select *
select
values(
values (
;wPt7
f;CUt
USER_NAME
PASSWORD
DriverName
LibraryName
VendorLib
GetDriverFunc
Database
QQQQQQS
BlobSize
ErrorResourceFile
PASSWORD
USER_NAME
Database
PASSWORD
%s=%s
USER_NAME
Database
v?;Chw:
Clone1
PARAM_POSITION
PARAM_TYPE
PARAM_DATATYPE
PARAM_SUBTYPE
PARAM_PRECISION
PARAM_SCALE
PARAM_LENGTH
PARAM_NAME
Result
VendorLib
LibraryName
GetDriverFunc
VendorLib
LibraryName
GetDriverFunc
DriverName
^[YY]
VendorLib
LibraryName
HostName
RoleName
WaitOnLocks
CommitRetain
AutoCommit
BlockingMode
ServerCharSet
%s TransIsolation
repeatableread
dirtyread
SqlDialect
OS Authentication
Server Port
Multiple Transaction
Trim Char
Custom String
Connection Timeout
LocaleCode
QQQQSVW
BlobSize
(]_^[
^[YY]
%s_%d
R|H}"
QQQQQQSVW
select * from
where
0 = 1
_^[YY]
SVWUQ
Z]_^[
_^[YY]
RowsetSize
QQQQQSV
select * from
order by
_^[Y]
select
select count(*) from
distinct
where
order by
SVWUQ
Z]_^[
DesignerData
INDEX_NAME
COLUMN_NAME
INDEX_TYPE
SORT_ORDER
^[YY]
Q8GNu
_^[Y]
Database
USER_NAME
OpenDialog1
MainMenu1
PopupMenu1
Outline1
SQLDataSet1
TForm1
TForm1T
Unit1
GetSystemTimeAsFileTime
kernel32
FileTimeToSystemTime
Error
Runtime error at 00000000
0123456789ABCDEF
0123456789ABCDEF
MS Sans Serif
O)C+CCCK)
K)C+\CLC
yCC)C
CCC%x
[+GBCC
?#CC)
+GKCC
;CCC)G
+GKCC
BCCCz
KCCC+
s[+KACC
^ZCC)G+CsCC+CSCC
ZCCCL
CC+CKCC
CCC+GBCC
vCCC)
CCC)'
ICCCp
ICCCp
SCC),
YCCx6
6O)C+CCSC)@+K+
[CCC)
GBCC+
OACCx
ECCCL
WCCC)C
CCCBL
WCCC)C
JCCCz
KCCC)C
CCC+C
NCCC%z
kCCC)C+
[nCCp
8aCC)G+CsCC
[[CCx
)A+CCC
CC%zBL
+wDCC
-eCC+C
KCCC)C
rCC~GBCCL
KCCC)C
KKACC
oACCp
fCCCL
4CC%x
7CC%x
+CsCC
GCCC)C
CCC+5
+Tt;(
O+KACC
iCC)G+CsCC+CSCC
CACBC
JCCCz>
cCC)S
gCCCL
uCCC%zwRL
LCC)B
tyCCp
+GBCC
gCC)5
)G+CsCC
wCCCp
)C)C%
+GBCC
{CCC),
GBCC+C
dCC%z
hCCC+
60&1%
CCC+l
SBCC)
CSCC+CsCC
)B+CCC
oACC)y
+GBCC
DCC)S
BCCC)s
@CCCp
z]CCp
+KACC
+GBCC
CACBC
SCCCz
)G+CsCC
+GBCC
pSCCp
)G+CsCC
sCCC'
+GBCC
sCCC'
CCCz>
_CCCh
A%xBL
FCCCp
)G+CsCC+
CCC)F
CCCCL
JCCCz
+GBCC
CC%zDL
KCCC)C
KCCC)C
+CsCC
+2Vo(
+2Vo(
@CCCp
CCCCL
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
kernel32.dll
lstrcpyA
WriteFile
WaitForSingleObjectEx
WaitForSingleObject
VirtualQuery
VirtualAlloc
Sleep
SizeofResource
SetThreadLocale
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
ReadFile
MultiByteToWideChar
MulDiv
LockResource
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
GlobalUnlock
GlobalReAlloc
GlobalHandle
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetVersionExA
GetVersion
GetTickCount
GetThreadLocale
GetSystemInfo
GetStringTypeExA
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentProcessId
GetCPInfo
GetACP
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumCalendarInfoA
EnterCriticalSection
DeleteCriticalSection
CreateThread
CreateFileA
CreateEventA
CompareStringA
CloseHandle
version.dll
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
gdi32.dll
UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWindowExtEx
SetWinMetaFileBits
SetViewportOrgEx
SetViewportExtEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetMapMode
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SelectClipPath
SaveDC
RestoreDC
RectVisible
RealizePalette
PolyPolyline
PlayEnhMetaFile
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipBox
GetBrushOrgEx
GetBitmapBits
ExtCreatePen
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt
user32.dll
CreateWindowExA
WindowFromPoint
WinHelpA
WaitMessage
ValidateRect
UpdateWindow
UnregisterClassA
UnionRect
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
ShowCursor
SetWindowsHookExA
SetWindowTextA
SetWindowPos
SetWindowPlacement
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetKeyboardState
SetForegroundWindow
SetFocus
SetCursor
SetClipboardData
SetClassLongA
SetCapture
SetActiveWindow
SendMessageA
ScrollWindowEx
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageA
OpenClipboard
OffsetRect
OemToCharA
MessageBoxA
MessageBeep
MapWindowPoints
MapVirtualKeyA
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageA
IsChild
IsCharAlphaNumericA
IsCharAlphaA
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessageTime
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDoubleClickTime
GetDlgItem
GetDesktopWindow
GetDCEx
GetDC
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassInfoA
GetCaretPos
GetCapture
GetActiveWindow
FrameRect
FindWindowA
FillRect
EqualRect
EnumWindows
EnumThreadWindows
EnumClipboardFormats
EndPaint
EnableWindow
EnableScrollBar
EnableMenuItem
EmptyClipboard
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawFocusRect
DrawEdge
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
CloseClipboard
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
CharNextA
CharLowerBuffA
CharLowerA
CharUpperBuffA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
kernel32.dll
Sleep
oleaut32.dll
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayGetElement
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopyInd
VariantCopy
VariantClear
VariantInit
ole32.dll
CoUninitialize
CoInitialize
oleaut32.dll
GetErrorInfo
SysFreeString
comctl32.dll
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_GetDragImage
ImageList_DragShowNolock
ImageList_SetDragCursorImage
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
comdlg32.dll
GetOpenFileNameA
kernel32.dll
MulDiv
0(0<0T0l0
1$1D1P1T1X1\1`1d1h1l1x1
3"3*323:3B3J3R3Z3b3j3r3z3
4&4/4P4X4
7)8]8i8
;%;8;B;H;V;\;d;v;
<0<6<><H<_<j<
<"=8=
>/?5?N?W?`?k?t?{?
0.141D1M1
2H2b2
4$4*4\4
4!5,555;5K5T5
6M7S7[7
;Z;c;
.2m2}2
4'5;7
8:8V8b8v8
8+949i9p9
<'=.=F=h=
=;>N>b>
>H?P?|?
