1.4
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.88
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Stihat [Wrm] | 20191125 | 18.4.3895.0 |
| Baidu | Win32.Virus.Lamer.e | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20191125 | 2013.8.14.323 |
| McAfee | W32/Autorun.worm.aao | 20191125 | 6.0.6.653 |
| Tencent | Virus.Win32.Lamer.cb | 20191125 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(5 个事件)
| section | CODE |
| section | DATA |
| section | BSS |
| section | .aspack |
| section | .adata |
动态指标
在 PE 资源中识别到外语
(2 个事件)
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_TRADITIONAL | offset | 0x000752ec | size | 0x00001ca8 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_TRADITIONAL | offset | 0x000752d8 | size | 0x00000014 | ||||||||||||||||||
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(4 个事件)
| section | {'name': 'CODE', 'virtual_address': '0x00001000', 'virtual_size': '0x0005c000', 'size_of_data': '0x00026800', 'entropy': 7.998727554432647} | entropy | 7.998727554432647 | description | 发现高熵的节 | |||||||||
| section | {'name': 'DATA', 'virtual_address': '0x0005d000', 'virtual_size': '0x00002000', 'size_of_data': '0x00000a00', 'entropy': 7.101797874285142} | entropy | 7.101797874285142 | description | 发现高熵的节 | |||||||||
| section | {'name': '.idata', 'virtual_address': '0x00060000', 'virtual_size': '0x00003000', 'size_of_data': '0x00000e00', 'entropy': 7.861207490320903} | entropy | 7.861207490320903 | description | 发现高熵的节 | |||||||||
| entropy | 0.8839779005524862 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 62 个反病毒引擎识别为恶意
(50 out of 62 个事件)
| ALYac | Trojan.GenericKD.30594223 |
| APEX | Malicious |
| AVG | Win32:Stihat [Wrm] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.30594223 |
| AhnLab-V3 | Trojan/Win32.Mepaow.R9232 |
| Arcabit | Trojan.Generic.D1D2D4AF |
| Avast | Win32:Stihat [Wrm] |
| Avira | BDS/Backdoor.Gen2 |
| Baidu | Win32.Virus.Lamer.e |
| BitDefender | Trojan.GenericKD.30594223 |
| BitDefenderTheta | AI:FileInfector.2CB3E42F0E |
| Bkav | W32.HelpMe.PE |
| CAT-QuickHeal | Trojan.Agent |
| CMC | Virus.Win32.Lamer!O |
| ClamAV | Win.Malware.Mepaow-6725391-0 |
| Comodo | TrojWare.Win32.Trojan.Mepaow.hwl0@1c5hff |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.175d42 |
| Cylance | Unsafe |
| Cyren | W32/Spybot.RGMP-5580 |
| DrWeb | Win32.HLLP.Stone.1 |
| ESET-NOD32 | Win32/AutoRun.Stihat.A |
| Emsisoft | Trojan.GenericKD.30594223 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Spybot.QYJ |
| F-Secure | Backdoor.BDS/Backdoor.Gen2 |
| FireEye | Generic.mg.629021f175d42864 |
| Fortinet | W32/GenericKD.4223!tr |
| GData | Trojan.GenericKD.30594223 |
| Ikarus | Trojan.Win32.Mepaow |
| Invincea | heuristic |
| Jiangmin | Trojan/Mepaow.d |
| K7AntiVirus | Trojan ( 000fa6611 ) |
| K7GW | Trojan ( 000fa6611 ) |
| Kaspersky | Virus.Win32.Lamer.cb |
| MAX | malware (ai score=85) |
| Malwarebytes | Worm.AutoRun |
| MaxSecure | Virus.Win32.Lamer.CB |
| McAfee | W32/Autorun.worm.aao |
| McAfee-GW-Edition | BehavesLike.Win32.Autorun.fc |
| MicroWorld-eScan | Trojan.GenericKD.30594223 |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Virus.Win32.Mepaow.btvwx |
| Panda | Generic Malware |
| Qihoo-360 | Worm.Win32.Delf.A |
| Rising | Virus.Autorun!1.9B5D (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Silly |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/AutoRun-AQR |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
67533f79a87f4ce08c671dedbb7cb801
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE | 0x00001000 | 0x0005c000 | 0x00026800 | 7.998727554432647 |
| DATA | 0x0005d000 | 0x00002000 | 0x00000a00 | 7.101797874285142 |
| BSS | 0x0005f000 | 0x00001000 | 0x00000000 | 0.0 |
| .idata | 0x00060000 | 0x00003000 | 0x00000e00 | 7.861207490320903 |
| .tls | 0x00063000 | 0x00001000 | 0x00000000 | 0.0 |
| .rdata | 0x00064000 | 0x00001000 | 0x00000200 | 0.2069200177871819 |
| .reloc | 0x00065000 | 0x00007000 | 0x00000000 | 0.0 |
| .rsrc | 0x0006c000 | 0x00008000 | 0x00002200 | 6.694039685873937 |
| .aspack | 0x00074000 | 0x00003000 | 0x00003000 | 4.9267165365233065 |
| .adata | 0x00077000 | 0x00001000 | 0x00000000 | 0.0 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_CURSOR | 0x0006d214 | 0x00000134 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_BITMAP | 0x0006e57c | 0x000000e8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x000752ec | 0x00001ca8 | LANG_CHINESE | SUBLANG_CHINESE_TRADITIONAL | None |
| RT_DIALOG | 0x0007030c | 0x00000052 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_STRING | 0x00072950 | 0x000002d8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x00072edc | 0x000001c0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x00072edc | 0x000001c0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x00072edc | 0x000001c0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_CURSOR | 0x00073114 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x000752d8 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_TRADITIONAL | None |
Imports
Library user32.dll:
• 0x475175 GetKeyboardType
Library advapi32.dll:
• 0x47517d RegQueryValueExA
Library oleaut32.dll:
• 0x475185 SysFreeString
Library advapi32.dll:
• 0x47518d RegSetValueExA
Library version.dll:
• 0x475195 VerQueryValueA
Library gdi32.dll:
• 0x47519d UnrealizeObject
Library user32.dll:
• 0x4751a5 CreateWindowExA
Library oleaut32.dll:
• 0x4751ad SafeArrayPtrOfIndex
Library ole32.dll:
• 0x4751b5 OleUninitialize
Library oleaut32.dll:
• 0x4751bd GetErrorInfo
Library comctl32.dll:
• 0x4751c5 ImageList_SetIconSize
Library shell32.dll:
• 0x4751cd SHGetSpecialFolderLocation
Library advapi32.dll:
• 0x4751d5 SetSecurityInfo
L!This program must be run under Win32
.idata
.rdata
.reloc
.aspack
.adata
4O=?rNNN
U X/ky"K@Z
1HA2Y,6
y<o|o_MA"[
Ot("*,{2.E
mfYw2=O
1~h0Zc;
a@V*>k
=Zo+03$
tQGWPZg
`:@GK%
>$#'!ql"uFa8
dZO]ynT
H.nD29J
{a?7B[!
)Jds#U'w'
A$FDL"
:w`A80
SHCA}vJ)$w
s(n^wP{l,t<p}>
waQ fyN:K[0
]DAgt<<
>7b{Kcdt]
H (rEf@s jI2:>%s
P4I4~r
JK;jo12
B=KVJ)
2-%DJcuK4Ub8
TN%:N^
;3=MKj4
NC94|6
8I:='bRe"
:dOXHXB
`#IJv'S
$DI}=E?}3+D
;YS:H6a^M*=p
SKBi:xP
Hn/DRJ|H
eSb>]"eN
{%,Z~Z
Wvq`?>X
-#d3A.;
A%]@#.
`T.8]c?G
ik[l`<
m?C/m/
rs',F[Wn
G&)G[eGA
M8i-Re4D$h]
k6z)i#
]Y+|E-.z`!_V3
\Jc<cDh
O[e$&&/O
U~|!,vn;V%r@,'.Vp8
?(DU-!e\q2
(=eYZ[ZB-
M==/m)y
5!au|j9
gTO9L4^99[
+D;wa-
SVSV9I
~YJDBx 0
Q}(<Pn
0m,@s "k
1,ze9s
mZC9m:B6O
EZP+YDr^=@{E A
HsOs7hV
FmHxd}V@B
On ZYII#_+r
@O1DwRD1
|[B :6
ckXP.
`kNWr|e
<eo1E*A
V=RRndqB_Xt
(B'p$a
3"2p H{Z
[f86Rgo
4uBvScR-r
.;qEk\ 5
.6>9bUA
^?wTgN]
+yHC{5M
y\>-rA;j
7EG1j\9.9b#Nsw39*V6
4bW3TV^d]:"A
,L<TZA"P
Rb\:DCyB
'SmoP!{s Z8IPOQ2Tm>;ZDWa\
=Py\\d>H{
N]fX>c{4
:b)EVjT-
\YF.F7
h=]0a}scI+
y#>I~'
3N1]{.x5|
:!T$J%[dH
vmTK'r
=E^tYmkoKT<KCBs
*]AQ/%
axeR8a-OU*?8
.5{n~^N
hp^j]}5X z
4E{) P!N
Ma[bhe5~Wj
1ZiZ6a=p}z
%NU 3Ts_#K_QppB
p|<z FiQ
+8C!e)TB
\&l;My$Y\&|
_E@:=j
Adx%_g/5OYz?
CIxeYk3vW,#c
an5$bRZ-so(a,EYO.P
)v4Xj9
@'MZ7 ]\LapBt8f%9}
fIZlMK
6q4'qK
eEh HK#+N.5 Jh
P@YW5Wf|~m
&!)B7I
}rB8g'
68W8@:f
R$Z~[Z
v* ).$<.uW
!Y#*\W*Q
d; ,>[
A[hzc2s
A^DbCi
go3Pt_#\}
]10eRn.PG?
s.#2!H?
GIp%l@2
nrNHon~
$U,OQ4
jCj;G_5
g<ZisO!
NA.K`4N2
eWQv*UMiI\
?SO^nV$
U:A|<r@%#lNt
t`L=~\s`
OkZ&TP$v!U/>
Ns>j 7
n=^"BM,&(
PIvE%d5Oa
o2O0II
rsGx$!iW__NqmE??fU{,S
8sEY$?B;g
mS7 W+[uqDg-*i>Jh
oZ\zjo@QhT02;3,
@@Gm i
lp?PAC
Y"Z,{\4N7Y
B8ZVcu4$ztkq^H^A
|i0z=IT
90Naqom7svIh5lW
cqgrLG7F
+iX|bn
vpT8aq
0[YRa${3A
H+Wn^mG$6
Hk88@tSETD
@tN4"m
__MXwK
|b6`V^I
gq=l"$<'
E3h!3KP
8KGs\~z
u}~)Qt2
XR CH/Zz9"
&1H&Wlv
68%Hnu'y
_zJ^$H
ln5z7]
3,H-T,#RB`E|']
J1MB:~i
Zb|La#u
`_H?1BK
x`K7Krx`
f ipDJ
4c9dhr<6OtQ'I-
GIC{M5m(
Q"NM$L8fo
J[SS>M
!gMEwn7Y$|l
d>tD^
dYF($;tlM3
n3n]F_V
OUpTvDEDbM
QNBF8pL#jS=
dLp&c?NXdj`{Jr|i>
R=MW%eV`m
8F?_67
f"Egjtq2h[
LXlbh7
f%~q4~U=ibCW$y',0A
@!!!lQ+
ox`D]clc
j6m,X
^F|ic D&y3C
c3;L]x`U
>B$=J'
8[Rg~2%
U7vb9/r>
``n>SM
,d/^#3v:x
mUISA
tqIbD!
*fo6&b
e!T[ml
.P0%"-
fR3jww*z
3[4apE
t>_L^H4`nE'x,Y
%b0-4<-[}
#YS Ru
+ kF.#
O^64o
qw_))dN(}m=X
ThW.1.a
Gms]U+
IHr)W4
SV^]B8[t2L 0<
P2TQJ#Y
{))gqS-
ZIQUtWT;>
t)25Oh7=o
w)qowP
m"y9:Dad
tbg!F6
{ 2*S>>
}0eD&<hBXUY
%KnUjt
><p5vk54^ #
^S%4d)
a]xvx?yO
d%<+?$
!JW;4<r
)OO/4I
]Ic9#k9YtB-q(\Y
)*4p2e
+I'`R=
%>-9o*6J9l
Gv"f`%CU&qY
Vn0ce+ W
Zq >nQ
NV|J^9v
5Os5zm(;,S
)lq,V_s
3{x(Ak5
q+OboEo
Aw7\B6i;
7"O#e}"+e"!
mUEjn
A1#Jbg"3
MTqfZhZ:<O
<1v"pWFe
py~Ep=O rxKsEM,
( lq]:
MA&A(A*@=
k)jp 8N
%`<.(aEW.
w|.W\X"r
Tay$/it*
-N,E-Z}@0
5wOWe"LZY]\b
)4<POX U5r
b(&D+,,[bav}zH
k_cIpR
*8v/!=S
! 1B\},wYP-
qvO!j2
a^,Zr@LQC}O0Si
l?o513\
K{Z,6
*M\Z]8=1
2!j2pD6#
b\,dvjKlU~<W\j+]34
%ZZ_b]\j
C6&OEXjA2G
e&FOZWEjm
,zhDbSe&
}7{]b8e
2]B#yk? YUE
Rc#mk-
fm[jJm
ufkiAW'[sy
*Os'Y.;AI
Q r78a
&8FJj'FK0.~:b%]J:bDH^u:m
h}%9998I9
:fj7lWhGf)HE{y,,B3Zuh
8qd(iX}:~zYS
uD\!Gy
$'O3 |!F0
YwS*"JQl
wheJbLz>t
KWs`VWu
ZlhNG]O
o>I"CT[yb(
1[1-z97$V w@f&v
brW#~H
$Qn.wO1Q|
),G$8b
Q gnV
Dr|l+
?9C%KY
Ox=j\Y<C>=<
iBwD0au$_h_RO7i7
,/=lc}
7l=Hvp
D-0Qm#;uLF
;*5iB;
F+h~3G'&
Rvxhhy
z=w>,3
|t?hx[
9Bu{92O
{.`)6'
ao_fSq{
{foL1]b"_WW}#nqDodD!C
&NLk;(\[DLQSExx7"v@ op
:K8CA~V~
k5jK;
S- R6_dY~
G^PZn^%
56C_cG
7oj>\cb
fj%%RT
/.Z9QX
4g,fywq
9K*)\t9@
ytI{C$
!]Qssq
d"q=-/:1
vB,rsQkq
sq2q`c]>
]De1_]==
&Pa,$-
OBCePb
t,K`RH}
^dRi!C$}?5`iW
=`A"}myH
"/ t9g5x
d\.dBL2
v2lV)B6$5
?dry~<
Wp(yLQm
"Z/6(i5
u19D7g
F\+q2J5
j""|;7Hxs
Lxpf25
=S-y 5b9c|[m\sG
N+*ZM]
kW<U%fM{E
dIV(Zx
J@z^q"a*|
W,S)7W
:/RrM=:_
)Lh297#ny
_.%EIF
ZZZUw74(
z55w.&OLS`)]
:p[<6~H
:Sg7sE2*=yI
o"2n0Fk
-U,tM$,aNY0U[
Hwj*f3ae
2kys25s!
