Sample viewer

vx.netlux.org/Trojan.DOS.Makerd

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:44:07.969305799Z 48 PC: 1899c | Get DOS version
2018-12-17T22:44:07.971643177Z 74 PC: 189ec | Reallocate memory
2018-12-17T22:44:07.973550162Z 48 PC: 18a50 | Get DOS version
2018-12-17T22:44:07.974960082Z 53 PC: 18a58 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:07.976909279Z 37 PC: 18a6a | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:07.978437269Z 53 PC: 1b0f2 | Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:07.979572165Z 37 PC: 1b102 | Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:07.981554388Z 53 PC: 1b107 | Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:07.983027606Z 37 PC: 1b117 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:07.984435633Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:07.986383651Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:07.987694939Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:07.989066085Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:07.990819419Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:07.992013671Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:07.993656974Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:07.995400773Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:07.997385064Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:07.999232Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:08.007793676Z 53 PC: 18e46 | Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:08.009836165Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:08.011254616Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:08.012876184Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:08.014498386Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:08.016013165Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:08.017956565Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:08.019568182Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:08.021126337Z 37 PC: 18e75 | Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:08.023374717Z 37 PC: 18e7c | Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:08.024741148Z 37 PC: 18e81 | Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:08.026503879Z 68 PC: 18afb | I/O control for devices (Set for = 'j')
2018-12-17T22:44:08.028573766Z 68 PC: 18afb | I/O control for devices (Set for = '`bdfhjlnprtvxz|~����������������������������������������������������������������')
2018-12-17T22:44:08.030495157Z 68 PC: 18afb | I/O control for devices (Set for = '�3���ߋ���� ')
2018-12-17T22:44:08.032946396Z 68 PC: 18afb | I/O control for devices (Set for = 'D �u����D �u��ϋ��6')
2018-12-17T22:44:08.034784855Z 68 PC: 18afb | I/O control for devices (Set for = 'D �u����D �u��ϋ��6')
2018-12-17T22:44:08.037036747Z 53 PC: 16138 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:08.038763249Z 53 PC: 16145 | Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:44:08.040478339Z 53 PC: 16152 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:08.042153452Z 37 PC: 16167 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:08.044431267Z 37 PC: 1616f | Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:44:08.04546287Z 37 PC: 16177 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:08.048123808Z 53 PC: 16bf6 | Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:44:08.049924323Z 53 PC: 16c03 | Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:44:08.051116539Z 53 PC: 16c12 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:44:08.052409743Z 37 PC: 16c1f | Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:44:08.054630841Z 53 PC: 16c26 | Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:44:08.056780944Z 37 PC: 16c33 | Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:44:08.058060072Z 53 PC: 16c3f | Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:44:08.063057942Z 48 PC: 16d01 | Get DOS version
2018-12-17T22:44:08.064440516Z 68 PC: 160ae | I/O control for devices (Set for = ' This will probably take about 2-3 minutes ')
2018-12-17T22:44:08.065986896Z 68 PC: 160ae | I/O control for devices (Set for = '')
2018-12-17T22:44:08.068542316Z 51 PC: 160cc | Get or set Ctrl-Break
2018-12-17T22:44:08.069663402Z 51 PC: 160d8 | Get or set Ctrl-Break
2018-12-17T22:44:08.077444183Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:08.088648001Z 26 PC: 13453 | Set disk transfer address
2018-12-17T22:44:08.089680522Z 78 PC: 1345a | Find first file
2018-12-17T22:44:08.100912813Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WINLOGO.BMP')
2018-12-17T22:44:08.444842001Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.449419767Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\256COLOR.BMP')
2018-12-17T22:44:08.460193582Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.464432623Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\ARCADE.BMP')
2018-12-17T22:44:08.475651272Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.478703724Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\ARGYLE.BMP')
2018-12-17T22:44:08.489988076Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.49317146Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CASTLE.BMP')
2018-12-17T22:44:08.504424564Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.508402452Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\EGYPT.BMP')
2018-12-17T22:44:08.520918752Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.524407705Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\HONEY.BMP')
2018-12-17T22:44:08.53592298Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.539304514Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\REDBRICK.BMP')
2018-12-17T22:44:08.550391906Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.554217573Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\RIVETS.BMP')
2018-12-17T22:44:08.566938904Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.570757422Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SQUARES.BMP')
2018-12-17T22:44:08.585563928Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.589549178Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\THATCH.BMP')
2018-12-17T22:44:08.601459967Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.606185413Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\ZIGZAG.BMP')
2018-12-17T22:44:08.617739777Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.621222786Z 26 PC: 13453 | Set disk transfer address
2018-12-17T22:44:08.623596686Z 78 PC: 1345a | Find first file
2018-12-17T22:44:08.630248563Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SETUP.TXT')
2018-12-17T22:44:08.642538893Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.645845573Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\BOOTLOG.TXT')
2018-12-17T22:44:08.657931312Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.661779391Z 26 PC: 13453 | Set disk transfer address
2018-12-17T22:44:08.663433619Z 78 PC: 1345a | Find first file
2018-12-17T22:44:08.670500587Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SYSTEM.INI')
2018-12-17T22:44:08.681425549Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.684836959Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WIN.INI')
2018-12-17T22:44:08.696747405Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.700156878Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\MOUSE.INI')
2018-12-17T22:44:08.71162498Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.716276224Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CONTROL.INI')
2018-12-17T22:44:08.727600663Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.731188828Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\MSD.INI')
2018-12-17T22:44:08.743385432Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.748641683Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PROGMAN.INI')
2018-12-17T22:44:08.759339462Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.763750622Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WINFILE.INI')
2018-12-17T22:44:08.776434845Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.779900528Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\DOSAPP.INI')
2018-12-17T22:44:08.791491734Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.795562897Z 26 PC: 13453 | Set disk transfer address
2018-12-17T22:44:08.796954733Z 78 PC: 1345a | Find first file
2018-12-17T22:44:08.804377993Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CONTROL.HLP')
2018-12-17T22:44:08.816914738Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.820358266Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SETUP.HLP')
2018-12-17T22:44:08.832103845Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.836784411Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WINFILE.HLP')
2018-12-17T22:44:08.851041983Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.854244549Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CALC.HLP')
2018-12-17T22:44:08.864163563Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.867148604Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CALENDAR.HLP')
2018-12-17T22:44:08.877220218Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.880684534Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CARDFILE.HLP')
2018-12-17T22:44:08.890665384Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.894120388Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\GLOSSARY.HLP')
2018-12-17T22:44:08.905696464Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.908377716Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PACKAGER.HLP')
2018-12-17T22:44:08.91774131Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.921879836Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PBRUSH.HLP')
2018-12-17T22:44:08.932388294Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.935709027Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PIFEDIT.HLP')
2018-12-17T22:44:08.947264825Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.950485702Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PRINTMAN.HLP')
2018-12-17T22:44:08.962279858Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.966533362Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\PROGMAN.HLP')
2018-12-17T22:44:08.977022463Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.980318656Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\RECORDER.HLP')
2018-12-17T22:44:08.991427469Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:08.994548966Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\REGEDIT.HLP')
2018-12-17T22:44:09.005768919Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.009963473Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\REGEDITV.HLP')
2018-12-17T22:44:09.02068331Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.023844788Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\TERMINAL.HLP')
2018-12-17T22:44:09.035241323Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.038377184Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WINHELP.HLP')
2018-12-17T22:44:09.049031546Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.053389128Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WRITE.HLP')
2018-12-17T22:44:09.06382866Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.06718974Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CHARMAP.HLP')
2018-12-17T22:44:09.078888885Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.082119712Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\CLIPBRD.HLP')
2018-12-17T22:44:09.110123568Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.114029845Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\MPLAYER.HLP')
2018-12-17T22:44:09.12502092Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.129355868Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\NOTEPAD.HLP')
2018-12-17T22:44:09.140593397Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.14411281Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SOL.HLP')
2018-12-17T22:44:09.156892951Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.160411509Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SOUNDREC.HLP')
2018-12-17T22:44:09.171617804Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.175900537Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\WINMINE.HLP')
2018-12-17T22:44:09.187063689Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.190817715Z 26 PC: 13453 | Set disk transfer address
2018-12-17T22:44:09.193009564Z 78 PC: 1345a | Find first file
2018-12-17T22:44:09.200107267Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SCRNSAVE.SCR')
2018-12-17T22:44:09.211057828Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.215047067Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SSFLYWIN.SCR')
2018-12-17T22:44:09.227130099Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.230511148Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SSMARQUE.SCR')
2018-12-17T22:44:09.242151643Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.245680282Z 65 PC: 133d1 | Delete file (Filename = 'C:\WINDOWS\SSSTARS.SCR')
2018-12-17T22:44:09.25650122Z 79 PC: 133d7 | Find next file
2018-12-17T22:44:09.260602669Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:09.266435634Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.274668266Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.286936772Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.302721961Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MVPDRMPK.TXT')
2018-12-17T22:44:09.313277867Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.TXT')
2018-12-17T22:44:09.321270548Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.339465654Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.342137387Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.TXT')
2018-12-17T22:44:09.350519617Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.354286223Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.358114052Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.362823259Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.365484197Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.369620972Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.372204508Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.383021694Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.SCR')
2018-12-17T22:44:09.389893402Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.401944958Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.4039571Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.SCR')
2018-12-17T22:44:09.412055513Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.422282483Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.42547568Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.428629651Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.431130421Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.434707718Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.435960677Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.446495528Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.EXE')
2018-12-17T22:44:09.453101728Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.464585093Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.466850192Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MVPDRMPK.EXE')
2018-12-17T22:44:09.474024272Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.47756979Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.482259472Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.485610714Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.488072589Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.49255989Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.494138622Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.503455465Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:09.507923879Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.516261159Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.525913323Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.543654378Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PTCSCASQ.TXT')
2018-12-17T22:44:09.554429414Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.TXT')
2018-12-17T22:44:09.562878304Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.574788304Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.576874401Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.TXT')
2018-12-17T22:44:09.585817198Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.589331766Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.592745913Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.597528229Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.600091325Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.603954066Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.607481493Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.618633428Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.SCR')
2018-12-17T22:44:09.626690673Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.639330005Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.641518585Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.SCR')
2018-12-17T22:44:09.649011047Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.652641281Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.655909809Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.659650035Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.662537856Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.667131531Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.66852739Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.679657809Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.EXE')
2018-12-17T22:44:09.686749018Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.701126086Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.702900055Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PTCSCASQ.EXE')
2018-12-17T22:44:09.709898137Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.713160644Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.716313617Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.719588699Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.734652771Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.738535615Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.740065245Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.750227208Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:09.754566374Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.762979269Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.773859547Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.78763482Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\CNMIXFNX.TXT')
2018-12-17T22:44:09.794040026Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.TXT')
2018-12-17T22:44:09.799182821Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.806985238Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.808531653Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.TXT')
2018-12-17T22:44:09.814026209Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.816055724Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.818245572Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.82124067Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.822906318Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.825610778Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.827137934Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.834351742Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.SCR')
2018-12-17T22:44:09.838627713Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.845717499Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.847147121Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.SCR')
2018-12-17T22:44:09.852040531Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.85419782Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.856428759Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.85910475Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.860562593Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.862949871Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.864482508Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.871196955Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.EXE')
2018-12-17T22:44:09.875370852Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.886996161Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.888161751Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CNMIXFNX.EXE')