030=0B0a0f0k0
151B1}2
9J<S<Z=c=
8Q:o:
<-=>=~=
2(3q3
4/484A4M4W4~4
4 5.535L5\5m5~5
5;6G6T6f6l6}6
727:7B7J7R7Z7b7j7r7z7
8"8*828:8B8J8R8Z8b8j8r8z8
9"9*929:9B9J9R9Z9b9j9r9z9
:":*:2:::B:J:R:Z:b:j:r:z:
;";*;2;:;B;J;R;Z;b;j;r;z;
<"<*<2<:<B<J<R<Z<b<j<r<z<
="=*=2=:=B=J=R=Z=b=j=r=z=
>">*>2>:>B>J>R>Z>b>j>r>z>
?"?*?2?:?B?J?R?Z?b?j?r?z?
0"0*020:0B0J0R0Z0b0j0r0z0
1"1*121:1B1
4 4([email protected]`4h4p4x4
5 5([email protected]`5h5p5x5
6 6([email protected]`6h6p6x6
8 8(8,8084888<[email protected]|8
:<:D:H:L:P:T:X:\:`:d:t:
;$;D;L;P;T;X;\;`;d;h;l;
< <0<P<X<\<`<d<h<l<p<t<x<
= =$=(=8=X=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8>L>l>t>x>|>
?$?,?0?4?8?<[email protected]?D?H?L?`?
1,1L1T1X1\1`1d1h1l1p1t1
282X2`2d2h2l2p2t2x2|2
4;4C4P4U4[4U7;8n;
<$</<<<A<
=[=l=
4u5y5}5
9E9M9U9]9e9
: :$:a;$<,<
0A1S1
4&5A5\5{5
;@<{<
>L>P>T>X>\>`>d>h>l>p>t>x>|>
0$080i0
5K5c5U6
:Z:p:}:
;!;M;
;.<[<
02070C0f0
1C1M1s1
1/2>2X2j2
5[5`5h5
5a6k6
6 7'7
9/9Q9_9f9~9
9':E:p:
='=s=
>>>E>O>U>\>f>k>q>v>|>
?"?+?4?\?e?n?t?
+0Y0|0
0$1>1\1
1$2X2
3I3y3
7"7,767H7]7h7m7r7
8!8>8P8
9(9;9N9W9r9
:1:O:q:
;4;A;
=6=L=
>N>U>h>t>y>
><?O?W?f?v?
474v4
5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$6(60646<[email protected]`6d6l6p6x6|6
7 7$7,70787<7D7H7P7T7\7`7h7l7t7x7
8*858?8J8T8_8i8s8y8
9$9.989B9L9V9h9
: ;-;V;
<.<d<q<
<%=c=
>G>f>n>v>~>
?%?*?5?;[email protected]?K?Q?V?a?g?l?w?}?
0'0-020=0C0H0S0Y0^0i0o0t0
2>2B2F2^2l2p2
3 3$383
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
6 6<6\6d6h6l6p6t6x6|6
7$7,7074787<[email protected]
888X8`8d8h8l8p8t8x8|8
9$9,9094989<[email protected]
:?:{:
;+;:;Q;
<*<A<n<
=%=4=K=Z=q=
>&>X>g>~>
?B?y?
275E5;6]6a6e6i6m6q6u6y6}6
7\8u8
9)9P9u9
;!;%;);-;1;5;9;=;A;E;I;M;Q;U;Y;];i;
1#1'1+1/131
3O4V4l4p4t4x4|4
4C5J5a5e5i5m5q5u5
6&6>6B6F6J6N6R6V6c6
=6>x>
>b?f?j?n?r?v?z?~?
0,0A0$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1
3x4|4
4=5U6Y6]6a6e6i6m6q6u6y6}6
8"8&8*8.82868:8>8B8F8J8N8R8V8Z8^8b8f8j8z8=9
:6;O;h;
< <$<(<,<0<4<8<<<P<
>5?Y?
0P1T1X1\1`1d1h1l1p1t1x1|1
1N2i2
2U3Y3]3a3e3i3m3q3u3y3}3
3)4F4c4
4 5X5
6P6g6
767M7
8!8%8)8-8185898=8A8E8I8M8Q8U8Y8]8a8e8i8m8q8u8
<E=\=u=
>1>l>
>.?J?N?R?V?Z?^?b?f?j?n?r?v?z?~?
2!2%2
526}6
9-:F:]:
<7=o=
0&0?0X0
3P5k5z5
:&;z;
000M0
0*1l1
3,5K5c5{5
6&6H7
8P;y;
;O<P=
0)1l1p1t1x1|1
1:3W3`3s3
4T6q6
7Q8`8
9+9:9g9v9
:4:b:t:
;';B;H;\;a;
2<2J2
3-323g3v3
5"5'5,51575<5A5G5N5T5[5a5h5n5u5{5
6$6,646<6D6L6T6\6d6l6t6|6
7E7I7M7Q7i7x7|7
808P8X8\8`8d8h8l8p8t8x8
8/969
:!:%:):-:1:5:9:=:
;:<A<~<
><?r?
0 0*010y0
1h3o3
4C4J4c4
4k5r5
;<<@<D<H<L<P<
?'?9?J?P?j?r?z?
040L0
1,1D1d1|1
2$2,2024282<[email protected]
4 [email protected]\4`4d4h4|4
5 505P5X5\5`5d5h5l5p5t5x5
6 6$6(6,606D6d6l6p6t6x6|6
7 7(7,7074787<[email protected]
8 8,80888<[email protected]\8`8d8n8r8
9 9(9,9094989<[email protected]
:&:*:@:U:Y:l:x:|:
;);-;@;P;\;`;h;l;p;t;x;|;
<4<@<D<T<\<`<d<h<l<p<t<x<|<
> >$>(>,>0>4>8><>@>D>T>e>i>|>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?d?
0 0$0(0,0004080<0T0t0|0
1 1$1(1,10141
2"2&2*2.22262N2\2`2|2
3 3$3(3,[email protected]`3h3l3p3t3x3|3
4"444T4\4`4d4h4l4p4t4x4|4
4"5&5*5.52565:5R5n5|5
6,6064686<[email protected]\6`6d6h6x6
7 7$7(7,7074787<[email protected]\7l7x7|7
808L8
9 9$9(989X9`9d9h9l9p9t9x9|9
;2<9<Z<
?>?P?g?
2 2P2U2
2$3)3b3}3
374D4S4^4p4
5$5B5O5^5p5u5
6 6$6(6,606
8A8L8s8
9Q:}:
;(<K<e<w<
0?0[0
3c3j3
3!4<4
4R5n5~5
7B7p7
=5>R>
001F1
5<5h5
6J7{7
849F9c9
:A:[:
:%;C;
;'<X<
=5=K=
>.?D?
90V0Q1
1;2q2
7M8T8
:+;;;[;
20282<[email protected]\2j2r2
424z4
4n5{5
7)787
7 8%8D8U8s8z8
;A;];
=$>V>
3;4]4
515G5
8K8Y8g8u8
;K<O<r<v<
<+=Y=
=#>E>
? ?$?(?,?0?4?8?
353H3
9#9'9+9/93979;9?9C9G9K9O9J:p:
:2;l;
=<=L=Y=
>%>,>Z>w>
?"?&?*?.?2?6?:?>?B?F?J?N?R?V?Z?^?b?
2=3M3i3s3
474D4S4c4
5>5[5`5
9)969<9L92:9:
2+3*4
626<6K6
737;7A7
8'818C8[8g8t8
9 9([email protected]`9h9p9x9
: :(:0:8:@:H:P:X:`:h:p:x:
; ;(;0;8;@;H;P;X;`;h;p;x;
< <$<(<,<0<4<8<<<@<T<t<|<
=,=E=|=
>4?D?P?T?\?`?d?h?l?p?t?x?|?