@G(Owa3)Q
Ek!rMPQTM
A<!devR-G8BW9
Y$Cz %FY
y74!@M
~14q9c
EmkYxTVyuci
LV2ndF7
,fb[;S?
4}rdF=0
8*`[,U=ZEn(
c;:my}
m 9KUF
i[W*?J+
k174_h
F8,W?a/M(fk
nDw">87F
?&iU!r+f
%XlD.hU
~ev.p{uv
70d VoV7
j6)s5#Jd6
:p0MYc
$E^4vonV}V
%#3" 1
v(zkq=e
=!{.|Fo7&t3+
>$_U2gwi\U\rd
9Fnsb<39
J"8<dH(*=3o
%{Q6 l4
GazGrd
:{F3
u{{ykR"
<Zr,tn
yA&mV%
)(&yd*GW4
?J</p|
\VL^`u
o-JF:42
`2lwbu>
!gQjkP*
bY32Gi
I3|^dQf<Af:}
S.NU]K
t;&hjeZm-Z2'
:?E_ M"
|kR2R/
R&ihFF
WfaCYGl"X
g={nK%
G3bt;&
ljPO8F
FSlL@f
;hQ>;,~PwY!h
aJ^L@B}l
bcT}_6`p
?L)#9o
`"@4,W
d'U&B|~
'2*_W2FG
!]21=W@
b[n8Jo
8L#s\~L#$
WvT#xe!=t
1Dbe&'O
gc!O`PY"vN4' -
}u"04
T)ag)JAHm6#._$
K48;W,LAX!
6'xW +,!D_{]
8lLFtj#{]t
H$9<OI(
!PcmAe0L}
~'q38;
G`Lo1E!<
d;ouemm
2:6I.=
QIqGPE#?Wn>F[
Y >'d20D
wJ~p[KpjX(
,M1<@z5q
(f)5SM@
F2HpmK
sb XORB^
m'9o%ry
|3|.nez]
]S,|2Jqb_{f
u4PKT
5T}N_u
At=*}0.
> $)5#\{
?'W+)b|A[@f>}7
r\'JpPE
KI^J`2K!ue
}|^9pUi
nEJS3tas
<2]w!Hg6
nch;?"CF
GG/<J9
^ c"gEQf|
IC;P\;S
0QBBSQV54)
=];+I3_D
_xlk0V%r
.dUIB?n'4 D
6w8F,`cj
Ys+4RC
jAjLPjZR:
5I*ot05
c*ruOE
y X<bb
g8cTST`
7z@$`/
Le!E,k&]?[u-}:v
CSVP(:
Y;tje;=[bh
/;pJT;,+
"@*i6UD6z
JNtiqf^
h;-E,)
5xqj%N
'Ku/?]
nf|l`A/a71?
PWTVS!
uoB~`j
H|M\ze
xQIdL '
\2/Lta{`
Pc3.Ln6'
Q5s,\n>
zl87`v
4zt94I
P V>@l
/%E6 15
VF, qwty
nIg^Ne
V!_UM4W8n7y
*$?#RrugS
g`ytln'/+<
H5!I2g
=hyxpKJ
g3-cBEq]
4z)_i9
!b/RJK*Q\
%JO>zm>S\ebe
5e6lYe
$g5sL8P4&Ji!+aj
ILqh"$
%8>]cT4%Xm`|oLnW.S
6pc _b^
}/Kk|&9i
/f/KzxN
p8XOr>
>6jY)RB1!#}
=TK~4Ff$%$WR]*dK5*
<3[4\pm]C
3Vwj0%{
5/+!e7N
ij(VFn
f1hNJb8/
fbIC.C-`
v<5X^pFG
m3tZ.@
:I^58kE|
E.V/r*
K%=2cAf:x
O-WQj^#@S
3KP2~%
32'Iqvz K%
T$x;OS
6~b5U2
==V.OrE
D,C*n59$>M
v.8xR>
C"7f$%j
nWA5vuFq'V
<e_`)4cvzn
<I-B"l
.&Fu-VE".$jY
IQt~}c
g3TmJ|~7
W"nd2x{
q4QJn"h\sj(N
>eB7EycYh
\52Jy(
o%|]=cV4\hF~N
RaC*LUPn1&xI
|@XRj6
@hf0kWp
^#~xS^
%Ef@H'<
x5G\K,wcb
B,E@vSv
]qa~ _z
Bbb/d]{
i|Tw.Lj.-
,.4@%>/h-7:
S<G;$_3Vio=
;(CQXP
`@Fx#R
#^5A2"hp
-`^>t*0
e}Zb^+}*DX2Ue|3^n
s=6xUP
zs{"kt'fOn?Dn@
*l5Ny<){q[2
bf_w~Rl
Z}b8-[WE
v-Unm+IAW
6/L(/Bc
Es!W2O^*s^[cL
[lWVnj_ec<
IyhN~/?
XEh9JB
To/^m;S)&CKF[
,[i#%#VVZJ
3Z}F^ }
\o.(^-
Gvu:DTSJZ
~gQA'#
&.iOk9jo;hXt6!
G}C#ME
Br<j&8B
]3rOn3
%{3^2?
-"k%B$
K6,};[
1`!&M&Pj
j+o|F_MV
g+twpIC?
.gNXp$?R
{>Dh[Hf
lr<A6,7
|nErD"83pG0{vy
$@JRS#5W
z_%a%y
U{|+y%
8m?m ,\
g<L}$K^!/y#XwP[
r70<xV
S@$Ez\sD?
7s/1{uve5o`%gN
=?FHMQ(~q
bH8r7pl
(44|E+2|Wd
d]7sdU
{av=9~#
h\eV6)U+
:N0j^K
1Jl.ys
\0s8+]5eD
?QMevJ
s#zQH5va 0y'N
\>PTyG, CckE
EM]MQ8L5N+:dv
R;yBhI
M};8"zo>=0
r9OnGI0
BV'Jtj
(bQ,o40Z=
9~;:2p;
*hw{?lUvUq% ?
_ x#Q6GN
lc0l[$
sL]ck,
kz*jT]g
bPzE\|VX
AG# `<
mU_ \<tY:
.$/"wFH#zI&
Ir-.!~
RnUCfF:,5tWG
IU:=.ml
]P@{P%
@IlMrjkA
1l)mpeN1
vBwa"bjEQ
bC@"h@
*8+8[D bL
%oq@Fr<,'\
0Xkb&1kqZN
ERcz~-
238h!zVE}Y_
.<R733
8\IXpi
AM5,\=J A
lov??Lx&
,@WMq%Pq nYm
d3QZX-dF
2TSDC.?O]\
sW v6cv:H
5!V5YY1/5
-8!=|7:xWVK
*WJGM*w7
<e@H-\
5@^Y^Q
gWGrve/
=qsyO8Mt`
S~P" /Xl
=H*NU/
~J&,?JF=g8
D]0j=b64 gWMt
H>pi\6
"X5%zR
zRXblY
6PD-<O
ywQ_;6
W,:8}r
v5xGk>d
Tpk02q\d-
[>-f5N+
,=Tj@[
Z*_q&W9
D-?!n!edY;)cuJ}E|]
F```q.+
Y79(F3Sy
!ky6R<
/f&nn)
J,=l4.
skN8&@0dBHsC
QYI ~a^?g
Cm|D^F
SYpcWI3
46/4!(
##"g:}g+;r
p#iXPHef
Q,?&(,
[6Z\Kq?
J,j4tkeh'\
27i<*1
u<h?,w
#`*yQt>D
%G>f*w
zyhmcg
4TYm9g
=F9Fxy9
9~DN@*7k
2UlXO_m/GiK0}g
"-Ri_J{~v/5pSCm
~qBOHy
y6n8t*tQ
v0)! Dhp
?W)rMt
Ptr>On
K*xM^u
smey:|7>
25\7<z
^t}/@\
7'b%"h
571p`1wt
o~8&"&
z3*_cN
IBg+h7jVM/]#!
|St`uH26%$B
`Z50G4!)
HB8[A(T
:p(#})
aMX*SS
nKzr23
:X=:p>j
1kELc%b
}oxVzB:A>
8R~-efhy)
pZZnSo7$
nCw|U
[}p8wFb
&<Zb"4
HGC;]l
S-GC<L
2:g|,}
\x?GG`2o
15C>2t^I
;vut9"l<~am<
gvok-yT-@x>
$,yw SW/R/E
m(^QKj~F&2}FZd'
>PUZ^H/
hEN_=mP8@B
W(TJ#RI
vL6>`M v^%M\E=C ]
Ed(nKOjvr)g
URC-!J
E"-i1+`Khl6n3K
]OC#O$'
i=J61=
*Z2(HuW
x%nvA;SEW
\7w\!m
s7OSIbp
dEg"\DVv+
v5jL"^[n
:MD2U]u
A62W/R
wC(#Ge%W
ID-!a~:q
k3JhuTu:
m~5Do`0JZCt
+JSysM"\-9w(>:l
>_UTLVW
J*U)Ik8T
kYb&g92n
& Oa LE
m%rc`Q0
XL\g,Ve)
=N<nLP^>"-
n\tX@k
z!LG9U
Sk68R#vZ(s
RbbGY>
ZI4f,Z
d="-8],(7
?8\/XwrZX\
B|j,b<
rzAoAMn=7$Y
r5RP7%B5
pv C{pAgP 8D'FMT
~Dk4v]9
-HEux)S29
/d{A-&
kEWoN4
$E`pQ:
i%T.N)`JFmO6
o!` ~vo
@m%8t
5To.e_7
ro{LIG
NNK)CZ
-nJZ/aI
.,1IFoQ]7
[r:;"1j,s
"\'15.xz
S}M> `
~j/J<1&FYwdBE5l`bmx_/N
CNLN$R7wdl
d}w5\}
Z N!j/Q<qi<'
aDLL7WI
zc'ttB^H LHRtfP*
_1mnP7
j2X%RN)
dAtsd[o
Arm&xF
T*/;@Ew
<U%ONnY`x0
G5c|Tp=
A:%L`@l:
rpKO1d:~+ F ~)-1Vx5V
VUVh.f7
3T_89]GiX
6*^|% 7
_4\PN<^<B
QNgE@(_fx(5
xRxrJ/a
2]D*ZW&Fsvlq
>/e!g1>]
fbAk~nSXTWft855j
;F 7{iY_v
`u<,pJhkcyX
[/"k"'?
lewziF9L!?g
aTu1[^BtXj
6y"Am'
zQN'5bX8
h-xgBG
^jQB12
de:pbQz
6hweJxNiB?7[*
`,D8F/
?USr$Bn\q5
"?- t$4
:^%8]nc
Oa"O)(ps
6VRw/8pR<Q
9>zU=i<
tWT"j\,-
dU6(zD
H*uDgKA):U
zp!rvu
Sv(VK^H@xm
~5ukBQgb
~ZuZ*3
-&b50[x\
khyAR5
xnLl }?
iapt-t
GVmr4&gXAe#D}
<o0_E4Vz;dC
/>PZ#m
tMGB[a
5s#WySpA! k+F1a
)O{1yY
!:Q1-w
}J9RD69
Qi}fGQYD
\!!9.~u6>1!F
]q]wr7-Tu
5hz5p~O
=o$Pk*3$l<&bO
Yw.uyY
LS'p$kqK`
boFWm*]y
L{V5?}
=1??`gN4
Yj'V`9:
(&+`]R|
mDVbn@-2
*g7[dpA
eu]B=G
`GB12ug2'HN
=!2d;)ss5R
=oM`HT[F
pI$.>8n
[S\[X:M3
~-&:X=P]T
Wd%S[B
AU;!|S
L?nCLeGZ
3 ]2I3mg?
!*U/SP#
M<23l ]b9
\wb17G
c#uU0<
H_%#$<u(o
wu#R;';P!
;d#0VSd
_|jeY:H
calv$l
K1d\6V
1;X&qf
1r{<<[&Rf@
mZL4/o
3.}yj#8z%
%\>&#[ON
uc3{(i!["(pix6
6`Cc@Y
M=B}@}:
C2 #@/
;!%y6D5TUG
*GZ`{8z
c`;X=+
AoXt=no[G
Nf;H+\
h|vjqU_
0}Vj8E$mrAl~e[R
lRF8<
,z6-Q}
U 'wK>
Fo<J!6O
w+UE`FA
?UQ&v^
x8U"Cn*|Qw[p6b
&%'T/q
Hh|kWx
E:{Pz#
+*6J[F4t_=/%2g
R}^>l:DIUCpwFus
y2?@AX
k>^ 6;
-^?#Tng
u/(o+u R
IVHxTU
B{r[g^
s[z;cb
A{k2F <
UJ?!S)b
i_~unjy56bGt2.
k2~nVbFt3tTv^B
bm.6xj
\y;CO qsK
mWN?.N
(9qD>q
gM@XH?
}x}:"&
-.8.`(
%d!JF!]?
>Orr]Iq
WoH'4
G`;$#6{Z
Zm>[Q+;?|
xjJ=wUwU.!
_dKTK1+9
~'Ms6#]
OD5J})|
%OND u:
2`~{%T
m>i !-
G^{e!^
Mwz\H^1
zoK:A]
RfI`LiD
N(.xB-=xX
bux/:>Yd8"bR
b 8E_-H5F
.r({PS
*WooezCMMbpn^
u;c4}%<`Zr
A;lT \
+,)#>)
x93'hm@
2O?i8j\d
*y'RC1
`,|"$r0
aULego
#,jXktaV5
%F0d78C
V:%JqD^N3
{pVS<"Xia1
-==$BI'
tA!pgEO)o
0%V'd/29tG
'vJ'Yn\%y4,
w3}WjiA"
*W|9aDkpK^V
Ud ?E,#Tr
/!P~zge
%N)('0@j qs
Pz|XGp
T5Dziw6\
9gwy[#Rh
}cpAs-\R9FQ
@dbO]&
)EQM,;/nip
KRz)zC
y]^Z9r^{s
X_z_(}^Y:$
7ro7=]ECY
T?\2}+H+Y
aJVBl=!Tr
2 ]t`cQqNCg[
U@`1z0b,7E
9c2~/x
wh4$`6S+G
Y7t/ua!sX>
uh*=,HH
-@VSE{M
+7;m)#}
&^|lz#Yv`
{?L]{%
j`>$y%
(PhrEGTb\z
~g01E(
J{5g/U
A"thnB5_?