2018-12-17T22:44:09.892500773Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.894491432Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.896660058Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.899406653Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.901334521Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.904942084Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:09.906683321Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.91529097Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:09.919537327Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.928610065Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.936840335Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:09.955615452Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\BHMGCZIT.TXT')
2018-12-17T22:44:09.967349628Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.TXT')
2018-12-17T22:44:09.974195181Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:09.982374987Z 62 PC: 14789 | Close file
2018-12-17T22:44:09.984170971Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.TXT')
2018-12-17T22:44:09.988651128Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:09.991121893Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:09.993277691Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:09.995418917Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:09.997491749Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:09.999913065Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.000946011Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.008140246Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.SCR')
2018-12-17T22:44:10.014757845Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.025384149Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.028993468Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.SCR')
2018-12-17T22:44:10.036444114Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.039237896Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.042930658Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.045924229Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.047934269Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.051965657Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.053215066Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.064675681Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.EXE')
2018-12-17T22:44:10.071424875Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.082759123Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.085712403Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BHMGCZIT.EXE')
2018-12-17T22:44:10.094866193Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.098173833Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.102841564Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.106555716Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.109140299Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.113991718Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.115582401Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.124794805Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:10.130052129Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.138620245Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.147977132Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.164826634Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MXDSJIBR.TXT')
2018-12-17T22:44:10.175109405Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.TXT')
2018-12-17T22:44:10.18271534Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.194169957Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.196029873Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.TXT')
2018-12-17T22:44:10.207076711Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.210024574Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.213114286Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.21712719Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.219195956Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.223257109Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.225586542Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.235972719Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.SCR')
2018-12-17T22:44:10.242897761Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.255153616Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.25687892Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.SCR')
2018-12-17T22:44:10.264742019Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.26842077Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.272004396Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.275761Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.278271663Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.281980938Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.2844326Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.296730505Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.EXE')
2018-12-17T22:44:10.303862928Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.315783747Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.317836999Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MXDSJIBR.EXE')
2018-12-17T22:44:10.325426499Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.329527363Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.332937626Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.336415091Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.339864541Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.343836617Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.345484227Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.359515587Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:10.364034085Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.37386975Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.383532573Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.405370315Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\HINENXRG.TXT')
2018-12-17T22:44:10.417583595Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.TXT')
2018-12-17T22:44:10.425377479Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.436541514Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.439035279Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.TXT')
2018-12-17T22:44:10.44669257Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.44979363Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.454830058Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.458341262Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.460710175Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.46853735Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.470202748Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.481735247Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.SCR')
2018-12-17T22:44:10.489555546Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.500970519Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.503343848Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.SCR')
2018-12-17T22:44:10.519820149Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.524724349Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.528343332Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.53180638Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.533415335Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.536995149Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.538063122Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.548337265Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.EXE')
2018-12-17T22:44:10.556049942Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.56372927Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.565676733Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HINENXRG.EXE')
2018-12-17T22:44:10.57065734Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.572589372Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.575507982Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.577827197Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.579295687Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.582307888Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.583772081Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.592949895Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:10.598370286Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.60710116Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.616621269Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.629201469Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\NTRWCBFF.TXT')
2018-12-17T22:44:10.635907147Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.TXT')
2018-12-17T22:44:10.641384975Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.649130417Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.650534504Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.TXT')
2018-12-17T22:44:10.65616309Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.658214606Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.660429941Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.663352589Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.664876412Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.667488805Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.669134348Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.676357696Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.SCR')
2018-12-17T22:44:10.681286343Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.688840767Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.69106734Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.SCR')
2018-12-17T22:44:10.6999889Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.703818312Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.707524289Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.712080902Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.714774672Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.718916701Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.721596841Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.732544862Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.EXE')
2018-12-17T22:44:10.740102848Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.752060282Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.754210537Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NTRWCBFF.EXE')
2018-12-17T22:44:10.762701138Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.766102749Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.769499325Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.774006286Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.776297643Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.780200881Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.782487689Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.792248812Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:10.798121269Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.80726589Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.816904535Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:10.832692318Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\TEWOWGIW.TXT')
2018-12-17T22:44:10.843254421Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.TXT')
2018-12-17T22:44:10.850461302Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.86273324Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.864952454Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.TXT')
2018-12-17T22:44:10.873611259Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.877149633Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.880364381Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.88466767Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.886902918Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.89081354Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.89303924Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.905498139Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.SCR')
2018-12-17T22:44:10.912205495Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.92370261Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.925548721Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.SCR')
2018-12-17T22:44:10.933547162Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:10.936319297Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:10.947064546Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:10.950975808Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:10.953124691Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:10.956796151Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:10.965854011Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.976473441Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.EXE')
2018-12-17T22:44:10.984215273Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:10.995337953Z 62 PC: 14789 | Close file
2018-12-17T22:44:10.997336072Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TEWOWGIW.EXE')
2018-12-17T22:44:11.006075155Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.010176505Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.013844449Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.01812463Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.020305403Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.024806275Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.027010353Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.036235221Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:11.041383844Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.049819095Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.058242464Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.074921928Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\HFTVUVNR.TXT')
2018-12-17T22:44:11.085199694Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.TXT')
2018-12-17T22:44:11.093249942Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.10431998Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.106236912Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.TXT')
2018-12-17T22:44:11.11477567Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.117857296Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.12137267Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.125517138Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.127757948Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.131911562Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.135483022Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.146812134Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.SCR')
2018-12-17T22:44:11.15392805Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.165731548Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.167573331Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.SCR')
2018-12-17T22:44:11.176115347Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.17920037Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.182349743Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.186416691Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.188677423Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.192745458Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.195046159Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.205643246Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.EXE')
2018-12-17T22:44:11.213420997Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.225388839Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.227662015Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFTVUVNR.EXE')
2018-12-17T22:44:11.236484958Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.239545014Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.243677129Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.247039621Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.249323264Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.257266681Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.262839962Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.279982124Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:11.286051716Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.294970896Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.304935164Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.320350166Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\DIXCAYXP.TXT')
2018-12-17T22:44:11.330879989Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.TXT')
2018-12-17T22:44:11.338349073Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.345890114Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.347247501Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.TXT')
2018-12-17T22:44:11.352971817Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.3550307Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.357451599Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.359830662Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.361352785Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.36480085Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.366381127Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.377049182Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.SCR')
2018-12-17T22:44:11.385026107Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.396084229Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.397932256Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.SCR')
2018-12-17T22:44:11.406502157Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.410449048Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.414960383Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.41819136Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.420447732Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.425254482Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.426942763Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.437720186Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.EXE')
2018-12-17T22:44:11.445847498Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.457140632Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.459226699Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DIXCAYXP.EXE')
2018-12-17T22:44:11.467882065Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.471190755Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.475638544Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.479707731Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.482049343Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.487480599Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.489064923Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.498117694Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:11.503588409Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.512046082Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.521844955Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.536828961Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\FASSVVED.TXT')
2018-12-17T22:44:11.547997761Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.TXT')
2018-12-17T22:44:11.555936566Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.566902256Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.569567677Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.TXT')
2018-12-17T22:44:11.57791001Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.581015938Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.585307933Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.588731811Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.590994257Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.595470718Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.596966211Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.608555795Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.SCR')
2018-12-17T22:44:11.616342161Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.627855138Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.630870659Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.SCR')
2018-12-17T22:44:11.638444132Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.642578706Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.646229366Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.649906017Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.653435395Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.657891108Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.659752262Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.671297212Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.EXE')
2018-12-17T22:44:11.678146819Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.690626814Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.692573359Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\FASSVVED.EXE')
