Auto Tasks

#17813: Unpacker

Analysis

Category FILE
Package exe
Started 2020-06-30 13:50:37
Completed 2020-06-30 13:52:40
Duration 123 seconds
Options procdump = yes
Log
2020-05-13 09:25:47,805 [root] INFO: Date set to: 20200630T13:39:03, timeout set to: 200
2020-06-30 13:39:03,046 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-30 13:39:03,046 [root] DEBUG: Storing results at: C:\gDlKsLh
2020-06-30 13:39:03,046 [root] DEBUG: Pipe server name: \\.\PIPE\MxTZYFV
2020-06-30 13:39:03,046 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:39:03,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:39:03,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:39:03,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:39:03,203 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:39:03,203 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:39:03,203 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:39:03,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:39:03,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:39:03,453 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:39:03,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:39:03,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:39:03,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:39:03,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:39:03,625 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:39:03,625 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:39:03,625 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:39:03,625 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:39:03,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:39:03,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:39:03,703 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:39:03,734 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:39:03,734 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:39:05,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:39:05,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:39:05,125 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:39:05,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:39:05,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:39:05,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:39:05,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:39:05,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:39:05,156 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:39:05,156 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:39:05,156 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:39:05,156 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:39:05,156 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:39:05,171 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:39:05,171 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:39:05,171 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:39:05,171 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:39:05,171 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:39:05,171 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:39:05,171 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:39:05,828 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:39:05,843 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:39:05,843 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:39:05,843 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:39:05,843 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:39:05,843 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:39:05,859 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:39:05,859 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:39:05,859 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:39:05,875 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:39:05,875 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:39:05,875 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:39:05,875 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:39:05,875 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:39:05,890 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:39:05,890 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:39:05,890 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:39:05,890 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:39:05,890 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:39:05,890 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:39:05,890 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:39:05,890 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:39:05,890 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:39:05,906 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:39:05,906 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:39:05,906 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:39:05,906 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:39:05,906 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:39:05,906 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:39:05,906 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:39:05,906 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:39:06,000 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe" with arguments "" with pid 4128
2020-06-30 13:39:06,000 [lib.api.process] INFO: Monitor config for process 4128: C:\tmp2ssujfce\dll\4128.ini
2020-06-30 13:39:06,000 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:39:06,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\UndPaK.dll, loader C:\tmp2ssujfce\bin\Rlpqqxd.exe
2020-06-30 13:39:06,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MxTZYFV.
2020-06-30 13:39:06,046 [root] DEBUG: Loader: Injecting process 4128 (thread 4532) with C:\tmp2ssujfce\dll\UndPaK.dll.
2020-06-30 13:39:06,062 [root] DEBUG: Process image base: 0x013A0000
2020-06-30 13:39:06,062 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:39:06,078 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:39:06,078 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\UndPaK.dll.
2020-06-30 13:39:06,093 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4128
2020-06-30 13:39:08,093 [lib.api.process] INFO: Successfully resumed process with pid 4128
2020-06-30 13:39:08,249 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:39:08,249 [root] DEBUG: Process dumps disabled.
2020-06-30 13:39:08,249 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:39:08,265 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4128 at 0x6fa70000, image base 0x13a0000, stack from 0x1f5000-0x200000
2020-06-30 13:39:08,265 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe".
2020-06-30 13:39:08,296 [root] INFO: Loaded monitor into process with pid 4128
2020-06-30 13:39:08,312 [root] DEBUG: set_caller_info: Adding region at 0x00100000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:39:08,312 [root] DEBUG: set_caller_info: Adding region at 0x00AB0000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:39:08,328 [root] DEBUG: DumpMemory: Exception occured reading memory address 0xab0000
2020-06-30 13:39:08,328 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00AB0000 size 0x400000.
2020-06-30 13:39:08,328 [root] DEBUG: DumpPEsInRange: Scanning range 0xab0000 - 0xab1000.
2020-06-30 13:39:08,328 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xab0000-0xab1000.
2020-06-30 13:39:08,390 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gDlKsLh\CAPE\4128_153188642481931372020 (size 0xffe)
2020-06-30 13:39:08,390 [root] DEBUG: DumpRegion: Dumped stack region from 0x00AB0000, size 0x1000.
2020-06-30 13:39:08,390 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00100000.
2020-06-30 13:39:08,406 [root] DEBUG: set_caller_info: Adding region at 0x00470000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:39:08,546 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x5f7fff
2020-06-30 13:39:08,546 [root] DEBUG: DumpMemory: Nothing to dump at 0x00470000!
2020-06-30 13:39:08,546 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00470000 size 0x188000.
2020-06-30 13:39:08,546 [root] DEBUG: DumpPEsInRange: Scanning range 0x470000 - 0x478000.
2020-06-30 13:39:08,546 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x470000-0x478000.
2020-06-30 13:39:08,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gDlKsLh\CAPE\4128_132436191081931372020 (size 0x7ff2)