[_Vp*u
<5~4uNHE
urmf0u
3:Ow4}nR
Hd>V`2/
M<v+lg,Wpv
Ts>d^Z
Q'}n]/JdQk
a]<~5F_
Lj4Zk]wE!I
F';G]l+]
SqhB?}W>I
EmqJ'a!,fH-
s96|x2
}QS(r,
1H&%zv\
: :x9>
jQrYNY{(A
/7F}Sa
gCvn?* y
5u$EiNn)qd"
#,Hlw]*jd+
Rv8SNEhM
V }A,
/j:@O9;;HQk1lj^WCA
ta(W7(
kx+Tl(
!e V%
4lxM%zS{
F~.5_4=0
pn<LgT
ib)kk4>+
r5zbQg
&3!Y&\)>Eg
R1M8= fM
!nE"\j;=:
oA+Dhhca
n58(7?VD7^[W
T q(05
UYV/;{z;x
["V'{a[=3%|#T
=9(r`C
qp~=3`{oxJ'
cM9yYMq k
,)UA=.
%`5+UgC
LANl29
:\_mWH~
hJk}}&'3
XdLA{9x[@
EG*=uNHhk:zI:
j]wKZF
^BK.SA%YTe(%B
*H-9jK+
QR6pM6._+En/
IAdf#31c+DfUB'4
4&kV`[~S
](-6f6e
u2FRY,%?bi&K
Jz@kDIeL
Xpv#L-Z
kG"C]m6dx
={E%h|,
)Eh.LL\ISfLhp
JsM^D5;z
*(yR~1
j,Eq*(
!+E~j{a%ld
q!TR1v=[S0wn
<"l Y$
oc@BLMH^!q
l(]@{2
4+1 .}
XGzk~h
Foi;?g?{o#Y#GV`xFP
"@W&ph)%cI%9sy
IKkO`#IIf
s2%Gh
axR &&v}V
0.H|j^yY^7
C j^s?o
CHO<&m4c
(@],EgH
j44JgJ?:
g%E)]KJ]
4qH^Vu%NS
c%3P36"4RFa'hSK
2Cmmge\)
l:~n~g2h^hU.T;FB3
D)]L0su[4c#eh|{Yt
}~bpcKV
VN;3eH6Z
Ofm|S{
P+>SE:rA}iG3
hZ&N&nmG
!;#J~`W
5Lc){-
?(=A!;
B9mLqC!
fA $3
1%%*eK
>#.NcyJ
Odq0`G
,}fhQ8
Qe(kL6YMX
l<lLzbqC(;H}
7(`#Lj
&kX5,>]|
e9ypw-
=y!n:$KO
99:t|ni=
))qoa6;4q
:TSYHi`u
jtm]M(SF
W7$gwG_|
uM7p@(Qy
.1QGkdj:,DaW
Eci;c9@zaOi
>t1.b't
hD5a9OYT`B9je
El NCmr
<v6!bF9T
6!D]eI
J3'Ymc
($:CBI
m|Tg06
+[@"zm(#)
@V&E%{W
]()5vt1
HuPKR9
u2@C%=|
|"(m{4
EN)i|&1
2>h !Ruv)
4=v0gzK
jqXxsy@slYx1>=!2
tSqae&
O*T&|94T/
J>[;H`C
.c0V=I
b5:>]kx
+/ER1:XZW
/g&$ Ku6f&T
sJ0xc3&^"
D/>b]?
zLPBOIsg:?
ouU5=l
X :[.jr
Yor7IM
44&!sq4pa
(yt`~Fm%G3<1^f<Am(E7k&(~>
{!nd7U^;h
*)WgLT>W|d
[KYe1Vy
7u#:t;
j\#}~I
!Dqzv^983YcH7
V$MM,^7c`
ZYM>-C
@,\>eh
Pj`}F_6
bsKGQY Gp
[\{#%Buk`8LUi2h9L
~V:&Ms`
=0x530k
PAxk)[eF)&
2\GT+Z
3k"l qNstPmQN!-
#X\f9 #I-<
8Fh_7]
01X/U`
StpjKfMD2
!'`y7Ae_54T
}H3%N'}
;`3j'V
#!%CK(E0x
h2z[6(
^c@gcN^|
m- 7G@7QG
Vwtfc/B
PP=u63O
`Q&a*2]pZ&~l["q=1KIRN
dxXp 'ieH)6B
"_,B-LP
*x(l97
2ayP@1|
MOyLZF}E
Bvk%F[[a*4
#f}x[_"l
QXO[(@_uNt3be
17>q_H
:8w5wk+V&+
j@>7G^7
u Gt.5
9| }^N+E9
KWYR&b"[
?5{$C"Ab
!pK}3e
qwzO7fEV
32oPxS:()e
44g ET
/P wO%
?T\9qy$Y#G#
{O6 aVbhU}>bu2
k..mBHjlX
`J#V#dj
W}FMZT
Oc%{*f):V
aWa}u\V
Wg5`7s
zkc}hj
Jb!JRp6
g\q$VWz
_4s1T; !
an,=QXVHZ?0
"&1Eh>@qS
Igu?U=;
MGffQVE5
9!w,?&8F-!"6?)U
Tnju3h (~`;t
$m="e-#gTZ
nLW1J<W
U4[=U|1M(XA
bI)L` HE
l:<_Q*
$g} ae0r
` *hz5
Oi.=*1I/'\u
?/+e*C
xO[2oz9C~
w<|_{o$>qyKs|)
[_Llzb
11?e/8g
003y>|^S
q_UP_3
QY\88[-&eu
w~Z"P6U_
BHs(csUB+
M)ET]?
7S/BB6
Qay2AY~^a#
"rHe'f4wB
"buOrXE
#\7SV#j
pr-7!U ^m
av>e!~nW/
cCh7w9
tX@:Nwq
s%J`E8h
T)?Df\|%[\-Oo:(ERl TK
#2xcQ!
]xUJcKt
PQeXU%(GCYV\1}=5$
Cj;HHmPNo
/GA#]p
hw]I|s9=P.3(FY
3F8]xb
mWT=`M`^+_
D"g!ENbWt5d
Qy<wHFz1
eaDcee
yOjts*f)V
NDI@,@2)O
lE}$a\<
>FY!,xeM
`iYp9KVVi^!,*o
q(vMLi6q6`
D.nVxZP{
XjHe,Ln
:6q< ;!H
(2Rol&
NFAr+Qvg
/kSNXl
x\H|9=4
G(3'd-Py W
5qhmx^rO.5^ s8p/PB9df/
M?7,ar|t
o2I0@f#g.21
n|}8duWKZ
\=Zl!q
H'_*bo
PzzGz'SgGB
RV_UAe]N]
]U.s\z*
!M_(H4*C
<QsM>X
P]rx,[)0{Nl
U-Ybl)<T._
y!)Sv=Ey*
-l{8Rd
MRd-_%u
TE2I6EH}
mi,-$hb
51Hb@=3
1r=vVv
rJ>eqI$^ZM1f
9Ygc3ihK
3fm4bl
zxX~;E
1ecc0XS
@yI[u'|8
W[Bk}NOU
-_Vr 8
+f7b[pP
nH'.XaCJ
w/V.8g0Lc<AD^
| CB(M{r
<qv\fW
FLpe B{^P
@av hXL
v + h$
p=qm,N7 6V
DRl5#Y&\K
qS,:a~(|(?
f;sv/8
_D6lx[y7o2,,~}ati>@A
!j$z?+>a
D+r"*C&|5!
mh`2Q#R
2"6GFq*LvY
P"~?z*
Fvyh%B_ye"i
<4-98Vo}
>=bD^A
JtYs? Jt<V?zf{ESmv$i;= O
a~8"0G!RD|ao!Q_|
yb+>32[
2r$W#1h+
GG_>~I[f
}k'8B)>
Sl_Xa32
xK~m|Gp:
JdM,G#@
HgnWG`)\YK
A(FQ H6S1S7C
sm&Gmf,{;K
ir%W._J
fM:64kbmE
JwPb&(b
RT'f&MH;)5
vBiv"|Raj
*u0jW(wY
RlBj1p\
c>:3,$2
B)2pnH
sT+%3-
ccHFo>~
.|_WKUI
fh>v&.
%dgHoS"6%
Hb"G/Y
4R`Q"_
wmXY_[
zmh7wl
2%.X2&d Qk
oLv$fH`
iP)+W9Ac1[
c^?oeN
,#Z!WAo
GLB@<J(B
"%)Pm\!*
oqfn~^I
HS7Mhh
9w%z.L"##
U9j0NXX@g
=0:|tED%u+7']ros`
B][}w1y{
Q40N=4|
eI~gXgZ
a)6j`e
N7*FlfF+RG`BZPe'WQ!:Q
84ZZ?bnuP
0K:^ANHv
(o'D)V3
M%ZTMHJ
n`Be@I+(6ul
LeOxQRM
na J6R
Lq9n:=leD @C
yS6kmS7
TWcRTKS
;0J)+Y
5^E[dT'?"&IKq
=eKo:'
G#!6h"*`HU-[=aT>iHxb
Hgi@(||S>KIA8f
mfkFX'k5E9U;f;[#c+qk0
6u17O\
KGm>kp
{a.x\)|?H5
4t"uUyPM1
|%@VFC_C#8gNHvrXpcZx
@B5RPTPk\TR
Zx(B(mi
Z-6ERP
1+yY,rz}bM[;W<[2z[U
Kvw"<=HOs
"U~39]]5-2|
._g:'!2.Kri
5T+X-V-W-X-Y-\-],Yhxk
a,Y!fRR
1idq2h@Ws}ZOY<V
~xR@*8
\.-`.*]pU
*@]RkEP
-T-Z]Z[
n8uOaF
vlZ}=6*b}
jDt2r23
M:fWLi
~oJZLzO
3Z6ibz
|8~`$'r
aop_ Vg&Na
/SpP]d4(
FiF0qAIc6:
3('67|9qi0
d^ZXsUs
lF#q6F
xUTxGu
da^ zxu?Nn<HD`ND5u<
<`c)={
&S(2[&
?wl*;o<G\Y7
jcr'yeS}|Ezh(l
,}bwTolv&VxlYO)
q%NUd]
N4,p8c
G!Y9d_
cU|:{,r:S-O
B7KL*YzU#
vN5Sel
,!Gz;@ Nd5
a<6f>dH83~Ir
2G+^'yj]-O1F
?'%XJ#E
s #SXb
o:;!0 *s#
j,qmQ)E;
zq"o94~ JW
EGm HD
? |6&P.d`~.
]p:HI~"0
?UpsfsE
^=JaO'Vsokp$!
9?.+b~l
o&c|u:YN_M
3Sew$v5
&uyKE#r
4?aSf/?b#$ DY _
=dlY*-F:vu;q
f9SLT
BCRD4_a
xo'VMTz<z
!MK':wdtD
.QJ)Sz*=
*?Bm7$8
g:-pt!C
}>L.|sm=
gi+l/u.R6$
:WQ%mN
kflF]lU
1ZlM5W
F^2s9vu6
6lm38 #Yz6;?g
Pt:s3+%~:
0Aq07E
.1TY*p
)MPSP9u
F54JN\
TM"T0!U
.=K%m;F^
i4[(|{aAc
UcFWr2
`{6"F ]jg
%b-%~x.
w+]>)
C'vrl!h-*]]7
?h:q7C$3IH~fRbzpS
^ ?<PE+o
Bf6w90<ng
ad}|;FY
TS)<-fO+*C2QL
PVQW'Q
8*HA6]Z
2OZ5sL
iI0Iv5'ZT
}x3P/P
N_ >.rZa
*^Ms)Z
w-_zp(p
LRUcg|?
MKa/DF!\8
3 ]r&)h4iH
!iwP/5WjIU@$+k
8cEMis|7'?-
s30@:is
\y!y)y1t
?/#.h-9{04l
O0`!#\,
YmKzkTod.`^r
J\wB$8
'^Rq{sqkdv7|9B1b
\j-{/-G
eP>'6 D
#R$u?u
PjsL8Ay%
l/z_c%:
;T23<I-O
w[433LL;
#y-DC ?k@g).
AA{"#:
8cYav`m!
-<3?;-nS
(kzz;r
?O0#y3D
'YDzwUba,NP6
24gnhjUQ
&TtG&yi}
7vm"zz0i
Onzn4rSFK
[]@Y >u
_+1G3\+|aJ_j
;w"-f#4
aOu` ZK;er A
7 E|ZqBQglFY*c
k'P}"s@
{2(}(v
WZhx;wj
5Ywk>7
yu$#[D7eVyZ2d#
R>Z($Xhu
(9%wkP|N
O*s|3X
qtcQ^l
jl)feNl[
Aiyjk_
3Rzp\8
O7jo7)
S2~?ft<e":B!r2
[c<l o
~q{iC3
S%hw>f>fh
x6`TESwk^N
YTT@ARR
P*V*hTZ
h03kj\-
Z@ !zf*p|
t+JqHh;
1d$Y-UO(Z"
T3=0D*#LMV7h
7 t`_`
oM2d5cwI
:o/H?)f}%
Mef+2O
1+;RO'/ ~sTpT,'B|FO3
z2J~x&Z@Z44V)2HbJ
t"8=5L@
AYqGNu!l
)8a(<B1_/
GiexjT
'GqMc`Lz^
>S$&|16 &
`q%]1$dZ
cG~}Fdl#B%
M)`NR*
gAFB&8
!.'pIo
/ER063>GOj|
1{vm@MTmA
dDL%$IqcX!
"-$O+@
zfn*Q1
EJJs&.t+4
:.yP2tZ
*LRZ)-Su$0X4
z%7(N2x
%vUuVC
ciW<qVj"g
Pc|0 C\(- kCK
vt6LC-YoC
L>aE G\
IhsdsM@0 B=EIl
'+BbK,mP
s=Vv4~0
gf1H/_Xy
(w2NyX
z\r!<LL
6m<@c?x2
M7u vm+_'|"${sJL
GxzOBa9a
y_eywE
1WX",gk
uBADXN5Ma89Fz
]@8S}c
<2s,w`IN6r\V
om!#]GpN|
WiY@|A
~BjIijqt%UQ$i
v&#Z|H\^
q-`w}Hy
g0|'%@
i+_>{v
2rm_OR3=Sh
,oeE+kd!1
oBf Fhj9*J
WnJIse
F$uH5E-}
KYDq?}
gw'9k6
a66L0L
b?1&^<8 Ur
V(;WhA
M[o~<GG*_<KdO?v
bkOj96O
]$=Pg|
6 l~{7b/
C_mcK1
F<Jxr"u>oXDj(1M
s?\w}WAq
c`XoTyl]uIvMu
U7oZ*J4
4r=x;r=R_j-s
3:*[-zz,
z;R\L<
9{3cY\~ Uom""I%
ovD36`
T=eOQzIq
y1 ELXl=
RlU8mP[hQt*M
At-ABZ7Ec~
]Fx`7vvC
(s :HgR7MfM
<E06>tJ
R! yBH{&@}EMf&
jq1k>S0aK
N,IX1;+
V?(zw"C*WU
,`Q(8
pJBNC\)
-@)8ZZZRAM
4L#c"d
)_hZ%}VW
4R23p;
|((NhIM
"Ds=g4
}K04wn(
%yek#F
s:LMvkun
(w4Kk1
wJDyAIr2'Zl1?