2018-12-17T22:44:11.699982968Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.703638581Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.70721615Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.726630898Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.730006577Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.733849689Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.736307913Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.746299963Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:11.750379351Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.759618543Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.768015802Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.783353594Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\TERDVBQL.TXT')
2018-12-17T22:44:11.793616634Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.TXT')
2018-12-17T22:44:11.800463521Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.813018088Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.815018446Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.TXT')
2018-12-17T22:44:11.822712266Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.826584986Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.829889283Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.83415113Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.836742398Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.840581526Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.843238997Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.85375409Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.SCR')
2018-12-17T22:44:11.861384191Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.873141071Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.875376806Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.SCR')
2018-12-17T22:44:11.883791213Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.887078223Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.890485934Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.89478695Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.897090592Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.901754552Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.903699635Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.916124789Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.EXE')
2018-12-17T22:44:11.92406334Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:11.93496727Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.937605284Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TERDVBQL.EXE')
2018-12-17T22:44:11.945502545Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:11.9482367Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:11.952095177Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:11.955500571Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:11.957748766Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:11.962301291Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:11.963912803Z 62 PC: 14789 | Close file
2018-12-17T22:44:11.978083105Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:11.982352693Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:11.992366638Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.002237428Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.018444425Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\GHIPREJB.TXT')
2018-12-17T22:44:12.029851177Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.TXT')
2018-12-17T22:44:12.037235655Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.048310076Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.051487907Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.TXT')
2018-12-17T22:44:12.059305214Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.062847058Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.066688102Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.070794341Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.074389286Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.078429253Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.080307686Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.091751531Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.SCR')
2018-12-17T22:44:12.098696576Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.111532879Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.113519116Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.SCR')
2018-12-17T22:44:12.121652685Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.126274399Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.129775406Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.134263331Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.137377913Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.141284253Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.144187872Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.15500421Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.EXE')
2018-12-17T22:44:12.162330543Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.174536875Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.176591858Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GHIPREJB.EXE')
2018-12-17T22:44:12.185468443Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.188617195Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.19204794Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.196691532Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.199508482Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.20513876Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.207106747Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.216547274Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:12.222033706Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.230492157Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.239935503Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.255507954Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\ZYGKRVGL.TXT')
2018-12-17T22:44:12.267003369Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.TXT')
2018-12-17T22:44:12.275216018Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.286951693Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.290150656Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.TXT')
2018-12-17T22:44:12.29887325Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.302034817Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.306353246Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.309947661Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.313335008Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.317153295Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.318728051Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.330265567Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.SCR')
2018-12-17T22:44:12.338083807Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.349894694Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.351889447Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.SCR')
2018-12-17T22:44:12.359430032Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.363451768Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.366720113Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.371229631Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.37396213Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.378104345Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.380903896Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.391884577Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.EXE')
2018-12-17T22:44:12.399916344Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.411740221Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.414039872Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ZYGKRVGL.EXE')
2018-12-17T22:44:12.422365266Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.427691519Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.431819711Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.43514165Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.437012896Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.440985443Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.44264349Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.452359808Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:12.456847969Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.466749914Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.476287933Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.491497209Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\NRQACDDL.TXT')
2018-12-17T22:44:12.503227201Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.TXT')
2018-12-17T22:44:12.510336116Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.522504846Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.524508516Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.TXT')
2018-12-17T22:44:12.532683687Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.536592601Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.540158147Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.544111387Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.546109793Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.549621546Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.551228658Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.562497869Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.SCR')
2018-12-17T22:44:12.571811494Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.583507681Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.595759396Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.SCR')
2018-12-17T22:44:12.603528749Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.606479622Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.610971088Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.614169927Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.616211415Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.621860702Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.623211231Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.635167246Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.EXE')
2018-12-17T22:44:12.642070196Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.65347742Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.656597457Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\NRQACDDL.EXE')
2018-12-17T22:44:12.665172152Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.669617893Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.673239147Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.677475199Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.680586514Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.684562985Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.687655377Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.696783885Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:12.702028377Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.711507657Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.720170631Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.738248275Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\VECHVSVF.TXT')
2018-12-17T22:44:12.748563803Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.TXT')
2018-12-17T22:44:12.756121778Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.767426415Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.769273222Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.TXT')
2018-12-17T22:44:12.777675916Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.781142524Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.78526746Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.788670381Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.790987081Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.795375367Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.797620843Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.808789158Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.SCR')
2018-12-17T22:44:12.815521032Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.82797862Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.829945317Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.SCR')
2018-12-17T22:44:12.837443793Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.841319146Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.844622328Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.848808092Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.851423019Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.855263673Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.857940805Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.869381291Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.EXE')
2018-12-17T22:44:12.876721156Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.888083209Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.889984042Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\VECHVSVF.EXE')
2018-12-17T22:44:12.89846778Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:12.901442661Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:12.905985098Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:12.909639886Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:12.911891651Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:12.916777132Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:12.918364427Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.927916557Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:12.933445277Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.942091399Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.951504472Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:12.966115918Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\EPCVBMME.TXT')
2018-12-17T22:44:12.977473342Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.TXT')
2018-12-17T22:44:12.98440167Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:12.997338874Z 62 PC: 14789 | Close file
2018-12-17T22:44:12.999139894Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.TXT')
2018-12-17T22:44:13.006433521Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.010374451Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.014370041Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.018843126Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.021035012Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.024880071Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.027028781Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.037513288Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.SCR')
2018-12-17T22:44:13.045514741Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.057424156Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.060517907Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.SCR')
2018-12-17T22:44:13.068638583Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.071836512Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.076371597Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.079903531Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.082768427Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.087060121Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.088760055Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.119039818Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.EXE')
2018-12-17T22:44:13.126784544Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.139237023Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.141635918Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EPCVBMME.EXE')
2018-12-17T22:44:13.149255223Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.153491566Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.156901243Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.161297332Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.164020966Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.167945584Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.17070109Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.180301367Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:13.1857028Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.195241645Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.203736506Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.219660945Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KIJXTEAE.TXT')
2018-12-17T22:44:13.236581814Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.TXT')
2018-12-17T22:44:13.244420205Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.256682447Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.258599629Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.TXT')
2018-12-17T22:44:13.268137322Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.271150353Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.275374096Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.279047611Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.281319202Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.286187115Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.287768449Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.299038869Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.SCR')
2018-12-17T22:44:13.306321064Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.317963551Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.320334553Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.SCR')
2018-12-17T22:44:13.327759056Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.331840541Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.335201795Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.339424242Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.342058039Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.346316887Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.349435234Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.360015442Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.EXE')
2018-12-17T22:44:13.367547123Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.378709483Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.38044267Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KIJXTEAE.EXE')
2018-12-17T22:44:13.39019195Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.393257015Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.397511612Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.401269435Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.403601314Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.408517525Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.410165031Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.419941552Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:13.424369305Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.432909471Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.442235603Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.457732881Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\KDNKIDJI.TXT')
2018-12-17T22:44:13.468904233Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.TXT')
2018-12-17T22:44:13.476140947Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.488236873Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.490412038Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.TXT')
2018-12-17T22:44:13.497953699Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.501514036Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.504867219Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.508910119Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.511032688Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.516498501Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.518108485Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.528607681Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.SCR')
2018-12-17T22:44:13.536054903Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.546988041Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.549863413Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.SCR')
2018-12-17T22:44:13.557708521Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.560894547Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.565158919Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.568541729Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.571895628Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.575747109Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.578212161Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.589689558Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.EXE')
2018-12-17T22:44:13.596537787Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.608599927Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.610590867Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\KDNKIDJI.EXE')