0$0(0004080<[email protected]\0j0v0
1"1&1*1B1F1J1a1e1i1
2#2+2B2F2J2b2f2j2
3%3)3-3H3X3h3p3t3x3|3
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5
6 6$6,606<[email protected]\6`6d6h6l6p6t6x6
7,7L7T7X7\7`7d7h7l7p7t7x7
8 8$8(8,8084888H8W8[8l8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :0:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;$;(;,;0;4;8;<;@;D;
>C>u>
> ?*?<?_?
7N7k7
7>8N8`8
8Y9j9
;#<N<k<
<"=2=D=
?6?O?g?x?
0 0>0
0V1[1
222D2N2
5C5m5
7J7t7
9"9`9
:@:`:q:}:
;5;<;
=%=9=G=V=m=
0/1-2
;0;S;
=3>F?
1%1<1L1
4#444
425<5F5K5
728O8
3.4L5
5,6[6
8'8+8C8S8
9I9N9
9A:S:
:,;>;
3L394
5&6=6
6M7R7
061g1t1
1U2c2
4#5j5
8&8;8
0_0'1
1$242
4)4^4m4r4
546e6u6t7
8"8,868E8O8Y8c8m8w8
9/9?9I9T9^9i9s9z9
:<:D:H:L:P:T:X:\:`:d:h:l:p:t:
; ;$;(;,;0;4;8;<;@;
="=*=2=:=B=J=R=Z=b=j=r=z=
>$>*>C>a>l>z>
>F?N?T?`?h?
k0s0y0
1#1+1g1r1
1;2F2f2
5#505B5W5c5p5
606I6l6
7 7$7(7,7H7T7h7p7t7x7|7
7?8C8G8K8O8S8W8[8_8c8g8k8o8s8w8
9,949<9D9l9x9
:1;F;o;
=!>m>
1D1j1q1
2Y2|2
3R3~3
3 4?5K5S5]5j5z5
656B6[6o6z6
7 7)7.737A7J7O7T7b7k7p7u7
9<9D9H9L9P9T9X9\9`9d9h9l9
; ;';.;5;<;C;J;Q;X;_;f;m;t;{;
<#<*<1<8<?<F<M<T<[<h<m<
[email protected]=E=R=W=d=i=v={=
>*>/><>A>N>S>`>e>r>w>
?&?+?8?=?J?O?\?a?n?s?
0$0)0
4'454=4O4b4l4v4
5+575D5V5c5o5|5
6 626:6G6S6`6r6
7 7$7(7,7074787H7L7P7T7X7l7
:5:@:|:
;&;.;6;>;R;V;Z;^;b;t;
<(<0<M<o<
=-=T=
=N>V>h>z>
90N0`0n0
494D4
5"5<5
6(626<6F6P6\6
:p;z;
<$<(<0<4<<<@<H<L<T<X<`<d<l<p<x<|<
=&=5=?=J=O=\=l=x=|=
>+>3>N>V>
?8?y?
D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,30343?3K3R3]3o3
4 4$4(4,4044484<[email protected]\4l4p4
5(5G5N5
5 6;6
777h7
9B9L9V9[9n9
:.:6:A:F:Q:X:
;$;(;0;4;<;@;H;L;[;g;{;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=R=h=x=
> >$>(>,>0>4>8><>@>D>H>`>w>{>
? ?$?(?,?
0N0{0
171;1C1\1
2M2~2
363_3c3k3
4F4v4
5L5t5
617I7Y7
;>;a;
>"?;?
(080`0
111u1
3*4:4b4
5C5O5V5a5s5
6 6$6(6,60646B6g6n6
8#9M9
;+;>;_;k;s;{;
<(<:<@<`<h<l<p<t<x<|<
<G=S=[=c=o=w=
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
3]6<7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
96:::B:d:n:x:
=1>\>|>
3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
334?4L4^4d4
5 5$5(5,5054585<5T5p5
5$6^6i6t6
7+777P7v7
:F:N:l:z:
<-<^<
1/1;1E1O1T1c1u1
2 2$2(2,2024282<[email protected]\2`2d2t2
3,3H3L3`3
4 4$4(4,4044484<[email protected]\4`4|4
5)[email protected]`5h5l5p5t5x5|5
6 6$6(6,6064686<6P6d6h6|6
7 7$7(7,7074787<[email protected]
7 888T8l8|8
9 9$9(9,9094989<[email protected]
;C;G;K;P;
<a<e<i<m<t<
=m=q=u=y=
>l>p>t>x>|>
>>?B?N?T?
>0B0F0J0N0T0
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
263:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
4"4&4*4.42464:4>4B4F4J4N4R4V4Z4^4l4z4~4
5.5:5M5p5x5|5
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6t6x6|6
7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
9"9&9*9.92969:9>9B9F9J9N9R9V9Z9^9b9f9j9n9r9v9z9~9
:":&:*:.:2:6:::>:B:F:J:N:R:V:Z:^:b:f:j:n:r:v:z:~:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <4<D<P<T<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=j=n=r=v=
?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?
20:0I0Q0l0r0
0 111
4 4$4(4,4044484<[email protected]
7(7e7~7
<J=e=x=
==>O>Z>
?e?w?
(050>0G0b0
1$1/151N1W1_1m1r1|1
2!2.2P2]2q2{2
3"3*3<3c3l3u3
5!5B5J5[5y5
7&787H7Q7z7
9'929G9Q9[9d9w9|9
:#:.:B:S:
:S;c;
<V<q<
=V=[=
=F>.?Y?l?
0#1&2D2b2
3*3/3;3O3
7S8W:
?<?B?
5+5:5}5
828J8f8o8
9%9F9
0)5`5k5y5
:<:,<7<E<
273g6
7 7A7s7
839f9
>#>:?C?
132C2
5(7L7
8-9g9
:7<~<
0&141P1v1
'0J0W0r0
161K1^1{1
647[7`:
=+=:=Q=`=,>
5-7n7u7
061<1
4)4C4
8A8c8t8
:7;a;
5D658<8
1x2q5
8l:|:
>&>7>O>g>x>
=0[0D1
3)5r5
?G?Q?[?e?o?y?
1)111=1H1N1Z1d1j1v1{1
2#2.23282C2P2b3s3
4-4C4K4Z4d4m4y4
5'545>5O5X5x5
6 6%6/6?6J6W6
7/7;7S7]7g7r7w7
8 8$8(8,8084888<[email protected]
9 9$9(9,9094989<[email protected]\9j9n9r9v9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;~;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
7A8[9
:":+:0:;:@:L:h:l:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;\;t;
=8=|=
=5?L?u?
0M0j0
0*1"2
3+484H4q4
4F5c5
6;7e7t7
9/9?9j9
=C=l=|=
>/>\>y>
>Q?Y?c?i?t?
1*101P1X1\1`1d1h1l1p1t1x1
2 2{2
3b3f3j3n3t3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]~5
6,646X6\6`6y6
7'7/737I7Q7n7z7
8'8+8A8M8c8
9 9$9(9,9094989<[email protected]\9`9d9r9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:h:w:{:
;";*;C;K;g;o;
<4<R<
= =$=(=,=0=4=8=<[email protected]=D=T=d=h=v=
>3>7>;>Y>a>z>
?8?\?|?
2*2E2
4.6H6{6
:K;\;
<.<:<F<
=->K?
$0M0X0
1}1W2
<*?=?
1(3y3
495C5M5`5j5}5
8}8W9
9U:y:f;
>(?_?
4=5h5m5u5z5
5K6}6
2A2N2p2u2
7,:Q:]:q:}:
>n>~>
070T0
2E2a2
3&3:3
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6{6
7"7,787B7I7S7Z7d7l7
8 888O8S8a8i8
: :;:h:x:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <@<_<
=4=M=
>$???l?