S*dl{.Ac%:
@~9Cyr p7
y;+=:DCoBy
2Br-}{{'
bt3[pj3{
|KPr9M
LCf'T%Aq
2EY;V5
$5}kZC
m9Bse8,#0;y
2"sSN(
/7+[V?
A;S_^4%+!s
G~\#Io
gz(4GU:.sz
;T("w.(
{3:&2U
ggtt4V
h| JZ/ B|-5dh
rNC P(A$+B1
{ h_s;T
5r6y<1-|v
Tn$[aO
#<+-a6V(^
rtwb9-d/J
ip!*mCK
#$.fisb
an>,O@/
\Fw95eD!VI
4?FW= [.
IF]v-wakcB= zO}g__vo
e;;<ltt|
z=AH8p>
vu|nr~|H
ajhFmBt
MPTz3yrO%g_W|
pu:RR-
x2g8cx
N[[L%Z
aZR~Y_VW
~9Z^ +J
~!_W+W+IV+
y#+S+A|
]FKqTw`QvC
0fJH1m
R}P;H~
c]P<$mD
g,j*,Ak
YU4<|7
-p] l4
AH$!!$/h
#3]CG,
m\a_I?
|E0%K;j&
gqu12aVa
E:cS=-
K)<.Op+
F<p&6[H
{"?gQ\0AlwE%0C
P"R=KQ
S}f"j#i$O"yE
i9+ZLjK
*XDXC/*\s
]41|+T
ao!Jk@V`R1ucG`K
(a,lD&
NN8vb+
kX\05!]
2725fkp'OiZ]c&xysZ
_1E- S#e!
fzYZ6 Uj
F<9E%.<do$
\Ezyvbsw
qf|O20Xq,JZRAM
VR`m-$Ee!
@(ZP+@| B6N
EVod>Ug3L
T y]@f$
t{'b#\?
-YcBM@sg!OKBiAY_,l3
b<]KR!#
B/oDI16t8
;^~z}.
i:jG}~
9?|ZJN= P
QD=W)vh
kJ6eO:
2sCp4D
^t8'.DU
x6vF.wU
;!X[[eL
2x4NeAQ
NvfJ0B
m[eJGQr'yzwd
*]n.2+
"|KmkHj
gzZ:Jj|
3xX|D[v:d9z
)/_4~|
|w$VM_b
XJfkq^<ucmTTA
6 p+{d.
{rKlpXYZKM_w
A^iVAT50
r'NtkS
8J-]/X
tVO5UR
4fzYx?
O+v#GSq{40G;<
E~P-yC%N/
#q$jv,e#;TW2RoCf
tPDLfb!>zn
Cr'SOw
'N/KMO?
'`Qm!-]e@Z
L\@A'V
KgS2!@
J88QCF$>%
H`AC:^
j/vBJ/'T`
\Oa'fp
@ >dO"#LY0
c[@OnC_U
?NZ^B|Q
3bq}9z)C
$24EbR%(r4b
3o[#aB
?"ju?MMy#,2>)?
0ko:`l
r*e^?A
$lI];GjHM
zt}]A&
@JkS1&w
UeS2zV
A{N^]L_Eqh
CZn#/ Q7l1a
=;V"6jF&O3T{
NKY/6Rw
ROIK{!6[*
?9R\xku,
dU~gz/
bQ^gJZt
*l<Z'pK.
V^HQoPD{:
Hp^4A/.SA
dmO-! Q
w!8DrkJm
Yt=;Ov4xs;W9
8)SpTqfscDOk
v%/nkadz4
FJ8Dqx
v9A~y0R;iJ
MFNY%>V?
2J:Nu%rn
_juhwK5
l[pFu*V
4cUUo:e>
T^tah%t:
T SxuRP
.kRat]uJ
F@+4k%HXCa
!/9I3L
Ml05)z
d6pEj4*QL
KSx.$<6L\
SyBZLF
#U[ly$
?\RFM)K$eUdGl
)-v,g\@z
z@ _$~
|9nypU,
vL;A/*.
`t#Rh+ICp%n4.
~!>>J_
;&"7d$l>C`
Yzr3u\x@
Wb?k 3P_)`
nE&_~yQt
^d6#`y/l@bgL}qVY-
*0R'".
JWS1j).
@! UaM
,JI1sN
kh(`{v
d/etQa
P,=Kglm$
Gu}*w#
P870@fmP
_e~g{%m0ilx]mn
{/26#9
3k3>E\
GC3<6J
rA?ugix
qtTnIM^Z2Oj2
La6Ily
&{>u:]
ZZ SK
1TX.y.R
I.g$OrFr
#'dh>i)\e$X
1tv Tb
yXsS@N]
EP\K$lr*Vb
q456&9k{
*'=Z86
L&?n4i
PqeO0#RTx.x
&fFR5`R
j0sPxI
2rvrxIm}RM
(qlEH6)FV zPw4
%[AaIF
TZ;;GR
c[\pN"F
D{h|`8
\n%.hb,D
-@-YPX
TL``iS
F qWrwX
cS0>W!d.HX
N$UM3j
Z<\VPx
PmFhdzQ`
g'[}&U{
}Kx!g!lUW5xt ~e
n"<PhC
Ni2g|va_`pt`>,@%G**IA~
fvY`*\
=dkGoNa
a3s2#$i}cGiMe
fl:d/{
1,^N;{
1.3xXq
]b8*k*N-}Xyl_
U>&D9s~JyJ
Hb -m4G
8=!Jswk0=
CT8 =3#T~S0c
#Q62O*`=
JSP?*X4 _
XR#I/`.R/a^
.][8~i}vu+I$
%LH5oPX
a$tN$T,
dxNlI+ aIm
PVgZ*8+u,g
ohA*X*e+*B/9Z?+T$^mP4uX
)<PSQI
io~\'RB
l4Cb"t:x,1!Q%9p{
. T)Z|
cf(:15>1N
G1E%2Fj4CX0
{zo,Y"h_=Z
I9.u_+'
Fue!;`E
|&tSFcI4
e50(\DB
5oY`941Xp>/
fhe?NJS &
]9gTK["
Q?h@|,Ixu!8
Fp/a:.
Eyjm2"\R
Qxl(Mn7
9kK+eLwuQ
(e5@PE
@MgcsnJ
yTPjeQ9t
N(wQ.s
S|+Q)R
nGD\N'
8s86 cnB
/ch6DWDY3%-n?jw
mJHJ']
uQH!L!
sHH"i)~
gx!AGz;%|*xCm)bM+b
L* h6
m#" a6l(0x
SHwFr%P
v{(z2{
TuZpS
1/06lMSR7<X
(W?Vmq
MpgYxDfLN
fKuv(at
i7ocCI\9
OhTJ>#O
J<qHW$u
zk1G2 t?xDJ-rc:#yv
Q8Yqg8`
=?91wD
od'b:ve
q,HDf9sQTJ,
Sh6 ~hz)%5
[yU^b\U
(&j,7P
rmhsX;X
ud8;=0d
NX,8Su
qxMWil8-
I,lgL$qs
_#M_ >i
-&:[0#1&8
Ey2>tp
Q3NkeoQ
W{#tKY,
^z0]6,&]Du3
,7^afa
7Yo(#T4a=#V
1[e]Bl24
=PLRo3
>.[i|kt1L
~)JE J=
n|:; *x:Tk
4I.[Y/9
g[cX1U
3~F{]-5}CX
R%7VR3E$
cla&:R]Mq
k4y79h;
73B}68
7"t$`Kp
nb5.<6E!W
tP c?'
nR2o8g/n6@q1
]2q7Cu={6t+/
wlq|!zs@
N/c/A+5y\8[B)F
RT7`^$Q
G xN*xOx
^u2nfKu
=R$I={
l(QOS0
}2kd9I*
|$2v}\
b@?,ER<LXG>5|xO
EV=9T0
fpia@lvol
q}Z&oebn.
?jP!E}
D?tW3>
o.MKPi]
h%bU=P
ZM*{CQd
R#'[% 7EU/~|O
'iHsV!W{
:|XQ&)E
xPtMzp$jt H
Xaq7&sr
Bf42$yAjFyEGe2
>Jc !Cw"Vk)
pW]{mOE
O.89J+ITy
3/zV'$qcoV|
:erYA'
tZY%'>J~@\
RAo0,/H{[zmeK
6f<PLSt
=|L J'
k,5Ocfq8VA|
l<S)a_9
(.1:A/
iJz@jSY9ED
myFi_:>
Ns!V I~ ~0u
a=kxaZA
*0F;Fu"
Z2H}q9C
nuZMRF\]#b
#qz`y*
2f/{6,;
Ove Wlr
)p|[U]0/
x;p*\G
GqJ?$<
x'FDtn
X%Lh~,
i05U-RaM=;3&
TtVp`^GwIZSI&`]
+`lyQF
lg']V9]
*fN*xEnH
.FkmotGsb/%5`
}D\Cq3p3hk
z!-r-r!
fujR7E
R;OMcf
%'H(}7W
ZwFfiW/
;^I6<,bU
i]:w>.
<=<N\D
O[ ~0=`G
]:D,#d
K6Q-"W?$fW
H\2:qe
y_T:pA
YYa1mG
p WjsR
6ahd$X
2(A+ck
YCbGO-0qa8j
:0,5gb!%C
Gh&WsX9,
!GUe 8w
iI]ZZl
o@RQ`=}/
G[HkkH}CX
=6[Ba|
"S|?!(
m</ X8
bC8sMI/ F=f
2xwNtI%
iqXAx<T<K
qQuBZYQ
r#>bbE
ki][=:8+qGO
|LwT7#
Bd"Ls<t
M!6Egr`I92cf
c2"KHG
`1K>cDWlRg
-T&pQ1"
;*XOke?'d$Qw$d
xqM[&r)XUp
<n}Ti )}Uu&
ks<edI
Q-$v=G>
3T</H-T
z1/YAVoy
X%HIUj
IN-3K}<D{T
>9R/;{BJ}
6e"JSu
H)P(xR&
2/EtYHvS
vxK9/$8X.ImEQ/#G
&@BBAxD>`<c
Ds/'_3>
Sr3)K9
.gQX7.P
Ll a;Otz
gF 08DSs
GSa[Mf0
;FoZ;?
;z:.SJ#%t
y<.?-bp
P$hUG@
{hu<h$`
M#_Q[KFwc!/3
v!"?|>
F:N9u8zAHu7
R8W"J;
JOAn!LZf!\j2TSlT#'"
zJ{2AZz?P}
gXrs']
J&r2x8
I/x-qum
-m`16; )
C4Mgjv(
R&}|(?x
v<wf7c@$
!_J{+94
$kH}T>
Btc 6jD^jON{r:
C=19GQe('g H~
61@ 4vA
i_;FQ0
qrh;*j(
xk%e6b
h0'QSw
J`r.qP
36Qy4g=r
|[X$V{W
8A@?|L
XFSr*i{C!TR9$"zI
G_q%!#
1Bqk RK#'
V6yU#O#]_Pn
')VD.~@w(
t6cw+bk
y+d6a'2cnk
2+&z\h\
TFn"%U+2:@
,-1[hN>)
Pw#*~|Ib}\'*
K]D[I?9o
U#r~&Ty-Dvg[c
I- )q&xX
`-'Qt]Zac-
}k)}SYgC)3P
0<D:n-
O*RSAg<
:5y{.5o4
x{`\e)
QbCFT'
_CLB%mt
7t^3?9
z\@OQ23#Cc
{hZ)[1
s^mrPVb
nk/Lc'=2T$
{PI14P
Ej?i.$
QtPaNRX
^4'L4K
9!#bEysVJ'd>m= J$M
k#}pE>>
prpAfxx9K
TEWtnY
P:la\63
{m?tk[
esW|f3:G
~ SXuE
F0+QBl
$;if^=
eY iPV_W
5,K?fb~l*W
w(d[bA6
[wHf}n
*RB_{{
4]K>hsr%,
1CEUz(We
~uQ!VHW
Uc1xA}&
.$BMM'8xaA
()'A&W8&{3
;5wKR*ml,
-GA|OP
i ^|dIvR"C
]$.:W`N\
d0~Z&u
/.AYlb3
uJpkRl
$ = c1r
J.q(-O<3
|&.$'W
"X31%3d
a{{'0h ck
e_4}@[
d) h$H
+c-;pePR:t /|1
%#%ny]j
yG<+4x
m+8*J!
CY+PZmj6
dcUQ`i
TJP8<8
m5u#Qs]KA
5e]_"7
+<BGK:
q(E;oU-
#B!F|Zv$|Fx
+4=$ 3
(?<<S=L9ZG
cCB%]9K4%_bGf
F[mDF{ZI
jt~f}FW<[r6
Vz_9Ho5/vy
(q{EZ ,
Aw9/9t
SP.'71q>IH
)5"hpuY
E\[>62
GH2O:smc
d&PHUet++
{>O1r{
'5(zRG
V ti?!e@m(XS
Y0 3Z8
;yBT\@
umtN*phI<kTZ8nv&C>
D?fg1vdM5i
{=CBYzk5D6-
`[:Z1}
06?jaY
E6* Jn@
LJ"&eMU}0
c&s*/C
w_a ;e}I
n_w@Klx4ArJ<bS3me!
_c,R%m+q0&Av}Yu:VT}}2h*2L
4Hq}-c
.ooECP4B+" #+-R|
~Z(kZu
SG-wY/E
3EjsCh@&
<U9DH[`5
6,2SgQ
VBgD#4P"Q
P!()@0
WZhc2ca,:d#
H^Dq9Gw(
y =lNa
qS016'J;Op
amHRBlrI1.<
mz0&rz
r|I}4(
\_D%e~QE
@>D?b'
3nUF~9Zu
?!E:I!M8
Ob%a>Ou&C<~N
z;4m>>v:
R~"\alX
KHE&3cPcE
?Yt[)3r
r#.f'EN4_k
=CX{^R2q?
H"q=W}3
n[3>o(5
!?:`n'fDm,J?)