2018-12-17T22:44:13.619014247Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.626582064Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.630241705Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.634645661Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.636971167Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.641975715Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.643608272Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.654294729Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:13.659145981Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.667716704Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.681705516Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.696513586Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\YFADYQOW.TXT')
2018-12-17T22:44:13.708240166Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.TXT')
2018-12-17T22:44:13.714929528Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.727441272Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.729291947Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.TXT')
2018-12-17T22:44:13.736592963Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.739481694Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.742589647Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.74625366Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.748286309Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.752330055Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.75368459Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.764400108Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.SCR')
2018-12-17T22:44:13.772199425Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.783224373Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.786319809Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.SCR')
2018-12-17T22:44:13.79359325Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.797007008Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.800098594Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.80373491Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.805732501Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.809252058Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.810776629Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.821112973Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.EXE')
2018-12-17T22:44:13.828038256Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.839407067Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.841665368Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YFADYQOW.EXE')
2018-12-17T22:44:13.848858172Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.85213455Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.855120492Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.858404984Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.860621406Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.864094174Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.865685069Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.874451304Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:13.879062115Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.887296468Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.895789997Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:13.911163817Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\RRKAUVBC.TXT')
2018-12-17T22:44:13.921177473Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.TXT')
2018-12-17T22:44:13.927921403Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.938865621Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.941261299Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.TXT')
2018-12-17T22:44:13.948563024Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:13.951525043Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:13.954543811Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:13.958385288Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:13.96030127Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:13.963808957Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:13.966133684Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.976767341Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.SCR')
2018-12-17T22:44:13.984536489Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:13.995443125Z 62 PC: 14789 | Close file
2018-12-17T22:44:13.998583765Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.SCR')
2018-12-17T22:44:14.006003125Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.008746512Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.012313569Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.015417055Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.017957542Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.021695905Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.023546001Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.034660652Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.EXE')
2018-12-17T22:44:14.041509353Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.052893486Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.05448453Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RRKAUVBC.EXE')
2018-12-17T22:44:14.062216794Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.064875889Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.068389868Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.071575003Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.074347448Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.077857111Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.07907431Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.088655811Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:14.092838602Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.102111355Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.110618969Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.126156082Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\HFSJAQAR.TXT')
2018-12-17T22:44:14.136339264Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.TXT')
2018-12-17T22:44:14.143389485Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.155921258Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.157536252Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.TXT')
2018-12-17T22:44:14.16578266Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.168443475Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.17166012Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.174907058Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.177386097Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.180901601Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.182118623Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.192519026Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.SCR')
2018-12-17T22:44:14.199076324Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.210046618Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.211663844Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.SCR')
2018-12-17T22:44:14.219706328Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.223023958Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.225981764Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.229508379Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.231454785Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.23577265Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.237133719Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.247764961Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.EXE')
2018-12-17T22:44:14.255058455Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.266471047Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.269670875Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFSJAQAR.EXE')
2018-12-17T22:44:14.276936983Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.281352361Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.284365669Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.287593021Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.295857476Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.299663609Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.301523488Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.310266234Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:14.314890968Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.323153124Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.331999107Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.347076647Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\XHPIOHVK.TXT')
2018-12-17T22:44:14.357379097Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.TXT')
2018-12-17T22:44:14.364266195Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.377501353Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.379557035Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.TXT')
2018-12-17T22:44:14.386877438Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.38988815Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.39320112Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.396949467Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.399010348Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.402942716Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.4043521Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.415416609Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.SCR')
2018-12-17T22:44:14.423837637Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.435023122Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.437685968Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.SCR')
2018-12-17T22:44:14.445316102Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.44942963Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.452523275Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.45647777Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.458517673Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.462046221Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.463534789Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.473837128Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.EXE')
2018-12-17T22:44:14.481729629Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.494107889Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.496235135Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\XHPIOHVK.EXE')
2018-12-17T22:44:14.503514028Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.506640971Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.509624255Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.513943486Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.516076507Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.519692033Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.521639175Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.530530344Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:14.539389216Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.548347311Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.558419486Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.57288592Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\TPLDBSWA.TXT')
2018-12-17T22:44:14.58362081Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.TXT')
2018-12-17T22:44:14.590268126Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.601344548Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.603377693Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.TXT')
2018-12-17T22:44:14.609167725Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.612722911Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.615784197Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.619536871Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.62225476Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.627176903Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.6285178Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.639403283Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.SCR')
2018-12-17T22:44:14.646352589Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.657693979Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.659380517Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.SCR')
2018-12-17T22:44:14.666681336Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.669375747Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.672976113Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.67598066Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.677813535Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.681277596Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.682480232Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.692518455Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.EXE')
2018-12-17T22:44:14.698954898Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.710175053Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.712080078Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\TPLDBSWA.EXE')
2018-12-17T22:44:14.720012478Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.722775353Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.72845873Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.73153636Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.733895659Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.737983721Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.739335515Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.747899209Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:14.75188077Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.759956992Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.767892523Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.782911755Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\JREKRUTQ.TXT')
2018-12-17T22:44:14.792608808Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.TXT')
2018-12-17T22:44:14.808393094Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.819551315Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.825444209Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.TXT')
2018-12-17T22:44:14.832768405Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.835915529Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.839137097Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.842378915Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.844675595Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.848843153Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.850566737Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.860854318Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.SCR')
2018-12-17T22:44:14.867986893Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.879534574Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.881973319Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.SCR')
2018-12-17T22:44:14.890072746Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.893195292Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.896179011Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.900046127Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.902110762Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.908484314Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.909772309Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.920497204Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.EXE')
2018-12-17T22:44:14.927186209Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:14.939021167Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.94138163Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JREKRUTQ.EXE')
2018-12-17T22:44:14.948911649Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:14.952642428Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:14.955626529Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:14.959630989Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:14.964320015Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:14.969036222Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:14.9704128Z 62 PC: 14789 | Close file
2018-12-17T22:44:14.979625301Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:14.983761795Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:14.992392381Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.001062077Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.029243355Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\CZTGDQCM.TXT')
2018-12-17T22:44:15.039501457Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.TXT')
2018-12-17T22:44:15.046121263Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.070166555Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.071830954Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.TXT')
2018-12-17T22:44:15.079795381Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.082539519Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.086509187Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.088755654Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.091340932Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.097834366Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.099201869Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.109952989Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.SCR')
2018-12-17T22:44:15.117769834Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.133668756Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.13613648Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.SCR')
2018-12-17T22:44:15.144660354Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.147768964Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.151902124Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.155484112Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.159172172Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.163151465Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.165259677Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.17625243Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.EXE')
2018-12-17T22:44:15.183579423Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.195800354Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.197455974Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CZTGDQCM.EXE')
2018-12-17T22:44:15.205408254Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.20857722Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.212397103Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.21567883Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.230300998Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.237032516Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.239522547Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.248568128Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:15.254198781Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.263561749Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.277988737Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.292614457Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\LDPVSQMO.TXT')
2018-12-17T22:44:15.30342182Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.TXT')
2018-12-17T22:44:15.310117681Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.322896876Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.325122556Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.TXT')
2018-12-17T22:44:15.332801387Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.336258095Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.33967532Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.343967941Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.347017867Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.350675341Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.353228735Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.363748335Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.SCR')
2018-12-17T22:44:15.371430493Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.382717738Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.385428426Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.SCR')
2018-12-17T22:44:15.393518681Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.396583894Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.400371097Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.404057458Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.406298115Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.410191183Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.412330259Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.422799413Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.EXE')