,000x0}0
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
1j2n2r2v2z2~2
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3l3}3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5"5>5F5^5f5
6#6:6B6F6`6h6l6
7#7'7;7C7f7n7
8.868Q8t8
9!9)9-9B9e9m9q9
:!:%:B:k:o:s:
; ;E;M;Q;h;
<%<)<B<N<g<s<
<&=O=[=r=~=
>,>8>Q>]>v>
?(?4?M?Y?o?{?
010Z0f0|0
[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<[email protected]\2`2d2h2l2
3(3034383<[email protected]`3l3p3
4/484D4H4X4`4d4h4l4p4t4x4|4
5!5)5}5
6%6,646B6O6_6v6
7+747<7E7U7\7c7j7{7
8=8S8
:.:=:T:
33393
434d4
6"686
6G7W738
=N>Y>h>
?!?W?\?x?
0=0Q0e0
0&1h1{1
2G3v3
4D4j4
5i5}5
7R7]7j7p7{7
>P?`?}?
Z0g0w0
5U5s5
7P7f7
7P8Z8B:Q:h:|:
>5>Q>t>
???Q?o?
040K0c0u0
1)2C2m2
8+868M8p8S9
;";6;s;
2(2:2N3Z324
6Y9|9
:L:h:
;);i;
<(<A<
=7=\=x=
?_?o?
3 3*3B3X3
4$4)4:4H4Z4q4{4
=y>e?
0-0<0i0s0~0
<1=~=
?.?=?M?Z?`?u?{?
1[1m1r1
4!404A4T4m4
505O5
5$6M697
878x8/9
>H>p?
838V8
0!0/0O0l0
1D3j3
384[4
949w9
9J:Z:e:
;";2;:;I;S;X;t;
<`=k=
6(6,686<6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7n7v7
8'8k:
;p<w<
0(1N1m1
>0?t?
7,7<7H7L7T7X7\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
; ;$;(;,;0;4;8;<;@;D;T;e;i;w;
?+?u?
:W:d:
80:@:
:%;E;n;~;
2#6*6
3 3J5
3:3m3
405y5
0 0(0,0004080<[email protected]\0h0l0|0
02161<1X1
2\2r2x2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 [email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5p5~5
5!6)6C6K6c6k6
7.767T7\7z7
8#8F8i8
8 9F9l9
:D:h:
;#;';+;/;J;N;R;V;p;t;x;|;
</<7<S<[<x<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=
=G> ?
:(;E;j;
;@<]<
<(=R=
1,1E1y1
1,2A2o2
464f4j4r4
5,60686
7>7t7
898=8E8d8
8%9)9
02161:1>1B1F1J1
7P7s7L8P8T8X8\8`8d8
;a?|?
0B0R0
041b1A2w2
2C3O3\3n3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6
75797=7X7\7`7|7
8<8T8b9
> >M>m>
>%?[?
151L1e1
2F2o2
657F7j748F8
9.9=9[9i96:H:
:_;2<A=L=(>
3'444[4
6:7a7o7~7
;<;$<
3/4d4
5 6V6
8;9b9|9
9W:h:y:
:{;9<e<
=+=5=
?9?_?
030\0
1)1R1{1
2E2k2
2k3z3
5*5K5l5
5_6n6
8E8i8
<L<{<
=F>U>
050O0[0h0z0
1<1L1\1d1h1l1p1t1x1|1
2$2:2B2^2f2}2
2O3[3
3 4,4d4p4L8e8
8'9G9
90:]:
::;J;e;
;(<D<S<j<D=c=~=
?T?c?z?
0'040F0L0l0t0x0|0
1 1(1,1014181<[email protected]^132c2
2=3{3
4Z5q5
:4:;:
;';:;g;[<
<f=o=u=~=
>#>0>;>M>^>k>q>x>~>
?0?8?<[email protected]?D?H?L?P?T?X?f?|?
1 10181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<[email protected]^2t2
3 3$383L3P3\3z3
4 4$4(4,4044484<[email protected]_4c4n4v4
5 [email protected]\5`5d5h5l5p5t5x5|5
546H6L6X6\6l6t6x6|6
727:7W7[7_7|7
8(8084888<[email protected]\8`8d8h8l8p8t8x8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
<P<p<x<|<
=5=<=
>6>>>H>h>p>t>x>|>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
1K1O1S1W1r1v1z1~1
2*2W2_2
4;4`4p4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6#6L6\6l6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
9*929N9V9v9~9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;%;@;P;`;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
=">H>X>h>p>t>x>|>
? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?d?h?l?p?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1 1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2 2$2(282I2M2X2`2{2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4$484<4G4O4l4}4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$60646D6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
989P9T9_9g9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;$;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<<<L<P<\<l<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
?!?%[email protected]?P?X?\?`?d?h?l?p?t?x?|?
0 0$0(0,0004080<[email protected]
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2,242O2W2s2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4,444O4W4r4z4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6$6(63676;6V6~6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
7$848D8L8P8T8X8\8`8d8h8l8p8t8x8|8
9 9$9(9,9094989<[email protected]{9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
;8;H;X;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<|<
= =$=(=,=0=4=8=<[email protected]=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?0?4?H?[?_?j?r?
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1E1d1t1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4$444D4L4P4T4X4\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]`5u5y5
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7
8 8$8(8,8084888<[email protected]}8
9 9$9(9,9094989<[email protected]
:*:T:`:d:t:|:
;!;D;L;k;
< <$<(<,<0<4<<<T<k<o<|<
= =$=(=,=0=4=8=F=N=V=h=t=x=
>4>S>W>[>_>t>
?8?f?l?
1!1%1)1-1115191=1A1E1I1M1Q1U1Y1]1a1y1
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4:4B4P4T4d4r4v4Q7
8?8N8c8z8
;&<N<
4*5_5
777C7_7
9<:x:
:<;P;m;
<)=w=
>,?<?
4M5z5
7^8g8u8
9(:Y:
?#?J?
1B1r1
2:2C2
2 3Q3}3
4B4F4i4
4,5T5
97:U:q:
: ;d;
>4>[>
>+?v?
1=1g1{1
2F2o2
434]4
4+5R5
9n:i;
:/;A;n;E=
>M?f?
0;1b1
1*2H2s2
3.4L4
4%585T5
7D8W8j8
8L9|9f:w:
=P>`>
1 1H1p1
2F2n2
4,4c4q4
4/5f5
6=6P6a6
7!8>8q8
999q9
;o<a=j=x=
0M1e1
3$4o4
9>9g9
:@:g:
;5;c;
<=<h<
>E?X?t?
3>3_3
>M?X?
556B6
7!7%7)7-7175797=7A7E7U7
9#9'9+9<9
<A<`<g<
?"?O?t?
080f0
1#2P2z2
444`4
5K5v5
6K6x6
6%737\7
:G:r:
:H;Y;j;{;
313`3w3
7V7|7
7)8]8
:/:B:
;M<==
>L>n>
2 2H2
565z5
6#6E6I6M6Q6U6Y6]6
7P:T:X:\:`:d:h:l:p:t:x:
<-<g<
6S788E9F:
3/3[3w3
344q4
5"5&5*5.5F5b5p5t5|5
5'636:6D6N6Y6k6
6&7j7
8>8N8e8u8
8*9?9p9
: :5:I:^:
3<4}4/5s5
506v6
6#8V8
9,9=9`9p9
: :(:0:8:@:H:P:X:`:h:p:x:
; ;(;0;8;@;H;P;X;`;h;w;
< <$<(<,<0<4<8<<<@<D<H<L<P<V<^<o<{<
>$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
?0?4?D?H?L?m?u?