HF1}riO.H
oo+'+?
cXf#\Q%
P@6u>,
v'Q6|n
$S|v06
jl@C%A jm
3 OM.q
O/nb66U{l9[^Ry
Y#Dv+4A"N
}97cvQ
#UK$9v
BlxVlogY+Z`
!Yz4"8f%8h7
pZ~{G7.Miw
!Ivt>q
<=,xZ7(wu[2r
}RcHM"
xwQ4]i
Yf5 {k
uG6f{r
cBt=ysz
Zml=>*x
>\ki^P
oF26%E
%3#%mY
<~:J;1
fmH&tr',-,
pJX)56pt!+
<l\2c Ls1
auT/$=
Z,tqKT
dUJp|1+am
fr:*G[o,h
o3eMGkY0
-2^)^z
+:e<o}|=
Z cC">-zVj=P+ubcJ zn
z1F2.:
7}&w|%T=tli$)
?!xmGJ.
aRox}umDpX
rhw+Qz
,jI*[%
>z[k}5
BpLa5TsIW-e
BK[~)t
l^U2&\
HxM2O#
s|-tq<bY
WO*ON1Z}<Xu4)s'D*o
t)W{oixJ]dA"nM|eb=~
X-%'g*
gS6>VA@
Q4t);=(Cb
6aq)]=pg
w&yN/Y\wm
k11sF6OKX
2u@8Z|{l
i1,B>k\CPe
_y4`#;
TX_]~nh
d@qNvl
B5^S3,
7 e~kRi%V-7dw/]2=_g
G\ueJJ+
&#TY*O
mH3>@tc?n;`l
hsj&+'xY:Q
5}d8S_0
@HVN(F~n
Ca.qq#
?~Q]n4
JU9eXl|}d
rsHt&G:
!T`>@i
TWv>B>c/u
++4 OI
.DrtPiq
jZOnkqs4o
H81SWB{VY9YG
ze4`Cyl
,=t<=I
2aChh66u0S}5
#yH z4a-$L
#w0+($&x%JOm\
s5nI}'
\{)R^2
.qa-qxm
bgh,12e{*-%D
Nqc9Ds
5,~ (7]Y&pg
Wq[K4 *@V:^
$}W+s(
dF!>E:
x<#r8nI
>}q>1QZKcg=vP
!Rv+XfI
389k.+`X*j4
JO*.i\e
yV2ED4[2Jm
+{,({v*
ZC[FT1l<n
Z?kQ~!Zz/z3
*DKYwHr
'I+%m~xWx
^mD6rY g
rC6Ygr#9F)
j-v0:Kxc5
OsKa}r
O++kG\
LY[mt\RJ
8:(}7*K
XgNCh:,td
VWtGqALM
4B(@:j
-v~QOl
K!:z^A@
2m;C+R&GZ
uTKMLn
~ik%E1.%_W
BE*UC
:\!* |o>?^?
M~U,{/w)eJW
|C-"_$
^Sk%S}?
t`ia`tFi4G
.hT}_?
^n6}NWL>
0F)[Dk
QPpPV;
ddhCSh'j
b[|R6Z
S<">;/V>]=&F,u(A0
4!.NbEy p3>//C*
7I";v<
WJjZU[ugmIG
u Kc480c1<` Mcp%IG
&I[z!X
yJ!%RpQJP
Ke$H!('j
/?_Tdhx,(b
@&-TXU
6mJ>T5%D
JCq0pr
Q&qE.d<Z0l0
{\[U{E
F;PVVet
WSd,cY
f;2r1eC
eJ6wJa
40i-mT
5djh~P
"tH:GK]
Br0zj/
UcFV"1#
RT-T|}-v7
WX$PZf
Xk8 9X
Mey{7Iv~
F1 2#n
zv<FA'
acSUZUJ
:=K-14jn2}
d%U"hsyA<
i?gJPH|
'w!-`4
SC]^%^
xXm7DSX^Ku46}7
6<l@CHg
@:u8{
~o|_osk
TAb'j
TSPIE!
|tFrov
^Z/mGFf
0Gk~gzl [kb
`1M'hIkSW.S;F,O>za+L
38p"*m%
f.^+w\|M)y a@#
BD$gmI$
)tk>'gG8tg-
f+8TIi$o
=i(g0)
\i*nkk
38/-+|
bH4ccV
XBLZcwPt
:|lA~+9N
&&WsgJ}
$}* }mk`
.!QWf,wR)HkPK
E9/Z,nx
lyFn<),
0x)_\q
u|HxF2
|i9Y8]
Op?`-17
Nf1fK*
yCcV:b$
0fx'*eK/CeJ_AB"l
koEWoBVg
<h9{U8^-
JeaWI;
i<`wvJ^-
1Xbm%[G
6KMh>"my=
byN>Ga
OG'?KS;>=q
)3}]wA).x6"Yy
O{j\SQp
3~ua;eR%
>}0qj^i
W4>.6LD
Y2/Zjz4bQg
!AyRXC||
^m\ vNdm
KcoI,
eBua2q#in
Pe%Pik~
\&jC=t
G}GzCDt
[v=(,^!
f!=c_usQ
2;-o]W
^<jym2x2&c~p
SmBPbn?
sC{L2]u
eLBoh
1z7LqBmvv
9t`@JzC
n8%pi3ZqU3
rfQE@.Vq
wQ7nl{\j
WL'T 8-y>
}?36w('61.a
YWoMJN
qXDo+|-
mGq#^FSU
C"4%LP
K!I}~X
AEi&Kwx
T'T@Lkw
2su[Uw@
x+\9Ajd
V-SUz
R }{4PH
WO+8[q27
<3A uU
,T}E3Lo4H
5{}` VxiM>
p<&*aSd.DfDr
DTi[fKz
gQ{c,~
)?TtdJ:I}@{
\k &!7
Au$KQtL.
Efa!b_\)/7C@+
C1rau4<r
I|O36Vy
kpPbm-*
n~ZRJ*\}om
n4A<Jh&
;.f6 m
e}\>*I
ED3zqdw
cWThn\d9n
W$~Gl<g
TRDd;u
G-prk-
".&6#H.
W8DcYBSL3#H
#H3#G#
CUjjU8s{]
KzMQt%>J[
mz iA"m
?0vk]t
*JARU]L
EL`%MJZ
S%$`<@
vF\mVl]FBwM
Qf(cbt
kr[px_O
fAR;TIQ
=uzoV>W
UFbneuH
)I9\I\oG4
t:Xa]1qDbj
+s3q:2
~&NQ=L }!z 7sasQ805
\.c7MS
-tI&, l
Bc;QF]rTE
F&{;3P
kcM/!.&tF{t
4e]=asv_
K1T>p0!
Qi!RC<W
zg5dHGj S 'x
yaH}c<`qr"H[
5AYYsH,6Z]8+
6.:peB
:!"4r#6
-eT)">Fc
y#F^t%}cm
JNQw(&WK
HiV1Ne"
YwbAgh`
A+REiI2=/F<
("spf1
m2] Bi>#p&1fF@i\
BPnjE{+
p|~9)?.M PRc
,RoF~iC
BWCDi&
!*_^|I2Zd
3:V:+"b
cL8/ohRV
8rDHiF([bG)=r0vv
kceU<@
4&>6p"W]n n
ThKS]8
2ieR)=5#-
hp*r0*
KEv"e:g:Xz
ye-W?ZV&
AgD1?8AW?]\z3r3
cI%)3Eup
w)=%*}.
(vE\av1 "mMZS
XYe^x:xuhz
<hGg@'3HG'k[e8
:3^%aH
S]!p[^,s<
G,8AqO
qgnrNVv<
,.lF$c6:.bISi
2@ r 'aa
wp<'pg
g_T> Ftd
?w1@40
2gDtH_
'453q^AQbeU/
s#-9n+s7{lu&
y<RR)o%%n
n{[0FP#p x
'@mZ'!/
o> Ax)aM
j-]UEw
qUJ]EQr
<;wO"n
YM&^fS?v5
7CUj"iW Z^rl
}8(?/ VR
-T*`sNNb
{2 H/x
As]x/SL6JmX
c*s+C:
'Gth#XP
jS=hh8
vev]b`sZ6nXXQ@t./
hU?"JR
#L]W^S
/'A1D"Fx
@8Jzba
fWa1p#,+
z*7ZJF6>2:`
]v2Awj
h 6w:w
^}4hX#V;Q9k
dZo,d-
{%r3E4P+K
6vvHqF/E
}-A)!_a
v #'hb|f
l|6SqJpamL
GnWL8[%g
PHYQfL-R
;:;H"j1!
!qm64fmr:Q=VY
f0@{}{~}6
oyj|aF!
kr=s0>UBiCy
xIt+(e4 4!
q0GWf,09
6#Mc7-
RyHbp3N|T
n/Sr/czGZ=
/$>~yh
eT[ .HQ
IU%G/@
5X~m>sr|5
xL>=[i!
Ys>ajpm9
s2=Q}sv^x^g
JTcdtrFnHNo@
CRGWikaaJ
f.YrT
S8FH,6r9)^
Zls)(q,J{7\8G1LTP`
"A*y|$
)!Xw&DpovJ
>dR|NG
!u "Ak
%[sd7# t'0iW
atR%.T|}
2+0gc."H
y^-<e[QB4#)
5.*yNzMD
w^(&O`,z2
6s& z?:>
Q_9^2[
7mc0)>jw%
~*9P[@3
ATVRJc
9:7{93cBMXdWFg,x
MpQ@6_
l}7C5~
M%`MIi.v
U]ZiH"H[hw
<Py"0.j
E58+LH
Xod.Ir;@PNV
W*? )F92
~\;JCtdK3_bu
v\PP;ns(.4
'Uwtvf
lz?iX$
+V*L K\Db4
f0xU,iDm
9}XIB^5IZ
c'RtlDw
C"Nw0-v
E;7>lRN
mO9l@$
O=<8161
^ZO:.o
)+6Mw0u
[LiXoa]d
["jOv|a~8
"7~!O:h2O#
_QI=6j@
Kgt&i}
.ep mzu
N*x=]OM:}CS
krH"MPTSfi7v &1\
G-*'R>
{E@0L^
H+?3ND5~U;
>wX'=gEY
i -C
xK+W1fPb3J87+Al
/9|vUI6a
tZBY[00
{_{?aZ7"3eQ
I_<&-HuU
!BXHKu
"C{.,3et
A,.DPo
E<q/L[
<0X5eF
1;wJ%0aJIytBA
5I2P\+
qL") F
lF*Q{L
\,A| |nrs
Ql%|lyW
|{~E~5
}aO;Lfk3k
REVq%lIn
7\8-ZZ,7R
T6i%u0
m5H?l:26-u}
JKuE6^XEOdw
F'u)]|H 7I
o`vd\W$
QjH:I]
>SufTYo
xhz"%qizPS
!bbrcyMMS
CV1{dp
_ f%:e
KL6^P6
VWyT(n5
JQ>o5YH
[z#Ul+24aD
qUbkJt[ X
[uOB8Hq
'}4_yCF
}%y3I'$
%!fRsyfN
OPED"z^05'nhGs&@
MQ{j1Us
6RMymx._rc"Jb:!
N=lQ,kj1l[_
ZJx{BE
"V;S>{-B}(a
B/a3bf
RqC3fI,
F+8laH9;p(
n,JML]l
`+U[]KfG9u9m
U/NQ!6P
HeW.]s
L4$?<[
OQ.u?c
@YetBX6
5gl]B%
|Uh]J1Zwj
>',A4]7-3?}58bt]f
? Gk3S
kqj@@dSUUR)a)"
{G2292fN<
#0viz;"D12
K]TP"G
aWu`#*CUKpiF
Ya.U;'-<+T_y>k
!^k%65V
r`{%q#l
U$IA-UQ[IivL
%ut$5YU%
R{uWx,JqmYTX
mNWu`@w0+.r9if0
CM6Z6r
Vojee
Vb-&o7dTz
_S05\'vH4P
/638mG"e
DHYn~{
BYhz71 /
(vq(O=
w2'tIn
xeff,o+@Z&
K*^{sPr3'o
KC]Ck6o'D
W~Fa1"
>?m8QdV
sW-++26}
9zhpQt/Z
[$ng:b7O'>
|A Ji#
(T/=)$s8IY
Pfs+mOF`
|7W9[p#
9D!cSbk;
>ZSi6Y
fDQ-Jt&
'0!8JD<R\Gmml82d
rB+f!w
xuv>Q'n
#YIFOJ
.ex=Rl
k"3+1h'D#>4
u&ol%-
Xy?pC_GO
Z^$N0{
X;?;{W4tyI
|K7Cs%tFKS
qh1K<h
X'jhKE;B*
_3g,%t$Bq7`
zQzdsSS4'b_b w@
ht57_v]L\gQ
NwhLzS5-W.
+/r`hA c/d
\dN3c]N
2LktSzt
yX>q6u
#1wM,01CSm"'-[
3o hl5&bS
F=XK0./Z6K`[rV2.?7
]"oF|P8h4
&Ag4OrF`
&Yqhnu`F=Q0
#KX8]HvUM
{):]vI
tWo0W&
##qQ,
'xU0R6WN
[Zm7'-d<`U
3w\l;R
-pi$+S
}Cf6|i
8! KuB%
o(M6L.3=&<@
-*y^0Q
SZXMW^
}Z"Unb
79uVrZ
V@=wJ'
D Kvs0h#\
neM{UmI+
Ul{ea(;z
x3(+ `
*>^4|~
_sHVtjZC
7yeu+#
@r#ODqyRa'S}G
l;<f#BO&~^
?tG18$_+u
6^X[e}h'
Kt>q|q(
8BS",b
^LH])wf
B)Y%Ud,yiLJ@p^p
OKy`3dNCh7uJ"[/@
3=]S |<
/%k7hb
wAYb"fmo@
WS66CTl:b
O@[n&"#m}w
p|ttDf8U;5@
MYF"n`}
GLneb* |l?n!IjYq{S*-`q)s
*?M-{$hM-#j
0{e:'O}h
lkh~JG
_C56A@
yCoJ!z
&:_-y(!
LC'i6{?z
YV&H^V
T>X1q[+
zgkBw[$2
i<|un+orr
x$ '/Hn'$ghn8
k6!zwk
S "^mY
zt2<1D5c
X fAG@
_+J"'
"#*pL>HK(@
T)QOnn3fa5`T:Y#
D}a2QE}
!>[Pghj=7\R
?>z<-PG1,]_qB
U^^<x(HJZ
shV\+XJrq
0\ :HK6u'X4
<tu:O*mU|
Wu];|E-y7W
~@JKW8DeYpPO}X
eIKef{
k7joQA*
sI/,w;/
jB@#;;;!;
=5itmm;t[f
-2v] $O^
gUU$N!.CJyv
ltQdB:y6j
E3yDAS
rk"l!2bp!3
00|g#4\KV]\F
WY+FT6
2!~#$Pq
n<?twAtt&
e{4FeCyF
+(|CP1*>)}
O}K_IFE
=,01C8
95 1\j
k?-9h'?7t
`>.g;O
v!g~tN
~^J[HO
*;EnY;
__[T=d
=%AahKrdX[|_
6NWu $mM
Yul |3&VNWB-]
5Uc4lf
eV<TH`T
$5lKJSF2k$?S(s
mTJ(7+!E
%S0F;v
'-u[[[a
'l2$8uD?F*
UoXCIUB
O3_).$
J{~Ps6A]d/-#o3O7
']*n\\
xjT04nPgYI
<@RYNT
5w4n"zH'}e.<g
_sPDsc:F
?DEU>A:^&
?/RZ;V
X=`<nW
8Au,|$#W
tWJ\mLn
(%{h)[
sF7R/`qX
wSIi&B
oMpH)OQ&$Cv
'M&Nx:6
7V&<~n9G%
w/3Mc.Nq
%L~gx=u4%
+<Q;WA
>YO8OZ
id;;#_\
Yw~Qx@sJ!