2018-12-17T22:44:15.430348708Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.441271083Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.444499454Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LDPVSQMO.EXE')
2018-12-17T22:44:15.452045112Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.456162544Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.459910158Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.463914679Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.465922473Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.470114221Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.471483905Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.481453152Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:15.48607534Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.494935969Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.503122782Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.518411228Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MWTMGIVV.TXT')
2018-12-17T22:44:15.525797596Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.TXT')
2018-12-17T22:44:15.531381497Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.542426421Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.545378264Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.TXT')
2018-12-17T22:44:15.552894747Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.556946885Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.560089739Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.564515296Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.56669161Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.570976031Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.573614353Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.584223528Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.SCR')
2018-12-17T22:44:15.595392141Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.606637867Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.609429028Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.SCR')
2018-12-17T22:44:15.617048186Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.620342207Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.623408824Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.626920487Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.628851996Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.636317116Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.637847111Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.645224914Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.EXE')
2018-12-17T22:44:15.64955012Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.657067706Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.65875272Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MWTMGIVV.EXE')
2018-12-17T22:44:15.666563337Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.669242659Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.672629627Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.675671313Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.678022803Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.681496481Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.683242729Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.692003343Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:15.696303923Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.704529126Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.712828721Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.728200712Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\RWRBVXSB.TXT')
2018-12-17T22:44:15.738233574Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.TXT')
2018-12-17T22:44:15.744798501Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.755721353Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.761008529Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.TXT')
2018-12-17T22:44:15.768538754Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.771429367Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.774567356Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.778374256Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.781175365Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.784818822Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.78596843Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.797408442Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.SCR')
2018-12-17T22:44:15.804446361Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.81708858Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.819133471Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.SCR')
2018-12-17T22:44:15.827410688Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.83027393Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.834436527Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.837950343Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.840594761Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.844127075Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.845851879Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.857271077Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.EXE')
2018-12-17T22:44:15.864424667Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.875330652Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.877269254Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\RWRBVXSB.EXE')
2018-12-17T22:44:15.884834603Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.887593627Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:15.891644686Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:15.89485232Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:15.897443455Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:15.901490909Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:15.904037134Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.913758708Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:15.91886046Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.927311101Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.945928333Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:15.961144858Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\HFPYOUTH.TXT')
2018-12-17T22:44:15.97303841Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.TXT')
2018-12-17T22:44:15.980828375Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:15.990124052Z 62 PC: 14789 | Close file
2018-12-17T22:44:15.991350185Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.TXT')
2018-12-17T22:44:15.996302401Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:15.998527104Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.002018878Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.004995042Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.007450479Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.010892399Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.012918897Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.023214986Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.SCR')
2018-12-17T22:44:16.03069093Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.04192435Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.043506308Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.SCR')
2018-12-17T22:44:16.048539024Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.050750262Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.052972817Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.055093131Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.056794758Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.059171218Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.060648741Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.067804307Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.EXE')
2018-12-17T22:44:16.072053177Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.082265092Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.083977062Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HFPYOUTH.EXE')
2018-12-17T22:44:16.091252656Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.093998832Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.097028512Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.100525238Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.102444738Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.106747416Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.107946895Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.416883248Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:16.421080751Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.429629519Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.437950281Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.453381719Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\ECQTNUEL.TXT')
2018-12-17T22:44:16.463328912Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.TXT')
2018-12-17T22:44:16.471289387Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.482021167Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.484752315Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.TXT')
2018-12-17T22:44:16.492046093Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.495967132Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.499072497Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.502789997Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.504780543Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.509444873Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.510741386Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.522018859Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.SCR')
2018-12-17T22:44:16.528643895Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.540324191Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.541944524Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.SCR')
2018-12-17T22:44:16.550184557Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.553125551Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.556823405Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.559860168Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.562815238Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.566296993Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.568155607Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.590964769Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.EXE')
2018-12-17T22:44:16.598655626Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.612928032Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.616557977Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\ECQTNUEL.EXE')
2018-12-17T22:44:16.624430078Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.628141465Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.631243159Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.635670456Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.637775793Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.642480866Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.643895061Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.653026806Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:16.658481898Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.667735776Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.676945334Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.692633031Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\UGVEHEAD.TXT')
2018-12-17T22:44:16.702504693Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.TXT')
2018-12-17T22:44:16.710288882Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.720958881Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.722851217Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.TXT')
2018-12-17T22:44:16.730760472Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.733610681Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.737352309Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.740560556Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.74418715Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.747893534Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.749943382Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.760845314Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.SCR')
2018-12-17T22:44:16.768247222Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.779367409Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.782322816Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.SCR')
2018-12-17T22:44:16.791069859Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.800337693Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.803785202Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.807456255Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.810624154Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.815301815Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.816563769Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.827990323Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.EXE')
2018-12-17T22:44:16.834738196Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.846004111Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.847641205Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UGVEHEAD.EXE')
2018-12-17T22:44:16.855092801Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.857743508Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.861261121Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.864344201Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.866414283Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.870500192Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.872591948Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.882647654Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:16.886841678Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.895264124Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.904647394Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:16.919845211Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\EHGTRHPG.TXT')
2018-12-17T22:44:16.930700997Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.TXT')
2018-12-17T22:44:16.938174872Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:16.949360123Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.951199235Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.TXT')
2018-12-17T22:44:16.959181636Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:16.961935579Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:16.965408989Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:16.968544502Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:16.970709753Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:16.974281628Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:16.976617999Z 62 PC: 14789 | Close file
2018-12-17T22:44:16.987354117Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.SCR')
2018-12-17T22:44:16.994496079Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.005979291Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.008114631Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.SCR')
2018-12-17T22:44:17.015756055Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.019327861Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.022435295Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.026436164Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.028402028Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.032421397Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.033780428Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.044532147Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.EXE')
2018-12-17T22:44:17.053679716Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.065201498Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.06694175Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\EHGTRHPG.EXE')
2018-12-17T22:44:17.076073295Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.07854367Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.082421089Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.08636523Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.089295394Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.09272864Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.094956502Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.104074363Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:17.109430916Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.117690785Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.126533877Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.142140778Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\CTPFRWXA.TXT')
2018-12-17T22:44:17.152234768Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.TXT')
2018-12-17T22:44:17.15910654Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.170581436Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.17254678Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.TXT')
2018-12-17T22:44:17.181855936Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.184885796Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.189576291Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.193949042Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.197050171Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.200704062Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.203472748Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.213916912Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.SCR')
2018-12-17T22:44:17.222262843Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.233171516Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.236228244Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.SCR')
2018-12-17T22:44:17.243665475Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.247914943Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.251071352Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.254283686Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.256606976Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.260632431Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.261967167Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.274027049Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.EXE')
2018-12-17T22:44:17.28148059Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.292728073Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.294526461Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CTPFRWXA.EXE')
2018-12-17T22:44:17.3032819Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.306077977Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.310449155Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.313612879Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.317276297Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.320769603Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.324201703Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.331961133Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:17.337652939Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.345928128Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.354925254Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.369948048Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\UITDFRED.TXT')
2018-12-17T22:44:17.380718371Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.TXT')
2018-12-17T22:44:17.387517055Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.400589164Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.402321112Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.TXT')
2018-12-17T22:44:17.409971124Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.412944426Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.416184491Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.420001936Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.422311709Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.426144413Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.427536455Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.438079954Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.SCR')
2018-12-17T22:44:17.445388359Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.45636117Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.458235052Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.SCR')
2018-12-17T22:44:17.466326117Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.469125296Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.472207908Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.475801873Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.477847337Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.481599154Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.48367901Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.494490728Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.EXE')