2020-06-30 13:39:08,593 [root] DEBUG: DumpRegion: Dumped stack region from 0x00470000, size 0x8000.
2020-06-30 13:39:08,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x72D60000 to global list.
2020-06-30 13:39:08,593 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:39:08,609 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-06-30 13:39:08,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf0 amd local view 0x00270000 to global list.
2020-06-30 13:39:08,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x00270000 to global list.
2020-06-30 13:39:08,656 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:39:08,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F4B0000 for section view with handle 0xec.
2020-06-30 13:39:08,671 [root] DEBUG: DLL loaded at 0x6F4B0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-30 13:39:08,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F410000 for section view with handle 0xf0.
2020-06-30 13:39:08,718 [root] DEBUG: DLL loaded at 0x6F410000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-30 13:39:08,921 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4128, handle 0xfc.
2020-06-30 13:39:08,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x000E0000 to global list.
2020-06-30 13:39:08,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x000F0000 to global list.
2020-06-30 13:39:08,953 [root] INFO: Disabling sleep skipping.
2020-06-30 13:39:08,953 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4128.
2020-06-30 13:39:08,968 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-30 13:39:08,984 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:39:08,984 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4128.
2020-06-30 13:39:09,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x6DF20000 to global list.
2020-06-30 13:39:09,046 [root] DEBUG: DLL loaded at 0x6DF20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-30 13:39:09,046 [root] DEBUG: set_caller_info: Adding region at 0x04030000 to caller regions list (kernel32::SetErrorMode).
2020-06-30 13:39:09,046 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-06-30 13:39:09,046 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x406ffff
2020-06-30 13:39:09,062 [root] DEBUG: DumpMemory: Nothing to dump at 0x04030000!
2020-06-30 13:39:09,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00370000 for section view with handle 0x1d0.
2020-06-30 13:39:09,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FBC0000 for section view with handle 0x1d0.
2020-06-30 13:39:09,093 [root] DEBUG: DLL loaded at 0x6FBC0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-30 13:39:09,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e0 amd local view 0x6EC60000 to global list.
2020-06-30 13:39:09,218 [root] DEBUG: DLL loaded at 0x6EC60000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-30 13:39:09,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EAD0000 for section view with handle 0x1e0.
2020-06-30 13:39:09,218 [root] DEBUG: DLL loaded at 0x6EAD0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-30 13:39:09,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D340000 for section view with handle 0x1e0.
2020-06-30 13:39:09,234 [root] DEBUG: DLL loaded at 0x6D340000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-30 13:39:09,328 [root] DEBUG: set_caller_info: Adding region at 0x00390000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:39:09,328 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x39ffff
2020-06-30 13:39:09,328 [root] DEBUG: DumpMemory: Nothing to dump at 0x00390000!
2020-06-30 13:39:09,328 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00390000 size 0x10000.
2020-06-30 13:39:09,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x390000 - 0x391000.
2020-06-30 13:39:09,328 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x390000-0x391000.
2020-06-30 13:39:09,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gDlKsLh\CAPE\4128_205898571291931372020 (size 0x9e)
2020-06-30 13:39:09,390 [root] DEBUG: DumpRegion: Dumped stack region from 0x00390000, size 0x1000.
2020-06-30 13:39:09,390 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-06-30 13:39:09,390 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:39:09,390 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00280000.
2020-06-30 13:39:09,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1ec amd local view 0x6CE70000 to global list.
2020-06-30 13:39:09,781 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4128.
2020-06-30 13:39:09,781 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:39:09,796 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:39:10,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x244 amd local view 0x72E20000 to global list.
2020-06-30 13:39:10,046 [root] DEBUG: DLL loaded at 0x72E20000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-30 13:39:10,046 [root] DEBUG: DLL unloaded from 0x72E20000.
2020-06-30 13:39:10,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x01100000 for section view with handle 0x244.
2020-06-30 13:39:10,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x03EE0000 to global list.
2020-06-30 13:39:10,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x25c amd local view 0x6D2B0000 to global list.
2020-06-30 13:39:10,265 [root] DEBUG: DLL loaded at 0x6D2B0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2020-06-30 13:39:10,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x260 amd local view 0x00650000 to global list.
2020-06-30 13:39:10,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 amd local view 0x008F0000 to global list.
2020-06-30 13:39:10,968 [root] DEBUG: DLL unloaded from 0x013A0000.
2020-06-30 13:39:11,031 [root] DEBUG: OpenProcessHandler: Image base for process 4128 (handle 0x26c): 0x013A0000.
2020-06-30 13:39:11,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 amd local view 0x00A00000 to global list.
2020-06-30 13:39:11,140 [root] INFO: Announced 32-bit process name: dw20.exe pid: 2548
2020-06-30 13:39:11,140 [lib.api.process] INFO: Monitor config for process 2548: C:\tmp2ssujfce\dll\2548.ini
2020-06-30 13:39:11,140 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-30 13:39:11,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\UndPaK.dll, loader C:\tmp2ssujfce\bin\Rlpqqxd.exe
2020-06-30 13:39:11,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MxTZYFV.
2020-06-30 13:39:11,187 [root] DEBUG: Loader: Injecting process 2548 (thread 1856) with C:\tmp2ssujfce\dll\UndPaK.dll.
2020-06-30 13:39:11,187 [root] DEBUG: Process image base: 0x10000000
2020-06-30 13:39:11,187 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\UndPaK.dll.
2020-06-30 13:39:11,187 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-30 13:39:11,187 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:39:11,281 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 13:39:12,313 [root] DEBUG: Error -1073741515 (0xc0000135) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
2020-06-30 13:39:12,313 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-06-30 13:39:12,313 [root] DEBUG: Failed to inject DLL C:\tmp2ssujfce\dll\UndPaK.dll.
2020-06-30 13:39:12,329 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2548, error: 4294967288
2020-06-30 13:39:12,329 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:39:12,579 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x280 amd local view 0x06C60000 to global list.
2020-06-30 13:39:13,384 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 13:39:14,626 [root] INFO: Process with pid 4128 has terminated
2020-06-30 13:39:20,189 [root] INFO: Process list is empty, terminating analysis.
2020-06-30 13:39:21,205 [root] INFO: Created shutdown mutex.
2020-06-30 13:39:22,205 [root] INFO: Shutting down package.
2020-06-30 13:39:22,205 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:39:22,423 [lib.common.results] WARNING: File C:\gDlKsLh\bin\procmon.xml doesn't exist anymore
2020-06-30 13:39:22,439 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:39:22,439 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:39:22,439 [root] WARNING: Folder at path "C:\gDlKsLh\debugger" does not exist, skip.
2020-06-30 13:39:22,439 [root] WARNING: Monitor injection attempted but failed for process 2548.
2020-06-30 13:39:22,439 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-06-30 13:50:38 2020-06-30 13:52:40

