
Avans Kilmberry



E-Mails Used: welbedacht@hetnet.nl, kilmberryavns@hotmail.com
Subjects Used:
Confidential Proposition
Telephone Numbers:
N/A
First Seen by AurelloSoft Networks: March 8, 2010
Scam Origin: Netherlands
Scammer IP Area: 213.75.39.75
E-Mailed From: CPSMTPM-EML05.kpnxchange.com


Messages Collected:

Good day,
My name is Avans Kilmberry, I work as an external auditor for Bahrain Development Bank(BDB) in the Kingdom Of Bahrain, working as part of the team that covers the entire Middle East region. I had took much time to find your contact through a random web search using a deceased customer name.
I have Business Proposal of Twenty Seven Million, One hundred and fifty thousand United States Dollars ($27,150,000 USD) for you to handle with me from my bank. I will need you to help me in transferring the above funds from Bahrain to your country. I need to know if you will be able to handle this with me before I explain to you in details.

Contact on email via: kilmberryavns@hotmail.com
Kind regards
Avans Kilmberry
 

Trojan Found in Energizer Battery Software



US-CERT: http://www.kb.cert.org/vuls/id/154421

CVE Ref: CVE-2010-0103

AurelloSoft Article: Trojan.Arugizer

Energizer Inc.'s USB battery charging software contains a trojan horse that is installed during the program's installation process. The trojan horse opens a backdoor on TCP 7777 and awaits commands. The trojan is in the file Arugizer.dll.

Energizer Inc. has issued a Press Release stating their recall of the product, as well as the discontinuation of the USB DUO software download page which was available to download up until March 5th 2010.

The remote attacker is able to use the trojan to do the following:

  • Download Files
  • Execute Files
  • Transfer Files to the Attacker
  • Get Directory Listings for the System
  • Modify Certain Registry Entries

See more here: http://aurellosoft.org/site/index.php/threat-information-mainmenu-26/14-viruses/91-trojanarugizer.html

Last Updated ( Monday, 08 March 2010 13:46 )

 

W32.Twizzle



W32.Twizzle is a worm which spreads by posting links on the infected users' Twitter Pages. It also establishes connections to remote servers.


Discovered: February 23, 2010
Infection Length: 33889 bytes, 691865 bytes
MD5s: 2dba3c3d70b8bcc0356e58c971243ac0, 0b10fba0977c9b04e2dcb9f63fca8e93
SHA1s: 9E49F3D7BD246785E802ADCCAC5B8F42C51F8135, 4E11A98201F0A03347DE74D2A37E939BC25E041B
F050Bin: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Verified Type: EXE
File Errors: None
ANSI Signature: ­ÒÐEÝEGÒÐENÒÑE$ÒÐEi

The following files are created.

  • Creates file C:\ErrLog.txt (Contains Installer Log for Malware)
  • Creates file C:\Program Files\Common Files\alg.exe

 

The following network activity was detected.

  • Port 1049 UDP was opened.
  • Established connection to 72.29.77.243

The following registry entries were created/modified.

  • Deletes value "AppId" in key HKEY_LOCAL_MACHINE\software\classes\clsid\{ceff45ee-c862-41de-aee2-a022c81eda92}
  • Deletes Registry key HKEY_LOCAL_MACHINE\software\classes\clsid\{DBC80044-A445-435B-BC74-9C25C1C588A9}
  • Modifies value "Name=dw20.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
  • Modifies value "ID=4889DC4E" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication

This worm was investigated, named, and analyzed by AurelloSoft. New threats discovered and analyzed by AurelloSoft contain a lot more information in the report than normal threats do. If you have any questions about what the information means, please register and post a comment below.

 

W32.Scrshotvid



W32.Scrshotvid is a worm that spreads through removable drives. It may log keystrokes, view the screen and/or camera, and it may set up an FTP server.


Discovered: February 27, 2010
Infection Length: 1,818,624 Bytes
Systems at Risk: Windows Operating Systems

The following files are created.

  • %System%\msnmsg.exe
  • %DriveLetter%\imagem.exe
  • %DriveLetter%\autorun.inf

The following registry entries are created/modified.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Msnmsg" = "%System%\msnmsg.exe"
  • HKEY_CURRENT_USER\Software\Intel\Indeo\5.0
  • HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}
  • HKEY_CURRENT_USER\Software\TVideoGrabber

The worm may connect to the following servers.

  • http://www.hackersociety.net
  • http://hackersociety.no-ip.org

Removal:

Remove the files and registry entries listed above.
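
Before removing anything, it helps to confirm which of the listed indicators are actually present. The following read-only check is an added example, not an AurelloSoft tool. It assumes %System% means the Windows system folder and %DriveLetter% means a removable drive; the function name Get-ScrshotvidIndicator is made up for this example.

```powershell
# Read-only triage for the W32.Scrshotvid indicators listed in this report.
# Assumptions (not stated on the page): %System% is the Windows system folder,
# %DriveLetter% is the root of a removable drive.
function Get-ScrshotvidIndicator {
    [CmdletBinding()]
    param()

    # 1. Dropped executable in the system folder.
    $systemDir = [Environment]::GetFolderPath('System')
    $dropped = Join-Path $systemDir 'msnmsg.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        [pscustomobject]@{ Kind = 'File'; Location = $dropped; Detail = 'dropped executable present' }
    }

    # 2. Autostart value "Msnmsg" under the machine-wide Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'Msnmsg' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Kind = 'RunValue'; Location = "$runKey\Msnmsg"; Detail = $run.Msnmsg }
    }

    # 3. Per-user keys. The report lists them as "created/modified", so a key
    #    existing on its own is weaker evidence than items 1 and 2.
    $keys = @(
        'HKCU:\Software\Intel\Indeo\5.0',
        'HKCU:\Software\Microsoft\ActiveMovie\devenum\{33D9A761-90C8-11D0-BD43-00A0C911CE86}',
        'HKCU:\Software\TVideoGrabber'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Location = $key; Detail = 'key exists (created or modified per the report)' }
        }
    }

    # 4. Copies on removable drives (Win32_LogicalDisk DriveType 2 = removable).
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($disk in $removable) {
        $root = "$($disk.DeviceID)\"

        $copy = Join-Path $root 'imagem.exe'
        if (Test-Path -LiteralPath $copy -PathType Leaf) {
            [pscustomobject]@{ Kind = 'File'; Location = $copy; Detail = 'worm copy on removable drive' }
        }

        # autorun.inf also exists on clean media, so report whether it names
        # imagem.exe. The page does not describe the file's contents; the
        # content match is an assumption used only to rank the finding.
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            $text = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
            $refs = [bool]($text | Select-String -Pattern 'imagem\.exe' -Quiet)
            $detail = if ($refs) { 'autorun.inf references imagem.exe' } else { 'autorun.inf present, no imagem.exe reference' }
            [pscustomobject]@{ Kind = 'File'; Location = $inf; Detail = $detail }
        }
    }
}

# Prints nothing when none of the indicators are found.
Get-ScrshotvidIndicator | Format-Table -AutoSize -Wrap
```

HKCU resolves to the hive of the account running the script, so run it in the affected user's session to check the per-user keys.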

 

Rogueware.PCDefender



Rogueware.PCDefender is a rogueware application that displays exaggerated reports of non-existent threats on a user's system in order to trick them into purchasing a full version.

*** This is an Advanced Threat, and a removal tool for this threat will be available: February, 2010. ***
Please check back periodically for the removal tool that AurelloSoft is developing.
Partial Disable Tool: FIX_PCDEFENDER.exe (Updated: 02/19/2010 )


The following files are created.

  • C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender
  • C:\Program Files\Def Group
  • C:\Program Files\Def Group\PC Defender
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}
  • C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a98.dat
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1255449998jtun_allccmsl0819.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1265852195jtun_scd2.zip.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1266010716jtun_nav8enidfull25.x86.seg1.zip
  • C:\Documents and Settings\All Users\Desktop\PC Defender.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk
  • C:\INF\clean.hiv
  • C:\Program Files\Def Group\PC Defender\Antispyware.exe
  • C:\Program Files\Def Group\PC Defender\hook.dll
  • C:\Program Files\Def Group\PC Defender\proccheck.exe
  • C:\WINDOWS\Installer\14d256.msi
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_96222EB958BE7AE1F3D10F.exe
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_E99A03E2B966DDBBBF0A73.exe
  • C:\WINDOWS\Prefetch\922EE651620485838F50FE09DF119-1680527D.pf
  • C:\WINDOWS\Prefetch\ANTISPYWARE.EXE-19ABB532.pf
  • C:\WINDOWS\Prefetch\PROCCHECK.EXE-03906D86.pf
  • C:\WINDOWS\Prefetch\REG.EXE-0D2A95F7.pf

The following files are then modified.

  • C:\Documents and Settings\Administrator\Cookies\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • C:\Documents and Settings\Administrator\ntuser.dat.LOG
  • C:\INF\rgst152.dat
  • C:\WINDOWS\Debug\UserMode\userenv.log
  • C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
  • C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
  • C:\WINDOWS\Prefetch\PERL.EXE-08A6F3BE.pf
  • C:\WINDOWS\Prefetch\REGSHOT.EXE-2A173C98.pf
  • C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
  • C:\WINDOWS\system32\config\default
  • C:\WINDOWS\system32\config\default.LOG
  • C:\WINDOWS\system32\config\Software
  • C:\WINDOWS\system32\config\software.LOG
  • C:\WINDOWS\system32\config\system.LOG
  • C:\WINDOWS\system32\wbem\Logs\wbemess.log
  • C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

The following files may be deleted.

  • C:\Config.Msi

The following registry entries are created/modified.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\"" = ""
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" = "0x00002001"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\VAS\"922RR651620485838S50SR09QS119674.rkr" = "1B 00 00 00 06 00 00 00 10 8D 5A 77 91 B0 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Mode" = "4"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ScrollPos1280x1024(1).x" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ScrollPos1280x1024(1).y" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Sort" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"SortDir" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Col" = "0xFFFFFFFF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ColInfo" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 04 00 20 00 10 00 28 00 3C 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 00 01 60 00 78 00 78 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\INF\"922EE651620485838F50FE09DF119674.exe" = "922EE651620485838F50FE09DF119674"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\"REG.exe" = "Registry Console Tool"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"Antispyware.exe" = "PC Defender application main executable"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" = "0x00002001"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C7636129D6C606AC34B4F77B98D933A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\48F1979EDA9389E44C3097C667211849
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA7C3518924A9561AB587A3AED215D82
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC2ABC8E-3715-4A32-B8B5-559380F45282}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
  • HKEY_USERS\.DEFAULT\Software\Def Group
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\00000000000003e7
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows Script
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
  • HKEY_USERS\S-1-5-18\Software\Def Group
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = "53 E0 FB 62 45 48 79 84 CC 78 9F 8B C1 35 98 0A 23 FE 57 2B 3C 87 ED 65 5A 15 54 46 66 B5 33 66 37 19 AC 42 E8 49 F1 98 6F 69 83 00 28 0E 6E B5 35 EE 4F 8E 1E 1D E9 CF 52 65 22 90 CB 8A 3C AD 5B 5B 5B 8B 52 6B 84 87 1F E6 92 7E B5 DD 37 13"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = "0A 56 8A 09 B1 8B 9F 55 8D D2 1C 7B 14 F7 E5 77 D6 00 EF DB 11 3A AC C1 1A 9C 75 A1 48 57 38 D6 7C B3 67 44 EE 87 ED 60 E3 62 6C 13 6D 02 80 7A 41 4F E1 EA 71 FC 78 D5 6D 4F 15 59 6D D3 59 5A AC 20 E6 40 04 F7 33 D3 87 B5 0D 94 D7 4F D4 41"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0xE853C38D"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0x389F0129"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD\CLTNetConnect\"LastAction" = "0x4A55E325"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD\CLTNetConnect\"LastAction" = "0x4B7D2A9F"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\"" = "10"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\"" = "11"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\"" = "10"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\"" = "11"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002001"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002002"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\Administrator\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\LocalService\Local Settings\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\Administrator\Local Settings\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\LocalService\Local Settings\History"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\Administrator\Local Settings\History"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Far\SavedHistory\"Position" = "2E"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Far\SavedHistory\"Position" = "2F"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\"HRZR_EHACNGU" = "1A 00 00 00 A6 01 00 00 90 50 33 F9 94 00 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\"HRZR_EHACNGU" = "1B 00 00 00 A7 01 00 00 10 8D 5A 77 91 B0 CA 01"
1C 00 F6 00 00 00 D2 02 00 00 5A 00 32 00 79 02 00 00 75 35 48 45 20 00 50 52 4F 43 45 53 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 75 35 48 45 C3 3A 8C 52 14 00 00 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 00 20 00 4D 00 6F 00 6E 00 69 00 74 00 6F 00 72 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 F6 00 00 00 22 03 00 00 52 00 32 00 F0 01 00 00 31 38 D2 05 20 00 50 55 54 5F 43 4C 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 31 38 C9 05 E9 3A 75 61 14 00 00 00 70 00 75 00 74 00 5F 00 63 00 6C 00 69 00 70 00 2E 00 70 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 F6 00 00 00 72 03 00 00 50 00 32 00 73 02 00 00 43 37 7A 6A 20 00 52 4B 55 4E 48 4F 7E 31 2E 4C 4E 4B 00 00 34 00 03 00 04 00 EF BE 43 37 7A 6A E9 3A 75 61 14 00 00 00 52 00 6B 00 55 00 6E 00 68 00 6F 00 6F 00 6B 00 65 00 72 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 02 00 00 00 58 00 32 00 C8 02 00 00 3B 37 23 47 20 00 53 59 4D 50 52 4F 7E 31 2E 4C 4E 4B 00 00 3C 00 03 00 04 00 EF BE 3B 37 2A 46 E9 3A 75 61 14 00 00 00 53 00 59 00 4D 00 50 00 52 00 4F 00 54 00 45 00 43 00 54 00 20 00 4F 00 46 00 46 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 52 00 00 00 56 00 32 00 BC 02 00 00 3B 37 34 47 20 00 53 59 4D 50 52 4F 7E 32 2E 4C 4E 4B 00 00 3A 00 03 00 04 00 EF BE 3B 37 2A 46 E9 3A 75 61 14 00 00 00 53 00 59 00 4D 00 50 00 52 00 4F 00 54 00 45 00 43 00 54 00 20 00 4F 00 4E 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 A2 00 00 00 5E 00 32 00 CD 02 00 00 3B 37 2C 47 20 00 53 59 4D 50 52 4F 7E 33 2E 4C 4E 4B 00 00 42 00 03 00 04 00 EF BE 3B 37 2A 46 E9 3A 75 61 14 00 00 00 53 00 59 00 4D 00 50 00 52 00 4F 00 54 00 45 00 43 00 54 00 20 00 53 00 54 00 41 00 54 00 55 00 53 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 F2 00 00 00 42 00 32 00 B6 01 00 00 43 37 3D 51 20 00 54 4F 4F 4C 53 2E 6C 6E 6B 00 2A 00 03 00 04 00 EF BE 3A 37 68 62 E9 3A 75 61 14 00 00 00 54 00 4F 00 4F 00 4C 00 53 00 2E 00 6C 00 6E 00 6B 00 00 00 18 00 41 01 00 00 42 01 00 00 4E 00 32 00 FB 02 00 00 3A 37 49 6E 20 00 
56 49 52 55 53 44 7E 31 2E 4C 4E 4B 00 00 32 00 03 00 04 00 EF BE 3A 37 35 6E C3 3A 8B 52 14 00 00 00 56 00 69 00 72 00 75 00 73 00 44 00 65 00 66 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 41 01 00 00 92 01 00 00 46 00 32 00 D3 01 00 00 2A 37 16 5E 20 00 57 45 42 50 4C 7E 31 2E 4C 4E 4B 00 2C 00 03 00 04 00 EF BE 2A 37 05 5E C3 3A 8B 52 14 00 00 00 77 00 65 00 62 00 2E 00 70 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1A 00 41 01 00 00 92 01 00 00 00 00 00 00"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\Shell\Bags\1\Desktop\"ItemPos1280x1024(1)" = (binary value data omitted)
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\"MRUListEx" = "05 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 07 00 00 00 02 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 FF FF FF FF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\"MRUListEx" = "06 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 07 00 00 00 02 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 FF FF FF FF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Symantec\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46}\ToasterAlerts\"lastSavedTime" = "20090709T143648"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Symantec\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46}\ToasterAlerts\"lastSavedTime" = "20100218T120019"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\SessionInformation\"ProgramCount" = "5"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\SessionInformation\"ProgramCount" = "6"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002001"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002002"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\Administrator\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\LocalService\Local Settings\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\Administrator\Local Settings\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\LocalService\Local Settings\History"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\Administrator\Local Settings\History"

Last Updated ( Friday, 19 February 2010 20:58 )

 