2018-12-17T22:44:17.502103945Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.513609192Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.515480681Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UITDFRED.EXE')
2018-12-17T22:44:17.523254774Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.528179587Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.531507456Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.535503589Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.537488235Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.541910649Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.543513959Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.553492709Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:17.557746878Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.56770853Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.576312331Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.592341173Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\UMKKQRDQ.TXT')
2018-12-17T22:44:17.60299269Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.TXT')
2018-12-17T22:44:17.610446467Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.622881982Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.624885679Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.TXT')
2018-12-17T22:44:17.633356309Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.636287624Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.640888149Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.644393829Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.646952807Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.649292863Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.650975657Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.657922702Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.SCR')
2018-12-17T22:44:17.662792147Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.66987416Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.671800295Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.SCR')
2018-12-17T22:44:17.677152034Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.679823116Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.681976963Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.684700059Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.686214635Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.688671835Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.690533603Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.697382986Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.EXE')
2018-12-17T22:44:17.702262353Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.709432722Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.711518783Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\UMKKQRDQ.EXE')
2018-12-17T22:44:17.716370815Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.718947233Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.721184898Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.723924231Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.725395185Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.728719813Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.729692401Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.736062842Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:17.739122956Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.744416242Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.750368126Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.759662685Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\GRMNVHCT.TXT')
2018-12-17T22:44:17.766670216Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.TXT')
2018-12-17T22:44:17.770912758Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.778503161Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.77978424Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.TXT')
2018-12-17T22:44:17.784637837Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.786639966Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.788843918Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.791721944Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.793548975Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.796738462Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.79841565Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.809159656Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.SCR')
2018-12-17T22:44:17.8157539Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.827911594Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.830313734Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.SCR')
2018-12-17T22:44:17.838548771Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.842967194Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.846427644Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.851265849Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.853701215Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.858090888Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.860189531Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.872079931Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.EXE')
2018-12-17T22:44:17.878904474Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.890408233Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.892527073Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRMNVHCT.EXE')
2018-12-17T22:44:17.900072378Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:17.90351972Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:17.906819665Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:17.911327561Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:17.913423443Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:17.917472748Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:17.919222089Z 62 PC: 14789 | Close file
2018-12-17T22:44:17.929051515Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:17.935260715Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.943904616Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.953607589Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:17.96878953Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\GRLYOTXR.TXT')
2018-12-17T22:44:17.979126562Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.TXT')
2018-12-17T22:44:17.986680199Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:17.99810371Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.000090992Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.TXT')
2018-12-17T22:44:18.008225604Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.011678411Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.015207654Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.018599607Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.021136415Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.024843937Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.026678735Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.037114912Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.SCR')
2018-12-17T22:44:18.044174561Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.055175076Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.058420995Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.SCR')
2018-12-17T22:44:18.065867544Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.069815768Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.072842085Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.076095056Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.078180957Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.081698422Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.083895881Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.094468952Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.EXE')
2018-12-17T22:44:18.101914668Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.112777035Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.114461903Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GRLYOTXR.EXE')
2018-12-17T22:44:18.123659137Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.126394767Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.130057326Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.133164926Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.13591351Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.139460551Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.141704305Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.150499998Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:18.154667158Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.165570092Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.173930566Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.194529244Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\CMVJSWEP.TXT')
2018-12-17T22:44:18.204497655Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.TXT')
2018-12-17T22:44:18.211180861Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.222023235Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.22420353Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.TXT')
2018-12-17T22:44:18.231572846Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.2346756Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.237816193Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.240880285Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.243444487Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.247833863Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.249432954Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.25978408Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.SCR')
2018-12-17T22:44:18.266746481Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.27921077Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.280981691Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.SCR')
2018-12-17T22:44:18.289117907Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.292263764Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.296313672Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.300215465Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.30263271Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.307958268Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.309381982Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.322611799Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.EXE')
2018-12-17T22:44:18.331174311Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.344192Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.346329163Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMVJSWEP.EXE')
2018-12-17T22:44:18.355582263Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.358779732Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.363418763Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.367367573Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.369807276Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.374321284Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.375713053Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.386454465Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:18.390565581Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.399484653Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.408364505Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.421542265Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\DRYGIQPX.TXT')
2018-12-17T22:44:18.428293908Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.TXT')
2018-12-17T22:44:18.435007894Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.446419722Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.448711949Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.TXT')
2018-12-17T22:44:18.456118454Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.459813445Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.462876767Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.466359501Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.468313895Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.471888721Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.473869485Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.484814041Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.SCR')
2018-12-17T22:44:18.491849669Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.505130029Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.507013218Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.SCR')
2018-12-17T22:44:18.516948449Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.519985787Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.524552506Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.528387284Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.531097119Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.534688473Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.536386284Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.547666129Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.EXE')
2018-12-17T22:44:18.554547703Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.567139993Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.569262598Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DRYGIQPX.EXE')
2018-12-17T22:44:18.579133848Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.582249962Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.585650391Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.590140993Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.592414229Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.596249391Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.599083119Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.60827934Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:18.614062421Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.62252327Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.632111442Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.6486498Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MYZVAUMR.TXT')
2018-12-17T22:44:18.660712916Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.TXT')
2018-12-17T22:44:18.66816476Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.679025235Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.681046314Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.TXT')
2018-12-17T22:44:18.688498343Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.691201222Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.694655471Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.697721999Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.699828936Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.703752235Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.705102996Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.71593705Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.SCR')
2018-12-17T22:44:18.72342378Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.744155468Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.749556983Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.SCR')
2018-12-17T22:44:18.756848606Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.759508827Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.76261752Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.765750251Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.768785146Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.77231579Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.774593929Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.785950217Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.EXE')
2018-12-17T22:44:18.793505246Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.804965751Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.808030655Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MYZVAUMR.EXE')
2018-12-17T22:44:18.816003901Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.818982621Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.82218558Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.825997871Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.829023875Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.833088035Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.834852629Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.845617021Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:18.850059256Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.859217198Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.868108614Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:18.88478952Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\DMRSUOKO.TXT')
2018-12-17T22:44:18.895256543Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.TXT')
2018-12-17T22:44:18.902132648Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.914570945Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.916246416Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.TXT')
2018-12-17T22:44:18.924558459Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.927323151Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.93162269Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.93470625Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:18.937085314Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:18.940704482Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:18.941950477Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.953187699Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.SCR')
2018-12-17T22:44:18.959969838Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:18.971466309Z 62 PC: 14789 | Close file
2018-12-17T22:44:18.985534239Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.SCR')
2018-12-17T22:44:18.990242515Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:18.99277106Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:18.996743531Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:18.999469693Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.001404256Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.003858375Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.005953519Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.013683564Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.EXE')
2018-12-17T22:44:19.019042888Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.026747208Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.028327623Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DMRSUOKO.EXE')
2018-12-17T22:44:19.034837927Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.037308109Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.045810624Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.053612584Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.06422151Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.068419968Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.071352861Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.081253743Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:19.086962413Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.095667353Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.104762633Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.121641005Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MRKWZEAJ.TXT')
2018-12-17T22:44:19.132044418Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.TXT')
2018-12-17T22:44:19.139639119Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.151600459Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.153751615Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.TXT')
2018-12-17T22:44:19.16285064Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.16853115Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.172407462Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.175835528Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.17814012Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.183143618Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.185131319Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.194296104Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.SCR')
2018-12-17T22:44:19.202303244Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.212938618Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.214795011Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.SCR')
2018-12-17T22:44:19.221270912Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.224939823Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.229016573Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.233753475Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.236376505Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.240104009Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.242764526Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.254992314Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.EXE')