070]0e0~0
2 2$2(2,2024282<[email protected]~2
383D3H3X3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6"6*626:6B6J6R6Z6t6
8>8f8
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
;%<-<J<R<p<
==>R>b>z>
>Z?_?
1?2I2
3%3C3d3
3>4y4
4-565P5e5
5G6r6
:0:F:
:1;K;h;
;X<h<x<
>)>F>o>
7?7t7
7%8A8
9<9V9
;!;)<
?;?]?p?
0D0w0
121S1r1
4.4>4p4
4R5k5
6M7c7
8-8B8\8z8
<+<b<
<==s=
>(>,>0>4>8><>@>"?Q?
2V2u2
5b5s5
5>6s6
6?7_7h7d9
<G<l<
1!292~2
2 393b3
3*4L4b4
5F5x5
6!6_6
667[7t7
728K8
;K;};
<D<R<k<
?C?_?
3+4\4|4
7G8m8(9/9M9Q9U9Y9]9a9e9i9
91:D:[:
:,;c;y;U<o<
<^=v=
=T>p>
?:?>?B?F?J?N?R?V?Z?^?b?f?
,1e1~192z2
526[6k6
8G9W9X:
=<>e>v>
>%?C?
1W1j1
2S3[3
3a4v4
5$5?5g5
:$:-:
;c;q;
=G=X=j=
3Z4+5X5]5
6!6D6P6
727^718{8
8'9+9/93979;9?9C9G9?;
1j273M3
3;4D4
6)7N7{7
;(;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<J<
<$=8=X=
='>3>@>U>f>s>|>
0 0$0(0,0004080<[email protected]\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<[email protected]\1`1d1h1l1p1t1x1|1
2X2`2h2p2x2
8 8([email protected]`8h8p8x8
:T<X<\<`<d<h<l<p<t<x<|<
=P=`=h=p=x=
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<[email protected]\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<[email protected]\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<[email protected]\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<[email protected]\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<[email protected]\8`8d8h8l8p8t8x8|8
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*"*"$3338
"C338
"*"$33
"*:"$
"J"$3
:33:"$
"C8338
"J"C3333
3333:"$
#33338
33333
"J333333
33333:"$3333338
333333
$3333333
333333:"33333338
3333333
33333333
333333333333333333
33333333?333333
33?33
33338
33333
33833
333338
33333833
33333
333838
3333339
3333333333333338
333333333333333333
33DDDDD3333
33333333333
333333?
333333
333333
3333f3333333?
3336Dc3333338
333>fC333333
c333333
3333333333338
3333Dc3333333
3336fC3333338
333>fC333333
333>fd333333
fC33333
3333>fd333338
334C3
fC333?3
33fd3>fC333
fDFfC338
33>ffffc338
fff3333
33833
33338
3333333333338
4DF334DC33
333*C33
c33*C333
338?3
33338?383
F*F333383
"$c33333
"dc3333833
CjC338
CjC338
D*C33383
33333
3332*
C33333833?33
3333"
3333333
3334JC33333338?333
C3333333
C3333333
3333fc33333338
333333333333?
33333?
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
333DDD33333?
2C4"""D338
2$B""""C38
2""333:"C8
83338
2""#33:DC8
333338
33333
333333333333333
333333DDD3
:DC33:""$8
:"C333
$334B"$3
"DDB""$3
3:"""""
333333
333333333333333333
333333333333333333
333333333333
33333
334C33333338
33333
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
"C3338
:*3:"$3338
"C333
3333:"$3333338
33333
"C333333
33333:"$3333338
333333
"C333333
333333:"C3333338
3333333
#3333333
3333333:3333333383
333333333333333333
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
3333333
UUUUUUU
UUUUUUU
UUUUUUU
UUUUUUU
3333333
3333333
3333333
3333333
3333333
33333333
WRU9>:<~+(*
onn)+()_423
bbbB566
JJJ1333u)**
Gz||>
\[[qHHH>
7Project1
SqlExpr
8Registry
"RTLConsts
System
SysInit
KWindows
UTypes
^Classes
SysConst
3Messages
SysUtils
CVariants
$VarUtils
QTypInfo
sActiveX
IniFiles
"SqlConst
wDBConsts
DBConnAdmin
FComObj
qComConst
5MaskUtils
rSqlTimSt
_DateUtils
dFMTBcd
aDBCommon
~DBXpress
Outline
Consts
Forms
Printers
WWinSpool
+Graphics
CommCtrl
FlatSB
StdActns
Clipbrd
YStrUtils
*ShellAPI
&Controls
5Themes
nComCtrls
ComStrs
ExtActns
0Mapi
EActnList
vMenus
Contnrs
ImgList
dStdCtrls
Dialogs
ExtCtrls
IDlgs
3CommDlg
(ShlObj
RegStr
?WinInet
UrlMon
ExtDlgs
Buttons
CUxTheme
SyncObjs
RichEdit
ToolWin
ListActns
MultiMon
WinHelpViewer
RHelpIntfs
XGrids
Unit1
TForm1
Form1
Width
Height
Caption
0KJeutVldBm0IqiYC9TU6
Color
clBtnFace
Font.Charset
DEFAULT_CHARSET
Font.Color
clWindowText
Font.Height
Font.Name
MS Sans Serif
Font.Style
MainMenu1
OldCreateOrder
PixelsPerInch
TextHeight
TOutline
Outline1
Width
Height
ItemHeight
TabOrder
ItemSeparator
TOpenDialog
OpenDialog1
TMainMenu
MainMenu1
TPopupMenu
PopupMenu1
TSQLDataSet
SQLDataSet1
Params
ngJ-(b)C
;3zjW
BL91NO
wl|u,
).;W3
loUdx
o;FFm
]cevm
:M^>N
@OgT7_h
Oe5F~
zyV(za
rv&zPb
.VJ/"
k)4#(
?u6Qu
t9%OE
<xIPS
Qoe-8
xyn(k
n)'K
;;L>5gZ
2prQ*
6GT27
?BU'h
8=n{r8
<~z\!A
Hs*(_,,S
+Mm(I
o"c=qr
VfSKH
[SHU^
t0;8T
:0vm`
!_jaMLTh
R`*s<2$'
{Sfle
<f4\Z
f#E;1
{J],3
VRbIgk
B2eG.D]+ im
Uz&emX
g<j\T
|%Vqv
+'<a0&
WoY\Y:
{>'-*
l#*Y"P
^^.]G
;4RMQm
99CH'"l
7X}|L
5/V7|
e{=[`2
h?S>G
#01G\
*/AM3
UCgak
$Kq&7
Msh-%5
F'.cG
{Fpj.
0ABe7A
&oC>|
`q9uV
ZOo]b}
FJ#W,=
(v*J
$D#P9
xh~oM
>zL&g
4&\lcg.8Ctrb
's`[S
?|9j7
PPd-g(
C#a Qt7
OB1wD[
gjdy>
g$`Frr
f7++jz~t
>WJbsT
o"v>3
t9`Q]
Js^ncT
2}-Mg
1|a/r
znC[:)=
h47=M
9E8:_
?wJ0-B
L|g0v
uz+%W
Q,;c`
W~.-+
9\jx&3
[tW%=~
kfU$ew
ZY9gVgxD
)cmf"c
LR sI
B>Fmx
7B+{
@)p~T
g\dPwW
wii^<
Y^~PE
%G!l<
8&KOq
[%6;h
7%"c5
7B.t(
xr]Sc
:x|~Wc
iCRC2M
$=OtM?S
X+"Ju
q>ew]
/Yo(&
:P[w'/
"1>NP
hUbJ7=%9
fY8x]s;z
agIa*
GxlPr
RqC,4aX
$3^Zr^
@@M<8
+G.[K
oS`B
a}V;#
Y/sV(
inG%T
N9'~y
KV}&@
/za:@
j6IM%|
<~yfdU
oev53
d#WLeG
)/*^W
"[:\8
zCS:h
z]w(R
".QQDAd
U}c/p4
-YPKB
ocIdK
gBhz]
}?2O.