WBV.8b>n(U[V
;v`W[g
O4~^Yzg{:
0Q} T/Z8
>rpNv ,lgw
rhfw)=&
c2%pTs
=NWniX
gB&Za>]}&v)_f:7hR
Pl:Di^y
8WndN^i
|:xF^g}b
%fD0U->n\YXzv
,#u(mZl`
/LFS'X5
bCU5h=
qdd"]M
?L`0{-
DddhcM
Oh[qYL
V?HoEga3
u,eEc/x#Dd H|6E4Ti/%i
Ak{Eh& E6~p>3CGH@ufHcNOx4
K9VyF
QY3Af0.e
n)U|T679<b
.?LPR4
g<CA,p#>
fFHU
t#N=P%h
%?5$n`ic
eP'w+wexBgmz_{'}PS
WvUwsqH(*&
y`/?$Zz6jF
TVYXn|M4Y ^<S
X}ngy)g";54
gWs!l+Nc`wevh
D);?Df~p
M{;l2h>/#
; mo10_1|
TW2K#V
SQm7&"
[gy'r?RJh=GrS`
.hWtU/"
%WAe)el
sVi~Glw8
\)\)\)e
k*U06Zl66w
LG}D3K
Hpise:ppJJ
4@odsl-Iq4
7jHF~tI/<F^
`r-O^$=-
J-vceF
p3hqdyOZU%$
y^^/T~:qzguw/
P/hl,j
;t2R6FV
,$U@5e
lKAQUGtxF*
4Xa541
k@a@xVJQ
v`:E(B:
CGddgpG
j`&tv3f;D5e
G1%9o[ew;[{(@9O!lK
6K04[q&
2T%F\PU5
?9DAMF S>^Q
OM|~UGW
'<iXo-)
} L9B(J)V+
:&EXQLs$h:R~
&*A&+D
Y=rBN@
}kpN#)s4
3t@r7-9
(D!=LJ4M
*HbzXB(B
Q"3%jr!!fbv
Bu%}vh4
Y_6$#7OM473
1{e-O=:.ng |{oy3_
n5up6m
,{$&Ewcu;M5M5M5V<-Sg
#LA&=6;?
=vy>C+
AN4ax`
Z*OXY{,r#Ozk
!Fv$<Iy~+w5
j ;).7)kq
8]xLz)4
Gw^E&RcD7I
0'x@{YZqQ
NqCF\%Qsh1iSWn
L[5^Sb
'^Zl#cT
T 37{Z
G'Oi\5Xj6
Yx0i4zaR
'H}0J1
iY^#0{
5SX;|ms#
E~7{"%6'
]vowU)DJ6R&dlW+#&1
JiHQ)J"Q)J"Q
Vf6[[V"H
+m+bEI
l$k0#j]Tm~^y<?~
97zTCEw#
z x^^^
,':V2k
R$ 6*,aZ
h%4TT&
4K0vgB/
0Bsb}T:
w0BAEP8
`WC]d%
<^`%K?
@:@,a`H
$}HU@=`
E[\z<
[E]G~/}CN9
+&,$TRQ^:h|Jb TB
1eDEp9>
BNGnl"U3
NtK*SG
On~i,#Huk
"rC {|
Yh9Y :
=r\%IS
|k^ VX
Q$.;AB
cf<e\Y'C
tGOKQ*ef5
:Hz)PU4'g>
<SR7yV$
zDI|'
6>N2@a_R
8"f~j1rX,qH3e[eK
&S~pk?t
2EwM~ |CB
#*N%O+s
M(!yE5A>agxwF
<'{t{/
FwkS(92p&
jX]=Ot
NNKjjs
-P?2\.A|
isv=)]B
eXJMc%
Q2Ck 37nfso
\QNB%5nSC6=-bB_^N
(~o{{7c9
*`<02;
Fe"j6[
AXnVb.zL
QKhMOcZ
^ p6;c4Ywme
p!fQt0
T Jo,V
+M7e76v
/\G&+XeMR+:
aP Yv]p
f"hl`Jc}
d1|oX I
5Y{dTTJ[EV3oX#
1sFb [e
K(>il?AMH[
]G?s$/
k,o65;ff$
Gezbx#\JL5
}/q Sl9U
GU x3`qw
*0|F8n9
vJ3k$c
rm[Kz"U*V
Mm]WUFtMc
[QKz_(
[iqxo=7
/` +FX
|:k71_O?;Rr%dm++{R2t1
K?}[*W
]yZaUyYNN1
I;es'LeUR~xIK
4v)t=2
sA%:L"
,-Kd|MQ%
WyTypR
zoN?w6
D&7&z:C`
ad|F]noA
dsGm _g4TNG9L
XUuC,%s-
fuDciO`TgA
r7d~1:RY
^`wk=1g
pWTxE)
}Dy}T
;F@z;Z
u>{3pg
z0}c(w@
q.tDE~?')}<<~S
I(Cm.h
y{]Wx!
dS#HFV}Zvk1
}8q~}jN
}z{&Zu /OP
yx`utxO
KKm ?YK7W_
:gM YaTk
+Te^w'*&Kv/oOL
K K{.qwz.
.Ze7+Nz
X'|O@0
<Z4U)vjNa.'M-8pg'p
g6<p/u!O]
>vX,BkL$
YUlF]m
s6J&1"PF
X9Lu%
oci@CWR
#+5*wPh
EzAT6W:
x*UX*Rb
BEY,A.
u E'ILRK{
&Dq6D+HL:c4t9Lz4MoX
]]GA2M8%
k0s`a=d%
GMf^rqft.
n;JKF.
2{,kMd
HJetu/
[EVj015f*KE
rNX4@3~g
Tf6i+|
I<hJwH
v Bk)wD8A^5Xe4
68&R_sr
pL=4,NW'
E!G/rHP}
Xz M)F
L RZQ3
IO"{p.LA
1-Kz8M:s
/nLdxe
ZJ%#H8
%N!J_H!r1
EVa>$:
Fm;6S`;RxTn/m
z{=3kfw
[,kh)u8
vX0i%:+t[
db*=K.
K6M1|z
Ct08}]2
g\S<+^WbZd
m9W6pMbf*U
Be/(7J!
!BWDub<nr
>blKJj~
3ZaT!euR
u`mFz"8
223`R Mh:O\o
-sQ.O}[L
X}/k9EN_^K_+Ce
Fuc,{%
#b|lsrG
(PZ<VX
9he}']
n+bKw|"
ex9i#~c
{H+gcW?G%
u{8v=4+9=]P
-!28_#
2VwKn]
tRf(TE
cKoi ks"HS7
/x;$FQc[
$/"+JU)
qqd$@aE
i?2 F<
IN:7./
a`r$N|ll/
8w!`!8o
g"1 Qa
1}W:(Sq
&Y2WmWvH
ED8)wS
G*\-E*x8
ch5fn1
EwVirtualAlloc
VirtualFree
t.x,<t
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
(08@P`p
8\(L(C@;
rDt$h3t$
E@D4l|Mu
1|hDhG8
A;r_^]
YSVW33h
T4$F`u(j
}RL4#HL4$F
D$$W3|$
3Vm0"@D
3V5>@D
D$,8_^]
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll
advapi32.dll
oleaut32.dll
advapi32.dll
version.dll
gdi32.dll
user32.dll
oleaut32.dll
ole32.dll
oleaut32.dll
comctl32.dll
shell32.dll
advapi32.dll
GetKeyboardType
RegQueryValueExA
SysFreeString
RegSetValueExA
VerQueryValueA
UnrealizeObject
CreateWindowExA
SafeArrayPtrOfIndex
OleUninitialize
GetErrorInfo
ImageList_SetIconSize
SHGetSpecialFolderLocation
SetSecurityInfo
""!!!!!!!!!!!!!!!!!!!!!!
$L$M$N$O$P
2$J$I$G$Fk
+U+U+V+X+Y+Z+Z+[+\
@(U+V+U+T+S+Q+P+O~
0Z0[0\0]0^0_0`0a0b0c0c0d0d-b
O'Z0`0_0^0]0\0[0Z0X0W0V0T
8b8c8d8f8g8h8i8i8j8k8k8l8l8m8m8m8n8n8n8n8m8m8m8l8l8k8k8j8i8h8g8g8e8d8c8b8a8`8^8]
?t?u?u?u?u?u?u?u?u?t?t?s?s?rIx
8R8S8T8T8U8V8W8W8X8X8Y8ZEzE{E{E{E{E{E{EzEzEzEyEyEx
8\8\8\8[8[8[8Z8Y8Y8Y8X
YYYYYYY
aaaaaaaaaaa
hhhhhhhhhhh
mmmmmmmmmmm
uuuuuuuuuuu
||}}}||||||
[.ShellClassInfo]
LocalizedResourceName=@shell32.dll,-21774
desktop.ini
2|2|2|<
My Documents.mydocs
2|2|2|N
L!This program cannot be run in DOS mode.
`.data
.rdata
.idata
NUS-1-WVuS<H`@
9weH`@
*e1[^_]
]]0uu,}}(D$(\$$t$ |$
tfu8u2u,]$u%] u
$e[^_]lq@
1e[^_]
D$(11D$
t$ 4$E
T$$t$ L$
s(CH`0@
U[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
,|,|Q-|X-|
wordpfct.wpd
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
"20191123144656.460","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Locales"
"20191123144656.460","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Borland\Locales"
"20191123144656.460","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Delphi\Locales"
"20191123144656.460","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x01010000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->1048576","flAllocationType->0x00002000","flProtect->0x00000001"
"20191123144656.460","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x01010000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x01010000","dwSize->16384","flAllocationType->0x00001000","flProtect->0x00000004"
"20191123144656.460","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x01310000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000040"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123144656.470","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000090","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20191123144656.470","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000090","nNumberOfBytesToRead->268"
"20191123144656.470","2032","HelpMe.exe","1116","filesystem","CreateFileW","FAILURE","","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144656.470","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x00990000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000004"
"20191123144656.470","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x00990000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00990000","dwSize->257","flAllocationType->0x00001000","flProtect->0x00000004"
"20191123144656.480","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000088","hKey->0x0000009c","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20191123144656.480","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000088","lpValueName->Compositing"
"20191123144656.490","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000088","hKey->0x0000009c","lpSubKey->Control Panel\Desktop"
"20191123144656.490","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000088","lpValueName->LameButtonText"
"20191123144656.490","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20191123144701.477","2032","HelpMe.exe","1116","process","CreateRemoteThread","SUCCESS","0x0000009c","lpStartAddress->0x00404008","th32ProcessID->2032","szExeFile->HelpMe.exe"
"20191123144701.477","2032","HelpMe.exe","1116","process","CreateRemoteThread","SUCCESS","0x000000a0","lpStartAddress->0x00404008","th32ProcessID->2032","szExeFile->HelpMe.exe"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x000000a8","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a8","lpValueName->Shell","dwType->1","lpData->Explorer.exe HelpMe.exe","cbData->25"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x000000ac","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegSetValueExA","SUCCESS","","hKey->0x000000ac","lpValueName->CheckedValue","dwType->4","lpData->0","cbData->4"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x000000b4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->Startup"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x000000b4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x000000b4","lpValueName->Startup","dwType->1","lpData->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup","cbData->130"
"20191123144701.487","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000b8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b8","lpValueName->NoNetHood"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000b8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000b8","lpValueName->NoPropertiesMyComputer"
"20191123144701.487","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20191123144701.487","2032","HelpMe.exe","1116","filesystem","CopyFileExW","FAILURE","","lpExistingFileName->C:\WINDOWS\system32\HelpMe.exe","lpNewFileName->C:\AutoRun.exe"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000a0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000a0","lpValueName->NoInternetIcon"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\HelpMe.exe"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000a0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000a0","lpValueName->NoCommonGroups"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000a0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000a0","lpValueName->NoControlPanel"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000a0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000a0","lpValueName->NoSetFolders"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","SUCCESS","0x000000a2","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"
"20191123144701.487","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000a2","lpValueName->(null)"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->SystemSetupInProgress"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\CurrentControlSet\Control\MiniNT"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\WPA\PnP"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->seed"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->OsLoaderPath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->OsLoaderPath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->SystemPartition"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->SystemPartition"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->SourcePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->SourcePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->ServicePackSourcePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->ServicePackSourcePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->ServicePackCachePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->ServicePackCachePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->DriverCachePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->DriverCachePath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000bc","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000bc","lpValueName->DevicePath"
"20191123144701.497","2032","HelpMe.exe","1116","synchronization","CreateMutexW","SUCCESS","0x000000b8","lpName->(null)"
"20191123144701.497","2032","HelpMe.exe","1116","synchronization","CreateMutexW","SUCCESS","0x000000c4","lpName->(null)"
"20191123144701.497","2032","HelpMe.exe","1116","synchronization","CreateMutexW","SUCCESS","0x000000cc","lpName->(null)"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000d0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000d0","lpValueName->LogLevel"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000d0","lpValueName->LogLevel"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000d0","lpValueName->LogPath"
"20191123144701.497","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000d0","lpSubKey->AppLogLevels"
"20191123144701.507","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20191123144701.507","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20191123144701.507","2032","HelpMe.exe","1116","registry","RegOpenKeyExA","SUCCESS","0x000000d0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20191123144701.507","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpMe.exe\RpcThreadPoolThrottle"
"20191123144701.507","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20191123144701.507","2032","HelpMe.exe","1116","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20191123144701.507","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000f4","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144701.517","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000f0","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144701.517","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f8","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0120f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20191123144701.517","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000f8","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123144701.527","2032","HelpMe.exe","1116","device","DeviceIoControl","FAILURE","","hDevice->0x000000f8","dwIoControlCode->0x006d0008","lpInBuffer->0x00157ae8","nInBufferSize->0x00000046","lpOutBuffer->0x00156e98","nOutBufferSize->0x00000020","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20191123144701.527","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f8","dwIoControlCode->0x006d0008","lpInBuffer->0x00157ae8","nInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0120f374","lpOverlapped->0x00000000"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->0x000000f8","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Data"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->0x000000fc","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.527","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->Generation"
"20191123144701.527","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000f8","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123144701.527","2032","HelpMe.exe","1116","device","DeviceIoControl","FAILURE","","hDevice->0x000000f8","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b20","nInBufferSize->0x00000208","lpOutBuffer->0x00158d30","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20191123144701.537","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f8","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b20","nInBufferSize->0x00000208","lpOutBuffer->0x00158d40","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20191123144701.537","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x000000f8","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123144701.537","2032","HelpMe.exe","1116","device","DeviceIoControl","FAILURE","","hDevice->0x000000f8","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b20","nInBufferSize->0x00000208","lpOutBuffer->0x00158d30","nOutBufferSize->0x00000008","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20191123144701.537","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x000000f8","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b20","nInBufferSize->0x00000208","lpOutBuffer->0x00158d58","nOutBufferSize->0x00000010","lpBytesReturned->0x0120f884","lpOverlapped->0x00000000"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x000000f8","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->0x000000f8","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fc","lpValueName->Generation"
"20191123144701.537","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20191123144701.537","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fe","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fe","lpSubKey->CurVer"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fa","hKey->0x000000fe","lpSubKey->(null)"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fc","lpValueName->DontShowSuperHidden"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x000000fc","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->0x000000fc","lpSubKey->(null)"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->ShellState"
"20191123144701.537","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->ShellState"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->ForceActiveDesktopOn"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->NoActiveDesktop"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\System"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->NoWebView"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->ClassicShell"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->SeparateProcess"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->NoNetCrawling"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000100","lpValueName->NoSimpleStartMenu"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000100","hKey->0x000000fc","lpSubKey->Advanced"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->Hidden"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->ShowCompColor"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->HideFileExt"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->DontPrettyPath"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->ShowInfoTip"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->HideIcons"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->MapNetDrvBtn"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->WebView"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->Filter"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->ShowSuperHidden"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->SeparateProcess"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000100","lpValueName->NoNetCrawling"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fa","lpSubKey->ShellEx\IconHandler"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fa","lpValueName->DocObject"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fa","lpValueName->BrowseInPlace"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fa","lpSubKey->Clsid"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000106","hKey->HKEY_CLASSES_ROOT","lpSubKey->Folder"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000106","lpSubKey->Clsid"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fa","lpValueName->IsShortcut"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000fa","lpValueName->AlwaysShowExt"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x000000fa","lpValueName->NeverShowExt"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000104","lpValueName->UseDesktopIniCache"