2018-12-17T22:44:19.263515066Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.274856468Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.276633031Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MRKWZEAJ.EXE')
2018-12-17T22:44:19.285194683Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.288086913Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.291544731Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.296252282Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.298465901Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.303290356Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.30454242Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.314981395Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:19.319720523Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.328560972Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.338869622Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.356864076Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\JUAQDUEE.TXT')
2018-12-17T22:44:19.375665304Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.TXT')
2018-12-17T22:44:19.383084724Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.39672404Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.402213393Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.TXT')
2018-12-17T22:44:19.418113482Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.42256713Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.426669107Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.431961101Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.434583514Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.438568073Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.440738966Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.45120475Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.SCR')
2018-12-17T22:44:19.455978435Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.472185359Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.474403297Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.SCR')
2018-12-17T22:44:19.48246949Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.486411584Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.489591059Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.493445859Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.495854414Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.499845874Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.50292126Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.513642167Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.EXE')
2018-12-17T22:44:19.521322787Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.528627763Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.530706189Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\JUAQDUEE.EXE')
2018-12-17T22:44:19.535853948Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.538489709Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.540642688Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.542775561Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.544895065Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.547298922Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.548905046Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.554858883Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:19.557529272Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.563470515Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.568896859Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.579158195Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\OMKKAVMD.TXT')
2018-12-17T22:44:19.586111563Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.TXT')
2018-12-17T22:44:19.590728187Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.599822801Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.601231932Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.TXT')
2018-12-17T22:44:19.606822863Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.608915704Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.611040603Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.613977762Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.615719928Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.618716201Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.61999144Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.626778907Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.SCR')
2018-12-17T22:44:19.631762025Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.638835971Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.640138068Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.SCR')
2018-12-17T22:44:19.645888619Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.647833403Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.650680196Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.653041748Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.654638862Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.65947152Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.66151235Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.670943385Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.EXE')
2018-12-17T22:44:19.675693522Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:19.683156468Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.684448058Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\OMKKAVMD.EXE')
2018-12-17T22:44:19.689675361Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:19.691885209Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:19.693974625Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:19.697467071Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:19.699158523Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:19.702315093Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:19.703410857Z 62 PC: 14789 | Close file
2018-12-17T22:44:19.709048176Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:19.712736169Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.718387859Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.727878434Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:19.86504606Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\HKDHAXRS.TXT')
2018-12-17T22:44:19.8722243Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.TXT')
2018-12-17T22:44:19.878137537Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.055385494Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.058293239Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.TXT')
2018-12-17T22:44:20.066900366Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.069948484Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.07440101Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.077778879Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.07997749Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.085237186Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.087244602Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.109175202Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.SCR')
2018-12-17T22:44:20.117692449Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.131723872Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.134904527Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.SCR')
2018-12-17T22:44:20.142794875Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.147345386Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.150600304Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.154101991Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.157507589Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.164242954Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.167054618Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.198506761Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.EXE')
2018-12-17T22:44:20.205291765Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.217324516Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.219169243Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\HKDHAXRS.EXE')
2018-12-17T22:44:20.227849137Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.230778267Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.233982079Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.238758028Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.240907645Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.244500771Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.246406028Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.273856318Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:20.27952222Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.288884977Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.298307844Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.331383866Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\YBDIVHOF.TXT')
2018-12-17T22:44:20.3414755Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.TXT')
2018-12-17T22:44:20.35095529Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.37853336Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.381054611Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.TXT')
2018-12-17T22:44:20.389540099Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.392338088Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.395888867Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.398918597Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.400821294Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.405256786Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.406540908Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.41843416Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.SCR')
2018-12-17T22:44:20.42567495Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.436734302Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.438904646Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.SCR')
2018-12-17T22:44:20.446203737Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.450599901Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.453671724Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.456757942Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.459346142Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.463031506Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.464473535Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.475606461Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.EXE')
2018-12-17T22:44:20.482266822Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.492992564Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.495272716Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YBDIVHOF.EXE')
2018-12-17T22:44:20.502603201Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.50529804Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.508684331Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.512169464Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.515255452Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.519730659Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.521097047Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.529966772Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:20.53471342Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.543112263Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.551352016Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.566160906Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\MMITKHRQ.TXT')
2018-12-17T22:44:20.576813506Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.TXT')
2018-12-17T22:44:20.584453963Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.5953499Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.596970656Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.TXT')
2018-12-17T22:44:20.604911154Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.607599754Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.610571482Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.61392884Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.616131518Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.619864024Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.621643307Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.632167064Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.SCR')
2018-12-17T22:44:20.638754854Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.650357807Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.652465755Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.SCR')
2018-12-17T22:44:20.660514665Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.664050127Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.6676218Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.67070462Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.673118093Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.677001991Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.678271657Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.689392884Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.EXE')
2018-12-17T22:44:20.696494442Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.707979009Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.709968559Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\MMITKHRQ.EXE')
2018-12-17T22:44:20.71728862Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.719941163Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.724273606Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.727326008Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.72924982Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.732899321Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.734208843Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.743545725Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:20.74782991Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.755987036Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.764695127Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.780549318Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\IOKSQLAN.TXT')
2018-12-17T22:44:20.79050503Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.TXT')
2018-12-17T22:44:20.797558858Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.80854854Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.810418503Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.TXT')
2018-12-17T22:44:20.819917978Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.822718012Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.825925603Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.829666625Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.831610355Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.836340267Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.837628096Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.847998834Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.SCR')
2018-12-17T22:44:20.855288677Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.866151223Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.869034225Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.SCR')
2018-12-17T22:44:20.876375771Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.879035766Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.882625107Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.885669147Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.887552554Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.892311648Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.893548821Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.905446032Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.EXE')
2018-12-17T22:44:20.914866203Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:20.925763914Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.928074816Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\IOKSQLAN.EXE')
2018-12-17T22:44:20.935303443Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:20.938152969Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:20.941245707Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:20.944286911Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:20.94659279Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:20.950214407Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:20.951399823Z 62 PC: 14789 | Close file
2018-12-17T22:44:20.961061458Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:20.965015519Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.973096813Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.981639666Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:20.990905685Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\CMQIIYVS.TXT')
2018-12-17T22:44:20.996847454Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.TXT')
2018-12-17T22:44:21.001315646Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.008215555Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.009371282Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.TXT')
2018-12-17T22:44:21.014103229Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.016017213Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.018365373Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.0212643Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.023239633Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.026725707Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.028114693Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.038526698Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.SCR')
2018-12-17T22:44:21.04577279Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.056565458Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.058885941Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.SCR')
2018-12-17T22:44:21.066648104Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.069838668Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.075067025Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.078363181Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.081201616Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.085324769Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.086668262Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.097890852Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.EXE')
2018-12-17T22:44:21.102267154Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.109451123Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.110713622Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\CMQIIYVS.EXE')
2018-12-17T22:44:21.115195831Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.117182249Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.120316274Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.123413121Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.125784401Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.12929335Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.130522965Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.140230812Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:21.144634812Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.154139648Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.163937798Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.178872548Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\QTKFGMOI.TXT')
2018-12-17T22:44:21.190043492Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.TXT')
2018-12-17T22:44:21.202337129Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.214150121Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.216107549Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.TXT')
2018-12-17T22:44:21.223869637Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.226695572Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.230346677Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.233497202Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.235521036Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.239504292Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.240776171Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.251318829Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.SCR')
2018-12-17T22:44:21.259592226Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.27080531Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.272794704Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.SCR')
2018-12-17T22:44:21.282409023Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.285095066Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.28857325Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.291653934Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.293595864Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.29731143Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.299328566Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.309759261Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.EXE')