Jt()Y
62]OK
H`|!Y]
N64Y_
AV<#*
KwU(vAN
IWeUT;
&[O`k
SHT%$;
S'neV
sHGM.
Y>C%9]#
dy]4g
;Z{$Z
"GI=K
=tpWg
KsG$O
87cVE
B5'5c
OIaZq
]+nyk}=
El)HHR7
~>:RKVr
2fm*M
lIj7^
keP8]:
q82+lK
D^z>:
TmQM>\L
+Gn8j
,d7w[
&HTWY;
<br~k
9Jhz:
:?aQ]/
#6R?(g
F_O#o
G{A:" /
%jTG}wE
37DHX
hO}9!
S)i2>
ao=KS
^Cipn|
Jfq=k
uX?Oh>
`zx^7
%ys)W
,oZc>
eICw#
/{-Hb#=
nk\|8Q
+3{l:
,/>t8
mkH3<
Qf]DB
|01T7Pn
Txgl;
%U08N
P`V$N
&NvfIZ
l|f$TWD
+ysOb1r
8V<~`,
K7xsa5N
h(YZY
|gKKq
;ovew
oCPh]rWW;
@w$%Q
<&5 RXL
;X\)x
@f1A'u
)J,HN
7"X/1R
4^S?6
AK#aK"
+kn}&
(]+d
(++yc
]aMcB
2Ktpf.
/p~L2x
]ut=6
B1)MWr
hV4:L?
WE-i+34{
Wya"e
jT.q$
LT6VQ
<DDG+
nsVB?
C)c+!9
n*o#E
$VSLw
g;~n.!
'*g!TB
H|[Pi
2X2~O
$S$R'
3Apk/
m42FD
rL*VQ
/o0\A*R~
aD[K:
O'0+EOm
)m}S^LS?x
yev+$)
>&%q\<
u Jqq.Z
\uPNgyV
{D')^
8R&+=
@9bL5E
$}<4+
0y:z)
(By?|
T(9=o5
Ez%|_
cmLp?
YWLKG
-C&k/
UrhsF
0xc2&'8
2.4JD2PI
sa0,!*6l
B>jfy
B1*D{
v}"xj
&5FvH
x+ MC
H>zp:
L6*=R
p)q\-UY
o5A$W&
JITP*(
IltI/fl
pmyjm
Al/*W%
!58NS
TxN]f
vi`NV^
wWql<j
TCJl,
</2;V"?
Qu_?H
lVh8S
PitcHK
d8YYX
@Ji])
`t-6e
}Bg0I
l'm(3.
g^BRI5A
4&8Lz
Cu(Zw
QT8ab
:ZaCl<l
%O3\T
l`~DF
;3QZB
+3YSl
GDP;m
n`ZPA
*53vL
V4YXT
Y3YM!
RC7)y
4t.W)
,uMvG
7Q2Rj
5[)#w
}|#x#q
xn{5D
T,Aah
N`4E)"
D69u0
:1*.%l
`PI.0
iDnav.
X.:?%
!w1A^
y&?Mr
C!!f$
8[I*
8Aha>
vJ^q
KSA2]
+'vb#
*!6\V
p%!56Rw
l9RZi
4^cWl
VLN-[z
~R$I#VrTu^
w8zk?
gDI,gG.
w=yA-
+X&l
ta$Pm
t#IM9
GEhW%Qf
Xpn^+
lL7Ez
gc*JY
G}O/I
1[2CY)
]DM8:
qFo-P
r/oS\
b]m?A
p:ZZD
"-}SI
X|p)c
?0u#a+S
x*7"(z
z-2%V
"8}[{
?{q,F<9
kd05{
3eVL_
0CO5a
4.z`$
/<*6&LB,6
oubt:
0Ym'~
IB KlQ9
g%rq#
Tj($mUwbz
Vn<,I
"h"b#
gI]\W8sD^
)5zdj
9W1}S
@E>~$vV
eB8t6/
Ss`ZB
rfea;
P)"]c
?(i=*
ObAo9~}
!NHWj
Pl>Tav
y$U1N
/0|Tt
?"V^:
iKdwk
f3q\`<
xEW>5
k3b=T!
-BnJ_
tLmRuj
<4~qu
pVlD6
'xg*i
8^>.G
@5Cul7{T
7(]SS
x5Bkh`
-le[=
2j8&G3
H%T?r2
FmyB2Y
9hlEi
Gz:GW
I")S2
U\T9f
LVX#P~
~y+_M
Y[yM3
G&kqY
gs9C~
?OsEx
Dx?uU0
rbEwz
<;r.D
R73jXOnwR
ect[\
a{ymu
4V9Wf9v
Z|UIl
4m)4>
bR(&Z4
-#ysHB
2;\_Z9
G.Bot
m9[H%
v_o<$z
z,^9ntSE
O&E6$C
|%H/g
W[h\+
~;?lb
vPz8f
;[aE`
3+"N:
+ss1~Z
rjVYQ
+I^_u8
`'YRj|
nro?>^gGC
9`tTP
]-]=Q
X8s,!
1NkV$]$Z
H6"Smzd
vtjyD
g<PSwV
"X697
%MWe.I
Jn^c\
izX0Y
O+e]\
e*&:}#YS-t
})<Q)I(
3mU6P
0'";PE
}D0mT
BAkJ?:
VSnG'
|#EMn
KQShU
C\]{D
`I3-o
X&aTOZ
5s 4e
Ob>Cg2
3TcYiw
P4j5jo
4le )_B
"0)Iv
4obqd
{_wCE
m<-!/r
0%E)D
-68`-
]0DZXS
cM&[eq
{8}Y"
<5eF!Wtz
+v$B'p
Z"m[y
7s{T?
rgx;nS
U^w(b
Jxhbl
{TCspq
mt0'?
Kt,t!=8
r7.xSk2c}
22/=^
AJP}0
CTF>k
=m"p,
mgeE<
:DVN3
4TG0[
?a^~>U
Y`_,!
+EX_[
z7jhP'&
w/,Z9Eka
U;NBB
Fu^C
M N)H
i39}+
G\dCsfm
S}^qF
ve*6A([
Dql`E
pfEH}
#lF"=
|*Y{G3q
s<dw&l
&Ha:\'
X*|t9_
/0#*r
RA#cU
FGbTz
/R"fI
CaS~)
@kTX5
:B*H6X
*'1he
c8'xq
7\3^(
%Nq~~
1)tIf;
|sX,s{+u
nY$CB
&?L~,
:B1i0
Q7D=n
ky,#9;
3:K!I
]Y5<Q
/h%&A
m" y$O3r
g\q?i
<V4Z,
YW0pd
k)Z;`
6jlJ`(
]k\1;
Z6{i(.