File Details

File Name DOCUMENT_PDF.exe
File Size 380928 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-30 05:08:50
MD5 1dba5b473921df961ea28abf48658e8f
SHA1 b36d4f261b9443841d3b5717ddcf5f9fdfec96e1
SHA256 89324c8c402f268c3348061e16af6cf60e37ec46d14a96bc965adb3c94cae044
SHA512 750408a6e550cbc704b66bacfa7de8cd91d06ae7517b20c8e9973e56814e858d30dbf0bdbe4cdce2ea6530d77388bece7442edb9dbf4fe5e073ee325356187f2
CRC32 DBE9BAA2
Ssdeep 6144:o00zi0L3+pLPG5CuIyIeEfPK5TdVqnBKzY50wUe9D6WPMaL/uJdPzLA:x0F+1YIxsG56e92WPMGQLL

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: mscoreei.dll/DllGetClassObject_RetAddr
DynamicLoader: mscoreei.dll/DllGetClassObject
DynamicLoader: diasymreader.dll/DllGetClassObjectInternal
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: MSCOREE.DLL/DllGetClassObject
Reads data out of its own binary image
self_read: process: DOCUMENT_PDF.exe, pid: 4128, offset: 0x00000000, length: 0x00001000
self_read: process: DOCUMENT_PDF.exe, pid: 4128, offset: 0x000080c2, length: 0x00000200
CAPE extracted potentially suspicious content
DOCUMENT_PDF.exe: Unpacked Shellcode
DOCUMENT_PDF.exe: Unpacked Shellcode
DOCUMENT_PDF.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.78, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0005a000, virtual_size: 0x00059754
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe
Network activity detected but not expressed in API logs
File has been identified by 24 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Razy.692990
FireEye: Generic.mg.1dba5b473921df96
McAfee: GenericRXLE-YG!1DBA5B473921
Alibaba: Trojan:MSIL/Kryptik.d970f5fe
Cybereason: malicious.61b944
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Avast: Win32:MalwareX-gen [Trj]
BitDefender: Gen:Variant.Razy.692990
Endgame: malicious (high confidence)
Emsisoft: Gen:Variant.Razy.692990 (B)
Trapmine: suspicious.low.ml.score
Fortinet: MSIL/Kryptik.WGV!tr
Arcabit: Trojan.Razy.DA92FE
Cynet: Malicious (score: 100)
ALYac: Gen:Variant.Razy.692990
MAX: malware (ai score=80)
Ad-Aware: Gen:Variant.Razy.692990
ESET-NOD32: a variant of MSIL/Kryptik.WGV
Ikarus: Trojan.Inject
eGambit: Unsafe.AI_Score_95%
GData: Gen:Variant.Razy.692990
AVG: Win32:MalwareX-gen [Trj]
CrowdStrike: win/malicious_confidence_60% (W)