"20191123144701.547","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x77120000","lpFileName->oleaut32.dll"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000104","lpValueName->Com+Enabled"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3\Debug"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\OLE"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000104","lpValueName->MinimumFreeMemPercentageToCreateProcess"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000104","lpValueName->MinimumFreeMemPercentageToCreateObject"
"20191123144701.547","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000104","lpValueName->Com+Enabled"
"20191123144701.547","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x76fd0000","lpFileName->CLBCATQ.DLL"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000104","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000010c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000011c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000012c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000134","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000013c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000144","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000014c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000015c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000164","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000016c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Classes\CLSID"
"20191123144701.547","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000174","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000174","lpValueName->REGDBVersion"
"20191123144701.557","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000174","lpFileName->C:\WINDOWS\Registration\R000000000007.clb","dwDesiredAccess->GENERIC_READ"
"20191123144701.557","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000174","nNumberOfBytesToRead->22512"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000174","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\COM3"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000174","lpValueName->REGDBVersion"
"20191123144701.557","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x00a10000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000001"
"20191123144701.557","2032","HelpMe.exe","1116","memory","VirtualAllocEx","SUCCESS","0x00a10000","th32ProcessID->2032","szExeFile->HelpMe.exe","lpAddress->0x00a10000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000004"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000176","hKey->0x000000fa","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->TreatAs"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000182","hKey->0x000000fa","lpSubKey->(null)"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000176","hKey->0x00000182","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->0x00000176","lpSubKey->InprocServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000186","lpValueName->InprocServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->InprocServerX86"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->LocalServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->0x00000176","lpSubKey->InprocServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000186","lpValueName->(null)"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->InprocHandler32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->InprocHandlerX86"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->LocalServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->LocalServer"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->0x00000182","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000186","lpValueName->AppID"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000176","hKey->0x00000182","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000176","hKey->0x00000182","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->0x00000176","lpSubKey->InprocServer32"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000186","lpValueName->ThreadingModel"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000176","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{00021401-0000-0000-C000-000000000046}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000176","lpSubKey->TreatAs"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->0x00000184","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Generation"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018a","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->HKEY_CLASSES_ROOT","lpSubKey->Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000186","lpValueName->DriveMask"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000188","lpValueName->AllowFileCLSIDJunctions"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Personal"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Personal","dwType->1","lpData->C:\Documents and Settings\janettedoe\My Documents","cbData->100"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->0x00000188","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Generation"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000184","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Common Documents"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000184","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Common Documents","dwType->1","lpData->C:\Documents and Settings\All Users\Documents","cbData->92"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->0x00000184","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Generation"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Desktop"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Desktop","dwType->1","lpData->C:\Documents and Settings\janettedoe\Desktop","cbData->90"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->0x00000188","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Generation"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000184","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Common Desktop"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegCreateKeyExW","SUCCESS","0x00000184","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegSetValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Common Desktop","dwType->1","lpData->C:\Documents and Settings\All Users\Desktop","cbData->88"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->0x00000184","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000188","lpValueName->Generation"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000188","hKey->0x000000fc","lpSubKey->FileExts"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000188","lpSubKey->.exe"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000188","lpSubKey->.exe"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000186","hKey->HKEY_CLASSES_ROOT","lpSubKey->.exe"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000186","lpValueName->(null)"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018e","hKey->HKEY_CLASSES_ROOT","lpSubKey->exefile"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000018e","lpSubKey->CurVer"
"20191123144701.557","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000192","hKey->0x0000018e","lpSubKey->(null)"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000192","lpSubKey->ShellEx\IconHandler"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CLASSES_ROOT","lpSubKey->SystemFileAssociations\.exe"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CLASSES_ROOT","lpSubKey->SystemFileAssociations\application"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000192","lpValueName->DocObject"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000192","lpValueName->BrowseInPlace"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x00000192","lpSubKey->Clsid"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018e","hKey->HKEY_CLASSES_ROOT","lpSubKey->*"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->0x0000018e","lpSubKey->Clsid"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000192","lpValueName->IsShortcut"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000192","lpValueName->AlwaysShowExt"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000192","lpValueName->NeverShowExt"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000192","hKey->0x00000062","lpSubKey->Network\SharingHandler"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000192","lpValueName->(null)"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000190","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\winlogon"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000190","lpValueName->UserEnvDebugLevel"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000190","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\winlogon"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000190","lpValueName->ChkAccDebugLevel"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000190","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\CurrentControlSet\Control\ProductOptions"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000190","lpValueName->ProductType"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000184","hKey->0x0000018c","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Personal"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000184","lpValueName->Local Settings"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\winlogon"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x0000018c","lpValueName->RsopDebugLevel"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\winlogon"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x0000018c","lpValueName->UserEnvDebugLevel"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x0000018c","lpValueName->RsopLogging"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows\System"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x0000018c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\winlogon"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x0000018c","lpValueName->UserEnvDebugLevel"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows\System"
"20191123144701.567","2032","HelpMe.exe","1116","system","LoadLibraryW","SUCCESS","0x773d0000","lpFileName->comctl32.dll"
"20191123144701.567","2032","HelpMe.exe","1116","system","LoadLibraryW","SUCCESS","0x76990000","lpFileName->ntshrui.dll"
"20191123144701.567","2032","HelpMe.exe","1116","system","LoadLibraryA","SUCCESS","0x76980000","lpFileName->LINKINFO.dll"
"20191123144701.567","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000194","lpFileName->\\.\PIPE\srvsvc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000194","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\CurrentControlSet\Control\ProductOptions"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000194","lpValueName->ProductType"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegOpenKeyExW","SUCCESS","0x00000194","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
"20191123144701.567","2032","HelpMe.exe","1116","registry","RegQueryValueExW","FAILURE","","hKey->0x00000194","lpValueName->SrvsvcDefaultShareInfo"
"20191123144701.567","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x0000018c","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144701.577","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000194","lpFileName->\\.\PIPE\srvsvc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123144701.577","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000194","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->0x00000080"
"20191123144701.577","2032","HelpMe.exe","1116","device","DeviceIoControl","SUCCESS","","hDevice->0x00000194","dwIoControlCode->0x000900c0","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0120ece4","nOutBufferSize->0x00000040","lpBytesReturned->0x0120ecdc","lpOverlapped->0x00000000"
"20191123144701.577","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x0000018c","lpFileName->C:\WINDOWS\system32\","dwDesiredAccess->ATTRIBUTES"
"20191123144701.577","2032","HelpMe.exe","1116","device","DeviceIoControl","FAILURE","","hDevice->0x0000018c","dwIoControlCode->0x000900a8","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x00167438","nOutBufferSize->0x00004000","lpBytesReturned->0x0120e5ac","lpOverlapped->0x00000000"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000194","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->0x80000100"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000194","nNumberOfBytesToRead->64"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000194","nNumberOfBytesToRead->64"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000194","nNumberOfBytesToRead->4"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","ReadFile","SUCCESS","","hFile->0x00000194","nNumberOfBytesToRead->4"
"20191123144701.587","2032","HelpMe.exe","1116","filesystem","CreateFileW","SUCCESS","0x00000194","lpFileName->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup\Soft.lnk","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
2032.csv
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.223","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191123145926.264","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x00000084","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20191123145926.264","1836","HelpMe.exe","1792","filesystem","ReadFile","SUCCESS","","hFile->0x00000084","nNumberOfBytesToRead->268"
"20191123145926.264","1836","HelpMe.exe","1792","filesystem","CreateFileW","FAILURE","","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123145926.264","1836","HelpMe.exe","1792","memory","VirtualAllocEx","SUCCESS","0x00990000","th32ProcessID->1836","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000004"
"20191123145926.264","1836","HelpMe.exe","1792","memory","VirtualAllocEx","SUCCESS","0x00990000","th32ProcessID->1836","szExeFile->HelpMe.exe","lpAddress->0x00990000","dwSize->257","flAllocationType->0x00001000","flProtect->0x00000004"
"20191123145926.264","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000090","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20191123145926.264","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->Compositing"
"20191123145926.264","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000080","hKey->0x00000090","lpSubKey->Control Panel\Desktop"
"20191123145926.264","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000080","lpValueName->LameButtonText"
"20191123145926.264","1836","HelpMe.exe","1792","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20191123145931.231","1836","HelpMe.exe","1792","process","CreateRemoteThread","SUCCESS","0x00000090","lpStartAddress->0x00404008","th32ProcessID->1836","szExeFile->HelpMe.exe"
"20191123145931.231","1836","HelpMe.exe","1792","process","CreateRemoteThread","SUCCESS","0x00000094","lpStartAddress->0x00404008","th32ProcessID->1836","szExeFile->HelpMe.exe"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegCreateKeyExW","SUCCESS","0x0000009c","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SoftWare\Microsoft\Windows NT\CurrentVersion\Winlogon"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegSetValueExA","SUCCESS","","hKey->0x0000009c","lpValueName->Shell","dwType->1","lpData->Explorer.exe HelpMe.exe","cbData->25"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegCreateKeyExW","SUCCESS","0x000000a0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegSetValueExA","SUCCESS","","hKey->0x000000a0","lpValueName->CheckedValue","dwType->4","lpData->0","cbData->4"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegCreateKeyExW","SUCCESS","0x000000a8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000a8","lpValueName->Startup"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegCreateKeyExW","SUCCESS","0x000000a8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegSetValueExW","SUCCESS","","hKey->0x000000a8","lpValueName->Startup","dwType->1","lpData->C:\Documents and Settings\janettedoe\Start Menu\Programs\Startup","cbData->130"
"20191123145931.231","1836","HelpMe.exe","1792","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ac","lpValueName->NoNetHood"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ac","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.231","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ac","lpValueName->NoPropertiesMyComputer"