:AXMM+qM
@B13H
/pV.E
E63K\
{1o4r[
<='\ qF[tj
{^'YM
@ls.~V
0-E'p
(yMAE
=+H& 1-ED<g
X5)zLo3
XpVN)
mrhI9
K"iTt
TW%kz
=Hy0g
f}nrKH
gbsiT
SB#ji'
IEz=Zm
nj9iFToLD
h`4o}C
PX&9+
nhfH]
;gqM-
)qQ-u,
>n!nk
]sj=_
!mzVc
Y"33b
4ar+E
WI,?6
f>W0CB
kEGK4a
2Ay>X$
hZmXw
mR77n
1'n!6
J<gy\
i |'3
,`,<V
$isFw
oj*zD
%iWQx
On\7}
~m](Z{
U4'Gt!
"uaw#w
d[8R-
#;!a8>
e|s$N
ETfp#
~[[#P
soa*
`M_`f6
#% k9
DChU+
?,;2>W
CoqX3
'dY4r_
-GzI(
f?2On
)nxthn
-/8qA
G}qTW0a
v2M~A
)A2gA
8FnoBL
3tu25
6sNy9
0Q2q<
&TQqZ-0
4ks#E$
>|&uH
*N[k+
d.[};
2P3s&
LLx,m
kDD3p
<zKk$aAY
'0;Sgg/
knk*t
N>'.aWRt
u/n,e;
~dgCP1<xP
g=j'_
GrQ44
0uwZ^
6z?X5
wd8D)
qd>= T
-1SX<
)NiSnB
7v|ZYrW
~EJ`,
;2L,U
k%D\j
B;|ib^
sPv[^
jen'?x
kc&f)
Aq$r++
@E-Io
D/P*D9bq
Gq{NW
D\+j9
eCE J
+~aYM
3&{CP)1
[yC"PGU
NsKj-W
MsY+7]%t
Wd[Ap
N_ Ia
NWQZC
4>/p?
VxTHy
Q6['2
_{6w|
2|4!-
HFob*s
83)e5
nb1_'!
"^$7O
gH0bl
v^N%`
@W,LI
.&.]c
\D9`.y2
xaJS%W
%SA,'
{WBtp
9-!4G
X,g'YWeR.
SE^w_3
"-2_S
DweV8=
I\RNtA\
3ro5-
eh{~S7$
n&44t
!K-'Tf
Avwg4T
c[kwDOPm+?7
CcV(X
&ipTr
ezN(m
k{p:
vT$+.ai_
6"#SE
nU~50Wg
GENE X
uj^kP
mSZSM
ITd(2
t?.r5G
7#h0S%
<Zbt%
; P^=A
d;4)}j
Xi=*$
j}@,c
gQ~_!r
P^wxi
vqj5H
1En2u
xB'<QW
X$3%.
@]6T.y
Xbh<
(~J[~5
\7.q0
]4!{8
2ax"g2r
SLh$-
Mk!s$
f\%b:
_;1hK
r$l,v
?wV-sy
g?1&Z
D/EmI
HtPAn
8(Z4Iw
_n3DM
*I6=yX
g*Wh>e\e
G{i d
6Y2>!3#
?{<\r
Ho[[s
9u0}!
PQ#qXJ
j:%tj6
nT\a;
ID?}&
w=^[wd
8Cr|0
u9tWW
hp!^"
2/6_a
@IB x-
`o1J-I
a]<Z{4
>8RN!k
n"3i.
|ki&X*-
71-.U
%"YYy
PYdds
~ai7Q
yH{A,
?FF4h[]
t^Wo{
J4lSK
v'g-h{m
znAnV
+,Icp
YdtkrW
J)gMf<
&>"/tA6
[6d,j
KKY|#
W9Mwwp
NDY,@r
m7mTAr
|o^]s
T>T[|
?=_]a
6GyntKs]
n*%|M
<yI>b
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
jjjjj
jjjjjj
ebutton
clock
combobox
explorerbar
header
listview
progress
rebar
scrollbar
startpanel
status
taskband
taskbar
toolbar
tooltip
trackbar
traynotify
treeview
window
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjj
jjjjjjjj
jjjjj
jjjjjjj
jjjjj
jjjjjjj
jjjjjjj
jjjjjj
jjjjj
jjjjjjjj
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBRETRY
BBYES
CLOSED
MINUS
PREVIEWGLYPH
DLGTEMPLATE
DVCLAL
PACKAGEINFO
TFORM1
MAINICON
MS Sans Serif
"dbExpress Error: Invalid Precision
dbExpress Error: Invalid Length4dbExpress Error: Invalid Transaction Isolation Level'dbExpress Error: Invalid Transaction ID)dbExpress Error: Duplicate Transaction [email protected] Error: Application is not licensed to use this feature1dbExpress Error: Local Transaction already active2dbExpress Error: Multiple Transactions not Enabled/Multiple Connections not supported by %s driver&Driver (%s) not found in Cfg file (%s),Object type name required as parameter value
Cannot create file %s
DLL/Shared Library Name not Set.Driver/Connection Registry File '%s' not found
Cursor not returned from Query
SQL Error: Error mapping failed*DBX Error: No Mapping for Error Code Found2dbExpress Error: Insufficient Memory for Operation#dbExpress Error: Invalid Field Type
dbExpress Error: Invalid Handle
dbExpress Error: Invalid Time(dbExpress Error: Operation Not Supported)dbExpress Error: Invalid Data Translation"dbExpress Error: Invalid Parameter.dbExpress Error: Parameter/Column out of Range"dbExpress Error: Parameter Not Set"dbExpress Error: Result set at EOF*dbExpress Error: Invalid Username/Password
3Cannot perform this operation on an open connection4Cannot perform this operation on a closed connection2SQLConnection property required for this operation
Connection name missing
No SQL statement available
No value for parameter '%s'+Missing query, table name or procedure name
Missing Database property
Missing DriverName property
Unable to execute Query
Table/Procedure not found&Unable to determine field names for %s
There is no active transaction
A transaction is already active
Unable to Load %s
Unable to Find Procedure %s
Execute not supported: %s1Operation not allowed on a unidirectional dataset
Unassigned variant value
Record not found!FileName property cannot be blank
BCD overflow
%s is not a valid BCD value
Invalid format type for BCD$Could not parse SQL TimeStamp string
Invalid SQL date/time values
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot connect to database '%s'*Cannot change connection on Active Monitor
1Field '%s' cannot be a calculated or lookup field
Duplicate index name '%s'
Index '%s' not found"Circular datalinks are not allowed/Lookup information for field '%s' is incomplete
DataSource cannot be changed0Cannot perform this operation on an open dataset"Dataset not in edit or insert mode1Cannot perform this operation on a closed dataset#Nested dataset must inherit from %s
False
Parameter '%s' not found
Unable to load bind parameters$Field '%s' is of an unsupported type
SQL not supported: %s
Field name missing
Duplicate field name '%s'
Field '%s' not found#Cannot access field '%s' as type %s
Invalid value for field '%s'E%g is not a valid value for field '%s'. The allowed range is %g to %gE%s is not a valid value for field '%s'. The allowed range is %s to %s0'%s' is not a valid integer value for field '%s'0'%s' is not a valid boolean value for field '%s'7'%s' is not a valid floating point value for field '%s'6Type mismatch for field '%s', expecting: %s actual: %s6Size mismatch for field '%s', expecting: %d actual: %d+Invalid variant type or size for field '%s'#Value of field '%s' is out of range
Field '%s' must have a value
Field '%s' has no dataset
Inactive Caption Text
Info Background
Info Text
Menu Background
Menu Text
Scroll Bar
3D Dark Shadow
3D Light
Window Background
Window Frame
Window Text
No help keyword specified.