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe.config
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\System32\l_intl.nls
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Globalization\en-us.nlp
C:\Users\Louise\AppData\Local\Temp\TJrduJL8RICTIdn.dll
C:\Users\Louise\AppData\Local\Temp\TJrduJL8RICTIdn\TJrduJL8RICTIdn.dll
C:\Users\Louise\AppData\Local\Temp\TJrduJL8RICTIdn.exe
C:\Users\Louise\AppData\Local\Temp\TJrduJL8RICTIdn\TJrduJL8RICTIdn.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\VERSION.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.PDB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe.config
C:\Users\Louise\AppData\Local\Temp\DOCUMENT_PDF.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Fonts\staticcache.dat
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\48524502\b79fa73
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
kernel32.dll.SwitchToThread
ole32.dll.CoCreateGuid
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.CreateEventW
kernel32.dll.CloseHandle
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtGetCurrentProcessorNumber
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
advapi32.dll.CheckTokenMembership
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
dw20.exe -x -s 624
Global\CLR_CASOFF_MUTEX
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

PE Information

Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash
0x00400000 | 0x0045b74e | 0x00000000 | 0x00067651 | 4.0 | 2020-06-30 05:08:50 | f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy
.text | 0x00001000 | 0x00002000 | 0x00059754 | 0x0005a000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 7.78
.rsrc | 0x0005b000 | 0x0005c000 | 0x000003f8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 1.07
.reloc | 0x0005c000 | 0x0005e000 | 0x0000000c | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.02

Resources

Name | Offset | Size | Language | Sub-language | Entropy | File type
RT_VERSION | 0x0005c058 | 0x000003a0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.47 | None

Imports


Assembly Information

Name TJrduJL8RICTIdn
Version 68.0.0.11

Assembly References

Name Version
mscorlib 2.0.0.0
System.Windows.Forms 2.0.0.0
System 2.0.0.0
System.Drawing 2.0.0.0

Custom Attributes

Type | Name | Value
Assembly | [mscorlib]System.Reflection.AssemblyProductAttribute | MK Restaura
Assembly | [mscorlib]System.Reflection.AssemblyFileVersionAttribute | 68.23.1
Assembly | [mscorlib]System.Reflection.AssemblyCopyrightAttribute | Makong King Yee CEO Rit Thirakomen 20
Assembly | [mscorlib]System.Runtime.InteropServices.GuidAttribute | 38cebe60-3d2b-4beb-ab6e-f82b14b7eb
Assembly | [mscorlib]System.Reflection.AssemblyCompanyAttribute | Makong King Ye
Assembly | [mscorlib]System.Reflection.AssemblyDescriptionAttribute | Coca Group of Restauran
Assembly | [mscorlib]System.Reflection.AssemblyTitleAttribute | MK Restaura

Type References

Assembly Type Name
mscorlib System.Object
System.Windows.Forms System.Windows.Forms.Form
mscorlib System.EventArgs
System.Windows.Forms System.Windows.Forms.KeyPressEventArgs
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.TabControl
System.Windows.Forms System.Windows.Forms.TabPage
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ListView
System.Windows.Forms System.Windows.Forms.ColumnHeader
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.RadioButton
System.Windows.Forms System.Windows.Forms.CheckBox
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.PictureBox
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyVersionAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.STAThreadAttribute
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.ListViewItem
System.Windows.Forms System.Windows.Forms.ListViewItem/ListViewSubItemCollection
System.Windows.Forms System.Windows.Forms.ListViewItem/ListViewSubItem
System.Windows.Forms System.Windows.Forms.ListView/ListViewItemCollection
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.Convert
mscorlib System.Double
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
mscorlib System.Char
mscorlib System.String
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
mscorlib System.Threading.Thread
mscorlib System.AppDomain
mscorlib System.Reflection.Assembly
mscorlib System.Type
mscorlib System.Reflection.BindingFlags
mscorlib System.Reflection.Binder
mscorlib System.Text.StringBuilder
mscorlib System.Math
mscorlib System.CrossAppDomainDelegate
mscorlib System.Environment
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.Padding
System.Windows.Forms System.Windows.Forms.ButtonBase
mscorlib System.EventHandler
System.Windows.Forms System.Windows.Forms.KeyPressEventHandler
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.ListView/ColumnHeaderCollection
System.Windows.Forms System.Windows.Forms.View
System.Windows.Forms System.Windows.Forms.ComboBoxStyle
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.ScrollableControl
System.Windows.Forms System.Windows.Forms.FormBorderStyle
mscorlib System.Console
mscorlib System.Nullable`1