"20191123145931.231","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000ac","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20191123145931.231","1836","HelpMe.exe","1792","filesystem","CopyFileExW","FAILURE","","lpExistingFileName->C:\WINDOWS\system32\HelpMe.exe","lpNewFileName->C:\AutoRun.exe"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000094","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000094","lpValueName->NoInternetIcon"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\HelpMe.exe"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000094","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000094","lpValueName->NoCommonGroups"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000094","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000094","lpValueName->NoControlPanel"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x00000094","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x00000094","lpValueName->NoSetFolders"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExA","SUCCESS","0x00000096","hKey->HKEY_CLASSES_ROOT","lpSubKey->CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x00000096","lpValueName->(null)"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->SystemSetupInProgress"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\CurrentControlSet\Control\MiniNT"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->System\WPA\PnP"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->seed"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->OsLoaderPath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->OsLoaderPath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->SYSTEM\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->SystemPartition"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->SystemPartition"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->SourcePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->SourcePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->ServicePackSourcePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->ServicePackSourcePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->ServicePackCachePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->ServicePackCachePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->DriverCachePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->DriverCachePath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000b0","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000b0","lpValueName->DevicePath"
"20191123145931.251","1836","HelpMe.exe","1792","synchronization","CreateMutexW","SUCCESS","0x000000ac","lpName->(null)"
"20191123145931.251","1836","HelpMe.exe","1792","synchronization","CreateMutexW","SUCCESS","0x000000b8","lpName->(null)"
"20191123145931.251","1836","HelpMe.exe","1792","synchronization","CreateMutexW","SUCCESS","0x000000c0","lpName->(null)"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000c4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Setup"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c4","lpValueName->LogLevel"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000c4","lpValueName->LogLevel"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000c4","lpValueName->LogPath"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000c4","lpSubKey->AppLogLevels"
"20191123145931.251","1836","HelpMe.exe","1792","system","LoadLibraryA","SUCCESS","0x77920000","lpFileName->SETUPAPI.dll"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc\PagedBuffers"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExA","SUCCESS","0x000000c4","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Rpc"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpMe.exe\RpcThreadPoolThrottle"
"20191123145931.251","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Policies\Microsoft\Windows NT\Rpc"
"20191123145931.251","1836","HelpMe.exe","1792","system","LoadLibraryW","SUCCESS","0x77e70000","lpFileName->rpcrt4.dll"
"20191123145931.251","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000e8","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123145931.301","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000e4","lpFileName->\\.\PIPE\lsarpc","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191123145931.321","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x000000ec","dwIoControlCode->0x004d0008","lpInBuffer->0x00000000","nInBufferSize->0x00000000","lpOutBuffer->0x0121f37c","nOutBufferSize->0x00000208","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20191123145931.331","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123145931.331","1836","HelpMe.exe","1792","device","DeviceIoControl","FAILURE","","hDevice->0x000000ec","dwIoControlCode->0x006d0008","lpInBuffer->0x00157b10","nInBufferSize->0x00000046","lpOutBuffer->0x00156d10","nOutBufferSize->0x00000020","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20191123145931.331","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x000000ec","dwIoControlCode->0x006d0008","lpInBuffer->0x00157b10","nInBufferSize->0x00000046","lpOutBuffer->0x00146030","nOutBufferSize->0x000000ee","lpBytesReturned->0x0121f374","lpOverlapped->0x00000000"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ec","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->0x000000ec","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->Data"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ec","hKey->0x000000f0","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123145931.331","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000ec","lpValueName->Generation"
"20191123145931.331","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123145931.351","1836","HelpMe.exe","1792","device","DeviceIoControl","FAILURE","","hDevice->0x000000ec","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00156eb0","nOutBufferSize->0x00000008","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20191123145931.351","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x000000ec","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00158d40","nOutBufferSize->0x00000010","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20191123145931.351","1836","HelpMe.exe","1792","filesystem","CreateFileW","SUCCESS","0x000000ec","lpFileName->\\.\MountPointManager","dwDesiredAccess->ATTRIBUTES"
"20191123145931.351","1836","HelpMe.exe","1792","device","DeviceIoControl","FAILURE","","hDevice->0x000000ec","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00156eb0","nOutBufferSize->0x00000008","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20191123145931.371","1836","HelpMe.exe","1792","device","DeviceIoControl","SUCCESS","","hDevice->0x000000ec","dwIoControlCode->0x006d0034","lpInBuffer->0x00158b30","nInBufferSize->0x00000208","lpOutBuffer->0x00158d58","nOutBufferSize->0x00000010","lpBytesReturned->0x0121f884","lpOverlapped->0x00000000"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegCreateKeyExW","SUCCESS","0x000000ec","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegSetValueExW","SUCCESS","","hKey->0x000000ec","lpValueName->BaseClass","dwType->1","lpData->Drive","cbData->12"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ec","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->0x000000ec","lpSubKey->{a20cd692-8e41-11e1-9999-806d6172696f}\"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f0","lpValueName->Generation"
"20191123145931.371","1836","HelpMe.exe","1792","system","LoadLibraryA","SUCCESS","0x7c9c0000","lpFileName->SHELL32.dll"
"20191123145931.371","1836","HelpMe.exe","1792","system","LoadLibraryA","SUCCESS","0x774e0000","lpFileName->ole32.dll"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f2","hKey->HKEY_CLASSES_ROOT","lpSubKey->Directory"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000f2","lpSubKey->CurVer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000ee","hKey->0x000000f2","lpSubKey->(null)"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f0","lpValueName->DontShowSuperHidden"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f0","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->(null)"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->ShellState"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->ShellState"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->ForceActiveDesktopOn"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->NoActiveDesktop"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\System"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->NoWebView"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.371","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->ClassicShell"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->SeparateProcess"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->NoNetCrawling"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f4","lpValueName->NoSimpleStartMenu"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f4","hKey->0x000000f0","lpSubKey->Advanced"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Hidden"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->ShowCompColor"
"20191123145931.381","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->HideFileExt"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->DontPrettyPath"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->ShowInfoTip"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->HideIcons"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->MapNetDrvBtn"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->WebView"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->Filter"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->ShowSuperHidden"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->SeparateProcess"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000f4","lpValueName->NoNetCrawling"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000ee","lpSubKey->ShellEx\IconHandler"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ee","lpValueName->DocObject"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ee","lpValueName->BrowseInPlace"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000ee","lpSubKey->Clsid"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000fa","hKey->HKEY_CLASSES_ROOT","lpSubKey->Folder"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->0x000000fa","lpSubKey->Clsid"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ee","lpValueName->IsShortcut"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","SUCCESS","","hKey->0x000000ee","lpValueName->AlwaysShowExt"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000ee","lpValueName->NeverShowExt"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegOpenKeyExW","SUCCESS","0x000000f8","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
"20191123145931.411","1836","HelpMe.exe","1792","registry","RegQueryValueExW","FAILURE","","hKey->0x000000f8","lpValueName->UseDesktopIniCache"
1836.csv
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
L!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
Qs[QsrKPs
RsaTQscDsZQs
PsPDs.Ps
eOsHDs
TQs?DsADsTQs\BDsUQstQssADsCsxCsBRs[Qs%Rs
QsmYOs KDs0XQsaUQs
RsQsOs4CsTQsUQsADsUPstEDs
UQsPOQs
BsqPsLQs
RsFQsQs"DDs
QsMDsDDs
Left Project1
= 12
xCAT - Anti-Shutdown v1.00
Command1
Label5
Shutdowns stopped this session
Label4
Label3
Shutdowns stopped by xCAT- Anti-Shutdown
Label2
Label1
mnu_home
mnu_allow
Allow Shutdown
mnu_sep1
mnu_shutter
Shutdown
mnu_logoff
Normal LogOff
mnu_forcelogoff
Force LogOff
mnu_eferferfer
mnu_reboot
Normal Reboot
mnu_forcereboot
Force Reboot
mnu_nullzzzz
mnu_manual
Normal Shutdown
mnu_force
Force Shutdown
mnu_null1
mnu_about
mnu_exit
VB5! *
antishutdown
Project1
Project1
/o"CR8
Project1
mdlStopShutdown
Module1
Module2
UE[OJ>
mnu_reboot
+3qC:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
mnu_shutter
mnu_eferferfer
mnu_force
mnu_allow
mnu_logoff
mnu_manual
mnu_exit
Label5
mnu_nullzzzz
Command1
Label4
Label1
Label2
Label3
mnu_forcelogoff
mnu_forcereboot
mnu_about
mnu_null1
mnu_home
mnu_sep1
+3q"=h
shell32.dll
Shell_NotifyIconA
ExitWindowsEx
user32
CallWindowProcA
SetWindowLongA
GetMessageA
VBA6.DLL
__vbaFreeVar
__vbaVarOr
__vbaI4Var
__vbaSetSystemError
__vbaErrorOverflow
__vbaStrCopy
__vbaRecUniToAnsi
__vbaFpI4
__vbaOnError
__vbaStrI2
__vbaStrI4
__vbaI4Str
__vbaFreeObjList
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaFreeStr
__vbaCastObj
__vbaObjSet
__vbaFreeObj
__vbaHresultCheckObj
__vbaObjSetAddref
__vbaNew2
__vbaRecAnsiToUni
__vbaLateIdCallLd
__vbaLsetFixstr
\SVWeE
EPVRX;}
EUPh-@
]PSQT}
UERMPQj
UMRh$,@
]]PESPT}
MUQERPj
]PSRT}
EMPUQRj
EUPh,.@
]PSQT}
UERMPQj
UMRh.@
]]PESPT}
MUQERPj
MEQh.@
]PSRT}
EMPUQRj
]PSQT}
(MUQERPj
SVWeEP
SVWeEX
SVWeEh
SVWeEp
3f9=P@
Qd;}?.f=P@
8SVWeE
3EVMPUQuRu
8SVWeE
3EVMPUQuRu
8SVWeE
EEVMPUQRu
PjQl%0
SVWeE
PPj QR
mSVWeE
URQXE}
dQh,P@
MSVBVM60.DLL
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaFreeVar
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
DllFunctionCall
__vbaVarOr
_adj_fpatan
__vbaLateIdCallLd
__vbaRecUniToAnsi
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
chrome.exe
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
lowXAtN
"20191124225653.669","200","HelpMe.exe","1344","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Locales"
"20191124225653.669","200","HelpMe.exe","1344","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_LOCAL_MACHINE","lpSubKey->Software\Borland\Locales"
"20191124225653.669","200","HelpMe.exe","1344","registry","RegOpenKeyExA","FAILURE","","hKey->HKEY_CURRENT_USER","lpSubKey->Software\Borland\Delphi\Locales"
"20191124225653.669","200","HelpMe.exe","1344","memory","VirtualAllocEx","SUCCESS","0x01030000","th32ProcessID->200","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->1048576","flAllocationType->0x00002000","flProtect->0x00000001"
"20191124225653.679","200","HelpMe.exe","1344","memory","VirtualAllocEx","SUCCESS","0x01030000","th32ProcessID->200","szExeFile->HelpMe.exe","lpAddress->0x01030000","dwSize->16384","flAllocationType->0x00001000","flProtect->0x00000004"
"20191124225653.679","200","HelpMe.exe","1344","memory","VirtualAllocEx","SUCCESS","0x008f0000","th32ProcessID->200","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->4096","flAllocationType->0x00001000","flProtect->0x00000040"
"20191124225653.689","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.689","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.689","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.699","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.699","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.699","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.699","200","HelpMe.exe","1344","device","DeviceIoControl","SUCCESS","","hDevice->0x00000034","dwIoControlCode->0x00390008","lpInBuffer->0x77e46318","nInBufferSize->0x00000100","lpOutBuffer->0x0012fc34","nOutBufferSize->0x00000100","lpBytesReturned->0x0012fc2c","lpOverlapped->0x00000000"
"20191124225653.699","200","HelpMe.exe","1344","filesystem","CreateFileW","SUCCESS","0x00000090","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ"
"20191124225653.699","200","HelpMe.exe","1344","filesystem","ReadFile","SUCCESS","","hFile->0x00000090","nNumberOfBytesToRead->268"
"20191124225653.699","200","HelpMe.exe","1344","filesystem","CreateFileW","FAILURE","","lpFileName->C:\WINDOWS\system32\HelpMe.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
"20191124225653.699","200","HelpMe.exe","1344","memory","VirtualAllocEx","SUCCESS","0x00910000","th32ProcessID->200","szExeFile->HelpMe.exe","lpAddress->0x00000000","dwSize->65536","flAllocationType->0x00002000","flProtect->0x00000004"
"20191124225653.699","200","HelpMe.exe","1344","memory","VirtualAllocEx","SUCCESS","0x00910000","th32ProcessID->200","szExeFile->HelpMe.exe","lpAddress->0x00910000","dwSize->257","flAllocationType->0x00001000","flProtect->0x00000004"
"20191124225653.719","200","HelpMe.exe","1344","registry","RegOpenKeyExW","SUCCESS","0x00000088","hKey->0x0000009c","lpSubKey->Software\Microsoft\Windows\CurrentVersion\ThemeManager"
"20191124225653.719","200","HelpMe.exe","1344","registry","RegQueryValueExW","FAILURE","","hKey->0x00000088","lpValueName->Compositing"
"20191124225653.719","200","HelpMe.exe","1344","registry","RegOpenKeyExW","SUCCESS","0x00000088","hKey->0x0000009c","lpSubKey->Control Panel\Desktop"
"20191124225653.719","200","HelpMe.exe","1344","registry","RegQueryValueExW","FAILURE","","hKey->0x00000088","lpValueName->LameButtonText"
"20191124225653.719","200","HelpMe.exe","1344","system","LoadLibraryA","SUCCESS","0x5ad70000","lpFileName->uxtheme.dll"
"20191124225658.706","200","HelpMe.exe","1344","process","CreateRemoteThread","SUCCESS","0x0000009c","lpStartAddress->0x00404008","th32ProcessID->200","szExeFile->HelpMe.exe"
"20191124225658.706","200","HelpMe.exe","1344","process","CreateRemoteThread","SUCCESS","0x000000a0","lpStartAddress->0x00404008","th32ProcessID->200","szExeFile->HelpMe.exe"
200.csv
,|,|Q-|X-|
[autorun]
open=AutoRun.exe
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
AUTORUN.INF
B�B�A�B�O�R�T�
B�B�C�A�N�C�E�L�
B�B�C�L�O�S�E�
B�B�H�E�L�P�
B�B�I�G�N�O�R�E�
B�B�R�E�T�R�Y�
P�R�E�V�I�E�W�G�L�Y�P�H�
D�L�G�T�E�M�P�L�A�T�E�
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
T�F�R�M�_�M�A�I�N�
M�A�I�N�I�C�O�N�
d� � � � � �
S�"�"�"�"�"�"�!�!�!� �
%�%�%�%�%�%�%�%�$�$�$�#�"�
� � � �&�'�'�'�'�'�'�'�'�'�'�&�&�%�%�$�"�
� �"�#�$�%�&�&�'�(�(�)�)�*�*�*�+�+�+�+�*�*�*�)�)�(�(�'�&�%�$�$�"�!� � �
"�#�%�&�'�(�)�)�*�+�,�,�-�-�-�.�.�.�.�.�.�-�-�-�,�,�+�*�)�(�'�'�&�$�#�"� � �
$�%�'�(�)�*�+�+�,�-�.�.�/�/�0�0�0�0�0�0�0�/�/�/�.�.�-�,�,�+�)�)�'�&�%�$�"�!� �
'�(�*�+�,�-�.�/�0�0�1�2�2�2�3�3�3�3�3�3�3�3�2�2�1�1�0�/�/�.�-�,�+�)�(�'�%�$�#�
*�+�-�.�/�0�1�2�3�4�4�5�5�6�6�6�7�7�7�7�6�6�6�5�5�4�3�2�2�1�0�/�.�,�+�*�(�'�%�
?�.�0�1�2�3�4�5�6�6�7�7�8�8�9�9�9�9�9�8�8�8�7�7�6�5�4�4�3�2�1�0�.�-�,�*�)�
@�6�7�8�9�9�:�;�;�;�<�<�<�<�<�<�;�;�;�:�9�9�8�7�6�5�4�2�1�
E�=�>�>�?�?�?�?�?�?�?�?�>�>�=�<�<�;�:�9�
H�A�A�A�A�A�A�@�@�?�
J�K�K�L�L�M�M�M�N�N�N�N�N�
@�*�\�A�E�:�\�v�b�p�r�o�j�e�c�t�s�\�s�h�u�t�d�o�w�n�s�t�o�p�\�P�r�o�j�e�c�t�1�.�v�b�p�
x�C�A�T� �-� �A�n�t�i�-�S�h�u�t�d�o�w�n�
P�r�o�g�r�a�m�m�e�r�:� �S�k�u�n�k�A�h�
H�e�l�p�d�e�s�k�:� �h�t�t�p�:�/�/�w�w�w�.�x�c�a�t�-�i�n�d�u�s�t�r�i�e�s�.�c�o�m�/�f�o�r�u�m�
W�e�b�s�i�t�e�:� �h�t�t�p�:�/�/�w�w�w�.�x�c�a�t�-�i�n�d�u�s�t�r�i�e�s�.�c�o�m�
(�C�)�o�p�y�r�i�g�h�t� �2�0�0�2� �-� �x�C�A�T�-�I�n�d�u�s�t�r�i�e�s�
a�n�t�i�-�s�h�u�t�d�o�w�n�
D�i�s�a�l�l�o�w� �S�h�u�t�d�o�w�n�
A�l�l�o�w� �S�h�u�t�d�o�w�n�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
P�r�o�d�u�c�t�N�a�m�e�
P�r�o�j�e�c�t�1�
F�i�l�e�V�e�r�s�i�o�n�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
I�n�t�e�r�n�a�l�N�a�m�e�
a�n�t�i�s�h�u�t�d�o�w�n�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
a�n�t�i�s�h�u�t�d�o�w�n�.�e�x�e�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.