Invalid field size
Invalid FieldKind Field '%s' is of an unknown type
Medium Gray
Active Border
Active Caption
Application Workspace
Background
Button Face
Button Highlight
Button Shadow
Button Text
Caption Text
Default
Gray Text
Highlight Background
Highlight Text
Inactive Border
Inactive Caption
Olive
Purple
Silver
Yellow
Fuchsia
White
Money Green
Sky Blue
Cream
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Docked control must have a name%Error removing control from dock tree
- Dock zone not found
- Dock zone has no control"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Black
Maroon
Green
Enter
Space
Right
Shift+
Ctrl+
Warning
Error
Information
Confirm
Cancel
&Help
&Abort
&Retry
&Ignore
N&o to All
Yes to &All
&Close
&Ignore
&Retry
Abort
Cannot drag a form
Outline index not found
Parent must be expanded
Invalid value for current item
Invalid input value7Invalid input value. Use escape key to abandon changes
Invalid outline index
Invalid selection
File load error
Line too long
Maximum outline depth exceeded
!Control '%s' has no parent window
Cannot hide an MDI Child Form)Cannot change Visible in OnShow or OnHide"Cannot make a visible window modal
Menu index out of range
Menu inserted twice
Sub-menu is not in menu
Not enough timers [email protected] cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
Cancel
&Help
Stream write error
Bitmap image is not valid
Icon image is not valid
Metafile is not valid!Cannot change the size of an icon
Unsupported clipboard format
Out of system resources
Canvas does not allow drawing
Invalid image size
Invalid ImageList
Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context
Error creating window class+Cannot focus a disabled or invisible window
Invalid property value
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
Error reading %s%s%s: %s
Stream read error
Property is read-only
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list Too many rows or columns deleted$%s not in a class registration group
Property %s does not exist
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s1Fixed column count must be less than column count+Fixed row count must be less than row count
Cannot open file "%s". %s
Grid too large for operation
Grid index out of range
Invalid stream format$''%s'' is not a valid component name
Invalid property value
Invalid property element: %s
Invalid property path
Invalid property type: %s
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
January
February
March
April
August
September
October
November
December
?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
A call to an OS function failed/Application is not licensed to use this feature
/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Variant overflow
Invalid argument
Invalid variant type
Operation not supported
Unexpected variant error
External exception %x
Assertion failed
Interface not supported
Exception in safecall method
%s (%s, line %d)
Abstract Error
(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Write
Format string too long$Error creating variant or safe array)Variant or safe array index out of bounds
Variant or safe array is locked
Invalid variant type conversion
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range
Invalid numeric input
Division by zero
Range check error
Integer overflow Invalid floating point operation
Floating point division by zero
Floating point overflow
Floating point underflow
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Access violation
Stack overflow
Control-C hit
Privileged instruction
Operation aborted
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp
Invalid argument to time encode
Invalid argument to date encode
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full

Full Results

Engine Signature Engine Signature Engine Signature
Bkav W32.AIDetectVM.malware2 MicroWorld-eScan Trojan.Delf.FareIt.Gen.4 FireEye Generic.mg.7e68ae591116e242
CAT-QuickHeal Clean Qihoo-360 HEUR/QVM05.1.40EA.Malware.Gen McAfee Clean
Cylance Clean VIPRE Clean Sangfor Clean
K7AntiVirus Clean BitDefender Trojan.Delf.FareIt.Gen.4 K7GW Clean
Cybereason malicious.e304f1 TrendMicro Clean BitDefenderTheta Gen:[email protected]!sni
F-Prot Clean Symantec Clean ESET-NOD32 a variant of Win32/GenKryptik.ENJN
Baidu Clean APEX Malicious Avast Clean
ClamAV Clean GData Trojan.Delf.FareIt.Gen.4 Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Clean NANO-Antivirus Clean ViRobot Clean
AegisLab Clean Tencent Clean Ad-Aware Trojan.Delf.FareIt.Gen.4
Sophos Clean Comodo Clean F-Secure Clean
DrWeb Clean Zillya Clean Invincea heuristic
Trapmine Clean CMC Clean Emsisoft Trojan.Delf.FareIt.Gen.4 (B)
Ikarus Win32.Outbreak Cyren Clean Jiangmin Clean
Webroot Clean Avira Clean MAX malware (ai score=87)
Antiy-AVL Clean Kingsoft Clean Endgame malicious (high confidence)
Arcabit Trojan.Delf.FareIt.Gen.4 SUPERAntiSpyware Clean AhnLab-V3 Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean Microsoft Trojan:Win32/Wacatac.C!ml
Cynet Clean TotalDefense Clean Acronis suspicious
VBA32 BScope.TrojanSpy.Swotter ALYac Trojan.Delf.FareIt.Gen.4 TACHYON Clean
Malwarebytes Clean Panda Clean Zoner Clean
TrendMicro-HouseCall Clean Rising [email protected] (RDML:e6mqPHHTUk+Hod6fOLoFEQ) Yandex Clean
SentinelOne Clean eGambit Unsafe.AI_Score_99% Fortinet W32/Injector.EEHO!tr
AVG Clean Paloalto generic.ml CrowdStrike win/malicious_confidence_70% (D)
MaxSecure Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 51.145.123.29 [VT] United Kingdom
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.8 49173 13.107.42.23 443
192.168.1.8 49175 13.107.42.23 443
192.168.1.8 50202 13.88.28.53 21190
192.168.1.8 13690 13.88.28.53 59137
192.168.1.8 49189 13.88.28.53 443
192.168.1.8 49192 93.184.220.29 80

UDP

Source Source Port Destination Destination Port
192.168.1.8 49744 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 13:55:51.186 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:55:51.519 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:55:51.610 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:55:51.669 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:55:51.669 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 13:55:51.393 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:55:51.641 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:55:51.719 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:55:51.729 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:55:51.754 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:56:29.559 192.168.1.8 [VT] 49189 13.88.28.53 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-30 13:56:31.393 192.168.1.8 [VT] 49191 67.27.153.254 [VT] 80 200 ctldl.windowsupdate.com [VT] /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0d23747eb5b0cb5e application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-30 13:56:32.103 192.168.1.8 [VT] 49192 93.184.220.29 [VT] 80 200 ocsp.digicert.com [VT] /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.8 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49189 13.88.28.53 443 d124ae14809abde3528a479fe01a12bd unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name svchost.exe
PID 588
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 fd54122244783010b9ec6570d8bc490b
SHA1 e3012d1dd879cdfcc271a7336ec693a95a341fdc
SHA256 6b49dcd2d6b4681dd29054e7c5728554e06c65cedb2555b89c72ec5b649251d8
CRC32 4BCF1305
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojvPKW9C5bW:bWkX7q+f5TYvVeZMmn+0C4xZEbvKvPK
Dump Filename 6b49dcd2d6b4681dd29054e7c5728554e06c65cedb2555b89c72ec5b649251d8
Download Download Zip

BinGraph Download graph

Process Name services.exe
PID 472
Dump Size 327680 bytes
Module Path C:\Windows\sysnative\services.exe
Type PE image: 64-bit executable
PE timestamp 2015-04-13 02:02:59
MD5 4ec1ba36f4e6d19a146cc32302980ca4
SHA1 f6696dcc9af133e06398f8866d69a0bb82f236db
SHA256 a7be326e9f34b2cd79810023029d5ececbac48ca9ff4355a3fe0ffea2c49db32
CRC32 810359A7
Ssdeep 6144:HX+dGqMuImU4Zkt8kjM7vFLFb/2JBH4EtLcN8ZE21uqw3LIMm:HX+dGluImU4s8m/zMJI
Dump Filename a7be326e9f34b2cd79810023029d5ececbac48ca9ff4355a3fe0ffea2c49db32
Download Download Zip

BinGraph Download graph