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9yGR}
xfzk|#
xP=p~kZ
LSbU,
efMoT
&hCE9\
k":]2
n {?N
g53n,
I}R(/
=?{'(#
fUhr'C
*h#49.x4
(_[l*
{J2ia
e'B&*^'%.
t!1It
03Bz;
0nyz~
F1h3crs
ft\K>
lAWNM\c
iD,ZU;
-A_6U
f<6ZG
6IOu+
(Q5Ts
k|!6K
hX}cK7;B
ET~VE
:^5eq
i/$75
-Pk$I6b-m
xWQ{l
(UOda
~h,ivN1~z
]1$2(
SZ}dI
t/hBV+
cWJVjv
>T%Y'
7r.-L
"j5:C
{LLI|
Fc4/r2
J4MK'
7i,l(
lY|{=
C+ugI
3?<hE
-gS'p
q;>(w
9\J!;
@> xMT
"HG+6o
->)En
^/iwn
]GMh'%
Pp7I^O
0b`F+
y^',x
ULno/3g
ai<Lj
Pzl}2
vFqrL
(|3./
7weX.
uiP<N
p:a,m
U7%?A=4
7{^x)
_YVtlm
XkND.
vjy_4
Zbgv>
zrIX?
H=4`#U
mfz.*
Dz,0\
hJv*_$
fKfo
[s{72"
~3*fW
=[t0)t
n)N1$
-SrHZ+
a*%0THsq
)#VjH
%g-F+t~
W`cBC
=2Zr{
:Mp>_Q
[0IH}
f3<3i
$d|QUl
<2k}l
$Nz,r8
@,f<;&wl
A|mJH
xC~SIJ
q.(KG
R_Tvw
mn{O,
/g[Ah
WSIeW
syr4d
AL7a4
>7wuf
Y*s)B4
~P"a8bz&7
8U1t^
h6r^T
.2_..
}\[Um5:u
$$6A
/b/~f
dPV;y*
*mtXYz}
e1xe/
lLrp-5T
!_*!Y
yJHQy
\U_r6
+(6f[
dr?6|i
~GD.B
D-V#ji
g3+6j)%
hWR{b
iFJ*5
BOj;c:
f[M?#
Mz-*n
67fB2
%?;IlF
JOv"q
B:{qj
?[uD(
J1:D(>!
4hrT.
LDX3q#.
10)/
jo1i
3c$nR-
^cKtw
QAXRC
PtjyZx
.lXuF
vXK_`?)
qCg{%
?fbk[
e9?-M
/-lwr8&)
q(Vtn
O-}*:&
[L?'b-
tw.hm
WX5y>
]gyG}\
@//</)mG
jD7=BH
'dU~L
v8DQG
i[Ari
mu(lR
8vL1n
J+Fd5P
ydR-%
uS\0r
Y}/S'
xXjuo
r=OiFC
jX:a>
c;/id
"&9_b/
*W}G;%
2r>Qr
y:Se5(
4HxmRpJoLz
<iJ|6x(e
KFaU31
3M.O<
zHs1tg7
"`VUO
>ow\&=A
YIul8
[m;w[m
~2`gE
Lzsnc
-kli?lf
c?=x|
}>+Up
zO4l]
+]Ylnn
g/i'd
K{kg,
JFIDG
*nO,.
fM8t38
CozXm
R|J30u
4SjbI
rgf69p
2NJcwg
MZ1ZK9
ljMc`L
(a%HG,
D7Ij.G0
r3Q[k1
R?D6]
%n;'n"m
c-"|%
56C1j
xLJ(V1
GN>Sg"
Y_%MZ$
{09s'
CURahk
Ah#h}
4y T]
8L0]^8X
WnRfD
I/dwR
p`YJ>
b-?l7
?t<@os
v0Y5(
&AufB
e84A!
^o?Fb1
+],88i
_vXvY
a'3rr
XM}""e
)!YCE
<?^f(P
XH?vw
@\A%+s
.%$C/ %H
jE3OY"
aTb=`
^4Dvv
~EmC4
(B%ZJ
JZ:oD
i)>}e
4HF>)
"fB"vD
Sr 7
j4#9<
<:yJ?
EeEb}-
L[Q -
7VWW?
xy},H
<,+Ii
8Vnjb
[)Wog
R 9%!
uHBTmK
~#o{o?kE
gt~sM
u 8paW
0m=z%
HgMv3&D
wfa1C
raq{cI
n01.*
u[*(`
M=I z
'v8OV
o6u=9
eLj7Y
-]8"G
VMJ02H
|OMF6}
c^m'O~+
;qISX
$/tZK
MQEiH
3^;kO?u
_nGM&k>/
xS2k;
UM9nz
:%M"z
85Nd1m
#cNLUlOc
`O%@0
QHg*)
u*hOG
#N{J60
Bxr73k"
n"yJs
^C(/\
[I10=$
45;C}
|!1)F>
~'!#x
e3I'A
sQ^xU
xi(!0>z
AF$"e:]7R%e))7G
Hr!'k
@o\ZV&
\\w.7u
T/!&p
NML>`
x YcF
D,-%\
Sw#}0d3"
Ji}lG
*`nTh
J=F/Y
tH=p`
pKR)T
yhD;3
TtC)OW
*HTi$
82v-e
">n)j
HnJIl
XqJ/c
JL(8R=3
F{R:.
~+TpZ
86oP_
)4a^(
~eL6jQ
j~m6D}
<#Ol8A\L^_
j+Rm?<
Je"$S
IQJFj0
EYfJ}N
KX7d3
Q{VY4
D_t{C
Z+lz\
1L)Ix
f6PR?
2zR+M
a%Gnx
qXuj>
}'#.gV
Pj`g=_mo
s1uRz
H;"7i
Rxw 8A&
Y;azv
ARX {
Z5H`A
Shd3[u
IhHbO
XcjP:
'b3~3,K
[.?q%
]H~g8
o8#?n
`PWwd
z+;aOh/:
2m(xK )
^>>`E
1IDATID
rO4=(
E\Etb.
?S".
z8MWp#
?8yKb
_{/9*
20%>x
-qx40
>UtO5^
Vm6S}
?7Nf~
g`\egWIa
Cn);/
YJjwx
JoN?~5
>W(lh0
KWu0kn
0DhO#_
z|o4;y
=p4Mib
]I{#{
`];'A
r;BF$
wZoI1
#n^{hEA
-0rtX
,nESx
tduUm
87rCX.<>
$$bG
GN(+l
f|? e
p|S`.
>W><`\lrG
c}jtn
{>R``
r)`re
-`PchX
rWm>{
Y~l"Wonq
:_GN]K
rL(br
LD88%#
h|<{)
fFAog
dvUoE
8F>6H)
e~83VOX SW
jJ*U[
_?#IIElV
v0[7fGz
z6#/l
LWR.<
}Q5nZ
A&Mx5;D
los2d?2
`#6:Gx7
hXpoZ
o)=m7q
N%tr{
2f-#
VKVy1N
$:3 7
^l%(:
5H4}f
*VCIr
S&[.E
.AOE7c
yAl'e^
`rK+X.P::
lScO~
1+j4.0
#U5+hp}
A?)3s
lVo|'
^z`/W
?\'2$
TUdFl
VTw}a
:4m&+
nz9:qm
'3&bk
H/%4mu
{^jEm
-/ZY<
,bhyi
VFvBb
"fb[!
CmRk>
Q%f|G3
AUm=T
[\Nl3
"MqoQ
>.!y~
UD{ )
^S~>P
U?$-
je]3M3
pv;s%5#`
Q2N1[
uI/"~d
:t4aKF
otK}_
%.hb=
)qh9y
*Y}Tj]
``e7M
`I9i>
hZ%//X
#YKRh
Es:8n
2|]ef
Y_x\q
l|;PSW
vc\T/p
6#F`w
1Fokw
R{$i{
R_/:7
jy=Ot i
,oK3*
U"zX^
Q)sheG
ZS>Q!<?
K6#Tk
"'X?o
b[vaHa
dqjPGT
'/dmTrv
=l3=U
In4ML<`
J\d2!h
Y"m.j
<?o#K
JxnmM
)U)\fXW
<3INk
2(+BjAy
.N1#h
\IqD0[
FG{?y
sIPqo
Ir,y6
0lk!x
rH\T;E
Wz!PgpQP
[3&SuK
b0y~;8FD
o*&S)b
]92wA
.H5K#i
[e|;Wh
q]r$x
P4Rx=
@NSHkLw
hOKuP
Z^R<I
m<W]|(N
9O(I~lR
NT:n)
\its\
924]}`x
s`=LhP7|
H_Vr#
NtBPS
ZH2{UX,
w.DE{g}
abe|'
O30nDF
~PX-t
+WSz9
$^`bK1
o}~_nR
1m+b7\
eldYOEb
W_2.w$
|ZFH*`]<
dT)>k
L&h,)
Rsxd*
[YpKS
,+5fX
3^@UA
HaTA4
skN4vX-
y7neR
`q?S[
2df7
YK8:>l
+X'}z
v2.0.50727
#Strings
#GUID
#Blob
<Module>