2018-12-17T22:44:21.316787768Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.327806382Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.329485139Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\QTKFGMOI.EXE')
2018-12-17T22:44:21.337322053Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.340963313Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.344019856Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.347755053Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.349691919Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.353213169Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.35488613Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.363846776Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:21.368432044Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.373948789Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.382093407Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.40737594Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\LSBHYBJN.TXT')
2018-12-17T22:44:21.417589996Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.TXT')
2018-12-17T22:44:21.424281571Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.435695242Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.437507414Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.TXT')
2018-12-17T22:44:21.445269393Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.448320476Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.451523829Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.454624054Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.457609729Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.465007283Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.466535027Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.481705113Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.SCR')
2018-12-17T22:44:21.488590025Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.502950411Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.504781494Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.SCR')
2018-12-17T22:44:21.512200105Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.515628141Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.518786428Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.52198945Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.524763045Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.528552918Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.52990688Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.541858312Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.EXE')
2018-12-17T22:44:21.548656864Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.559601006Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.561536983Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\LSBHYBJN.EXE')
2018-12-17T22:44:21.568912221Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.57167747Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.575080014Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.578192387Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.580243034Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.58509178Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.586702832Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.595679242Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:21.600941813Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.609264845Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.617835723Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.633790985Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\BAJUMHWN.TXT')
2018-12-17T22:44:21.640261062Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.TXT')
2018-12-17T22:44:21.644862127Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.651988411Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.653810927Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.TXT')
2018-12-17T22:44:21.662692007Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.665808193Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.668922506Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.672474791Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.674654988Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.678432016Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.680374535Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.690353419Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.SCR')
2018-12-17T22:44:21.69722624Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.709205811Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.710924136Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.SCR')
2018-12-17T22:44:21.718517262Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.721737816Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.725063277Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.72928887Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.731491624Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.735057007Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.736658643Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.747320489Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.EXE')
2018-12-17T22:44:21.754157486Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.766739495Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.768565514Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\BAJUMHWN.EXE')
2018-12-17T22:44:21.776418029Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.780117278Z 42 PC: 14d30 | Get date 0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.783262846Z 44 PC: 14da5 | Get time 0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.78673339Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.789923197Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.794649162Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.797813625Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.806999787Z 44 PC: 1874f | Get time 0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:21.811355038Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.821803712Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.830456082Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:21.846633472Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\DERVFJJM.TXT')
2018-12-17T22:44:21.857550897Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.TXT')
2018-12-17T22:44:21.864221156Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.876443734Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.878591534Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.TXT')
2018-12-17T22:44:21.88625957Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.889756411Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.89287966Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.895958735Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.900069556Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.903659373Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.904856437Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.916098319Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.SCR')
2018-12-17T22:44:21.923419758Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.935027157Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.937631914Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.SCR')
2018-12-17T22:44:21.944909887Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:21.948503097Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:21.951542397Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:21.954548632Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:21.956776361Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:21.960857727Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:21.962398863Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.973249634Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.EXE')
2018-12-17T22:44:21.979934621Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:21.991327942Z 62 PC: 14789 | Close file
2018-12-17T22:44:21.993359183Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\DERVFJJM.EXE')
2018-12-17T22:44:22.000620039Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.003241743Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.006542411Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.009630045Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.011573173Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.015410057Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.016746103Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.026210933Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:22.032133092Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.043154085Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.052392096Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.069264514Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PCACMWKY.TXT')
2018-12-17T22:44:22.079244628Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.TXT')
2018-12-17T22:44:22.08638222Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.097810386Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.099391955Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.TXT')
2018-12-17T22:44:22.108550017Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.112460648Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.115515635Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.12012471Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.1221705Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.125741745Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.128429354Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.138851114Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.SCR')
2018-12-17T22:44:22.147330465Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.158060635Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.159619115Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.SCR')
2018-12-17T22:44:22.167399134Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.170014846Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.172849331Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.177155447Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.179066443Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.182437295Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.184179106Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.194837822Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.EXE')
2018-12-17T22:44:22.201417994Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.212403935Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.214263009Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\PCACMWKY.EXE')
2018-12-17T22:44:22.221941688Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.22535979Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.228491102Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.231709865Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.234170306Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.237940784Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.239654267Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.251135897Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:22.255648454Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.264376427Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.274421701Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.290799701Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\YPXTOPIK.TXT')
2018-12-17T22:44:22.301848677Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.TXT')
2018-12-17T22:44:22.311031987Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.322920323Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.32475703Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.TXT')
2018-12-17T22:44:22.334149559Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.337121626Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.340323967Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.345983662Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.348321692Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.351967198Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.353824111Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.365313721Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.SCR')
2018-12-17T22:44:22.371994132Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.38488179Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.386771161Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.SCR')
2018-12-17T22:44:22.394184272Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.398245234Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.402283519Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.405765108Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.408334338Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.412871679Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.414257704Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.425142653Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.EXE')
2018-12-17T22:44:22.432069781Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.443763771Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.445606968Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\YPXTOPIK.EXE')
2018-12-17T22:44:22.453063729Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.455740454Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.458971396Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.462351496Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.464319228Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.468180472Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.469602565Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.478433214Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:22.481578475Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.486952308Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.492129112Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.509662561Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\GDJCTEAB.TXT')
2018-12-17T22:44:22.525802299Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.TXT')
2018-12-17T22:44:22.53283562Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.54703675Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.549126484Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.TXT')
2018-12-17T22:44:22.556981848Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.562277174Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.565832805Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.56995224Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.574015901Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.578132158Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.579950739Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.589454674Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.SCR')
2018-12-17T22:44:22.593797317Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.601241677Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.603010291Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.SCR')
2018-12-17T22:44:22.607682462Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.609892794Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.612307566Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.614381676Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.615982321Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.620085815Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.62141664Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.632100103Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.EXE')
2018-12-17T22:44:22.639783926Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.651010774Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.654386989Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GDJCTEAB.EXE')
2018-12-17T22:44:22.661865326Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.665066501Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.669799227Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.673007218Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.675178885Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.68032393Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.681619783Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.691741685Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:22.695847974Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.705043077Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.715972752Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.73160126Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\GJCMTJKL.TXT')
2018-12-17T22:44:22.741862104Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.TXT')
2018-12-17T22:44:22.751220648Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.762680253Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.76704762Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.TXT')
2018-12-17T22:44:22.775374806Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.778321617Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.783577361Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.787342229Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.78990562Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.794315176Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.7958618Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.807910272Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.SCR')
2018-12-17T22:44:22.81464527Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.825945161Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.829312608Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.SCR')
2018-12-17T22:44:22.837295268Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.840611439Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.846403396Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.850062575Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.854205539Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.858282807Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.85990566Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.870362637Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.EXE')
2018-12-17T22:44:22.879032102Z 60 PC: 1481b | Create or truncate file
2018-12-17T22:44:22.890209227Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.893595454Z 61 PC: 14956 | Open file (Filename = 'C:\WINDOWS\GJCMTJKL.EXE')
2018-12-17T22:44:22.901077446Z 68 PC: 148af | I/O control for devices (Set for = 'picture show loads...7')
2018-12-17T22:44:22.903967088Z 42 PC: 14d30 | Get date
0x14d30: pop bx
0x14d31: mov al, dh
0x14d33: call 0x14e21
0x14d36: mov al, 0x2d
0x14d38: call 0x14e29
0x14d3b: mov al, dl
0x14d3d: call 0x14e21
0x14d40: mov al, 0x2d
0x14d42: call 0x14e29
0x14d45: sub cx, 0x76c
0x14d49: cmp cl, 0x64
0x14d4c: mov ch, 0x13
0x14d4e: jb 0x14d55
0x14d50: sbb cl, 0x64
0x14d53: inc ch
0x14d55: mov al, ch
0x14d57: call 0x14e21
0x14d5a: mov al, cl
0x14d5c: call 0x14e21
0x14d5f: pop ax
2018-12-17T22:44:22.908888523Z 44 PC: 14da5 | Get time
0x14da5: cmp dl, 0x32
0x14da8: jb 0x14dbe
0x14daa: inc dh
0x14dac: cmp dh, 0x3c
0x14daf: jb 0x14dbe
0x14db1: mov dh, 0
0x14db3: inc cl
0x14db5: cmp cl, 0x3c
0x14db8: jb 0x14dbe
0x14dba: mov cl, 0
0x14dbc: inc ch
0x14dbe: pop bx
0x14dbf: mov al, ch
0x14dc1: call 0x14e21
0x14dc4: mov al, 0x3a
0x14dc6: call 0x14e29
0x14dc9: mov al, cl
0x14dcb: call 0x14e21
0x14dce: mov al, 0x3a
0x14dd0: call 0x14e29
2018-12-17T22:44:22.912745093Z 64 PC: 14778 | Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:44:22.917273004Z 64 PC: 14778 | Write file or device (Write 248 bytes on handle 5)
2018-12-17T22:44:22.921004161Z 66 PC: 1452b | Move file pointer
2018-12-17T22:44:22.922430916Z 62 PC: 14789 | Close file
2018-12-17T22:44:22.931546697Z 44 PC: 1874f | Get time
0x1874f: mov al, 0x3c
0x18751: mul ch
0x18753: xor ch, ch
0x18755: add ax, cx
0x18757: mov bx, ax
0x18759: push dx
0x1875a: call 0x28664
0x1875d: pop dx
0x1875e: mov ax, 0x3c
0x18761: call 0x1878b
0x18764: mov al, dh
0x18766: mov ah, 1
0x18768: call 0x1878b
0x1876b: mov ax, 0x64
0x1876e: call 0x1878b
0x18771: mov al, dl
0x18773: mov ah, 1
0x18775: call 0x1878b
0x18778: mov ax, 0x264
0x1877b: call 0x1878b
2018-12-17T22:44:22.937505069Z 57 PC: 14cbe | Create subdirectory
2018-12-17T22:44:22.946079626Z 57 PC: 14cbe | Create subdirectory