TJrduJL8RICTIdn.exe
AbZVBPSqBUVONvpOHI
DxQhwXvQlHmvZcWOa
QdtCBbYAibZOddQr
HInsz
WndgC
sooygZgF
mscorlib
System
Object
System.Windows.Forms
.ctor
EventArgs
button1_Click_1
button2_Click
button3_Click
Form1_Load
KeyPressEventArgs
textBox1_KeyPress
textBox2_KeyPress
textBox3_KeyPress
textBox4_KeyPress
textBox5_KeyPress
textBox6_KeyPress
textBox7_KeyPress
listView1_SelectedIndexChanged
button4_Click
button5_Click
textBox20_KeyPress
button6_Click
button7_Click
button8_Click
comboBox2_SelectedIndexChanged
System.ComponentModel
IContainer
components
Dispose
CallBack
InitializeComponent
TabControl
tabControl1
TabPage
tabPage1
tabPage2
tabPage3
Label
label2
Button
button1
ListView
listView1
ColumnHeader
columnHeader1
columnHeader2
GroupBox
groupBox2
groupBox1
groupBox3
groupBox4
groupBox5
RadioButton
radioButton4
radioButton3
radioButton2
radioButton1
radioButton7
radioButton6
radioButton5
CheckBox
checkBox13
checkBox12
checkBox11
checkBox10
checkBox9
checkBox8
checkBox7
checkBox6
checkBox5
checkBox4
checkBox3
checkBox2
checkBox1
checkBox14
checkBox21
checkBox20
checkBox19
checkBox18
checkBox17
checkBox16
checkBox15
TextBox
textBox7
textBox6
textBox5
textBox4
textBox3
textBox2
textBox1
label1
checkBox28
checkBox27
checkBox26
checkBox25
checkBox24
checkBox23
checkBox22
columnHeader3
button3
button2
textBox8
label5
textBox10
label4
textBox9
label3
button4
groupBox7
groupBox6
button5
ComboBox
comboBox1
label9
textBox13
label8
textBox12
label7
textBox11
label6
textBox17
label13
textBox16
label12
textBox15
label11
textBox14
label10
comboBox2
label14
textBox20
label17
textBox19
label16
textBox18
label15
textBox21
label18
button6
button8
button7
label19
PictureBox
pictureBox1
label21
label20
pictureBox2
pdMTByVEt
kCHzofuo
VNAXFf
dEwSuR
enZgCpZ
zSuIIBG
xxKZma
ntuepi
WRYLWi
System.Runtime.InteropServices
GuidAttribute
System.Reflection
AssemblyVersionAttribute
AssemblyFileVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
TJrduJL8RICTIdn
STAThreadAttribute
Application
EnableVisualStyles
SetCompatibleTextRenderingDefault
sender
get_Checked
ListViewItem
ListViewSubItemCollection
get_SubItems
ListViewSubItem
ListViewItemCollection
get_Items
Control
get_Text
Convert
ToInt32
Double
ToString
set_Text
System.Collections
IEnumerator
GetEnumerator
get_Current
get_Item
ToDouble
MoveNext
IDisposable
SelectTab
set_Checked
set_Enabled
ObjectCollection
get_KeyChar
IsDigit
set_Handled
Clear
Close
String
op_Equality
MessageBox
DialogResult
TrimStart
MessageBoxButtons
disposing
System.Threading
Thread
Sleep
AppDomain
GetDomain
FromBase64String
Assembly
GetType
BindingFlags
Binder
InvokeMember
input
System.Text
StringBuilder
get_Chars
Round
Append
get_Length
CreateDomain
CrossAppDomainDelegate
DoCallBack
Environment
SuspendLayout
ISupportInitialize
BeginInit
ControlCollection
get_Controls
System.Drawing
FontStyle
GraphicsUnit
set_Font
Point
set_Location
set_Name
set_SelectedIndex
set_Size
set_TabIndex
Color
FromArgb
set_BackColor
Padding
set_Padding
set_AutoSize
get_White
set_ForeColor
ButtonBase
set_UseVisualStyleBackColor
EventHandler
add_Click
set_TabStop
KeyPressEventHandler
add_KeyPress
get_Black
PictureBoxSizeMode
set_SizeMode
ColumnHeaderCollection
get_Columns
AddRange
set_UseCompatibleStateImageBehavior
set_View
add_SelectedIndexChanged
set_Width
get_ForestGreen
ComboBoxStyle
set_DropDownStyle
get_DarkRed
SizeF
ContainerControl
set_AutoScaleDimensions
AutoScaleMode
set_AutoScaleMode
ScrollableControl
set_AutoScroll
get_DarkGoldenrod
set_ClientSize
FormBorderStyle
set_FormBorderStyle
set_MaximizeBox
add_Load
ResumeLayout
PerformLayout
EndInit
Ceiling
Console
WriteLine
Nullable`1
get_HasValue
GetValueOrDefault
a3222.resources
$38cebe60-3d2b-4beb-ab6e-f82b14b7ebe0
68.23.1.0
'Makong King Yee CEO Rit Thirakomen 2012
MK Restaurant
Makong King Yee.
Coca Group of Restaurants
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
cYfxXSYwpfAkiUYbLxd.png
[k.+
Normal Crust Small Pizza
Cheesy Crust Small Pizza
Sausage Crust Small Pizza
Normal Crust Medium Pizza
Cheesy Crust Medium Pizza
Sausage Crust Medium Pizza
Normal Crust Large Pizza
10.00
Cheesy Crust Large Pizza
Sausage Crust Large Pizza
Normal Crust Extra Large Pizza
13.00
Cheesy Crust Extra Large Pizza
Sausage Crust Extra Large Pizza
Pepperoni Toppings
Extra Cheese Toppings
Mushroom Toppings
Ham Toppings
Bacon Toppings
Ground Beef Toppings
Jalapeno Toppings
Pineapple Toppings
Dried Shrimps Toppings
Anchovies Toppings
Sun Dried Tomatoes Toppings
Spinach Toppings
Roasted Garlic Toppings
Shredded Chicken Toppings
Coke - Can
Diet Coke - Can
Iced Tea - Can
Ginger Ale - Can
Sprite - Can
Root Beer - Can
Bottled Water
Chicken Wings
Poutine
Onion Rings
Cheesy Garlic Bread
Garlic Dip
BBQ Dip
Sour Cream Dip
tabPage2
tabPage1
tabPage3
Alberta
British Columbia
Manitoba
New Brunswick
Newfoundland and Labrador
Ontario
Prince Edward Island
Quebec
Saskatchewan
Credit Card
Debit Card
Promo Card
Please fill in required fields
Please pay your balance
Thanks for ordering at Pizza Express. Your ordered items will be ready and delivered in 30 minutes. Do you want to order some more?
Trriority.Sdar
CoreLoader
a3222.resources
H7yzS3
cYfxXSYwpfAkiUYbLxd.png
TempDomain
Calibri
tabControl1
Place Your Order
label20
Brought To You By code-projects.org
button5
groupBox5
Crust
radioButton7
Sausage
radioButton6
Cheesy
radioButton5
Normal
groupBox4
Other Items
checkBox28
Sour Cream Dip (Free)
checkBox27
BBQ Dip (Free)
checkBox26
Garlic Dip (Free)
checkBox25
Cheesy Garlic Bread ($3.00)
checkBox24
Onion Rings ($3.00)
checkBox23
Poutine ($3.00)
checkBox22
Chicken Wings ($3.00)
groupBox3
Drinks
textBox7
textBox6
textBox5
textBox4
textBox3
textBox2
textBox1
label1
Quantity
checkBox21
Water ($1.25)
checkBox20
Root Beer ($1.45)
checkBox19
Sprite ($1.45)
checkBox18
Ginger Ale ($1.45)
checkBox17
Iced Tea ($1.45)
checkBox16
Diet Coke ($1.45)
checkBox15
Coke ($1.45)
button1
Confirm Order
groupBox2
Toppings ($0.75 each)
checkBox14
Shredded Chicken
checkBox13
Roasted Garlic
checkBox12
Spinach
checkBox11
Sun Dried Tomatoes
checkBox10
Anchovies
checkBox9
Dried Shrimps
checkBox8
Pineapple
checkBox7
Jalapeno
checkBox6
Ground Beef
checkBox5
Bacon
checkBox4
checkBox3
Mushroom
checkBox2
Extra Cheese
checkBox1
Pepperoni
groupBox1
Pizza Size
radioButton4
Extra Large ($13.00)
radioButton3
Large ($10.00)
radioButton2
Medium ($7.00)
radioButton1
Small ($4.00)
Confirm Your Order
pictureBox2
button4
Clear Order
label5
Total Amount
textBox10
label4
textBox9
label3
Amount before taxes
textBox8
button3
Check Out
button2
Order Again
listView1
Items
Price CAD
label2
Order List
Make Payment
button8
Submit Order
button7
button6
Go Back
groupBox7
Payment Information
textBox21
label18
Change:
textBox20
label17
*Amount Paid:
textBox19
label16
Amount Due:
textBox18
label15
*Card No:
comboBox2
label14
*Payment Method:
groupBox6
Customer Information
label19
Fields with ( * ) are required.
textBox17
label13
Email:
textBox16
label12
Contact No:
textBox15
label11
*Postal Code:
textBox14
label10
City:
comboBox1
label9
Province:
textBox13
label8
*Address:
textBox12
label7
*Last Name:
textBox11
label6
*First Name:
Microsoft Sans Serif
label21
pictureBox1
Form1
Pizza Express
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Coca Group of Restaurants
CompanyName
Makong King Yee.
FileDescription
MK Restaurant
FileVersion
68.23.1.0
InternalName
TJrduJL8RICTIdn.exe
LegalCopyright
Makong King Yee CEO Rit Thirakomen 2012
OriginalFilename
TJrduJL8RICTIdn.exe
ProductName
MK Restaurant
ProductVersion
68.23.1.0
Assembly Version
68.0.0.11

Full Results

Engine Signature
Bkav Clean
DrWeb Clean
MicroWorld-eScan Gen:Variant.Razy.692990
FireEye Generic.mg.1dba5b473921df96
CAT-QuickHeal Clean
McAfee GenericRXLE-YG!1DBA5B473921
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Trojan:MSIL/Kryptik.d970f5fe
K7GW Clean
Cybereason malicious.61b944
TrendMicro Clean
BitDefenderTheta Clean
F-Prot Clean
Symantec ML.Attribute.HighConfidence
TotalDefense Clean
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
ClamAV Clean
Kaspersky Clean
BitDefender Gen:Variant.Razy.692990
NANO-Antivirus Clean
Paloalto Clean
AegisLab Clean
Tencent Clean
Endgame malicious (high confidence)
TACHYON Clean
Emsisoft Gen:Variant.Razy.692990 (B)
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
Invincea Clean
Trapmine suspicious.low.ml.score
CMC Clean
Sophos Clean
SentinelOne Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Fortinet MSIL/Kryptik.WGV!tr
Antiy-AVL Clean
Kingsoft Clean
Arcabit Trojan.Razy.DA92FE
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
Cynet Malicious (score: 100)
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Gen:Variant.Razy.692990
MAX malware (ai score=80)
Ad-Aware Gen:Variant.Razy.692990
Malwarebytes Clean
Zoner Clean
ESET-NOD32 a variant of MSIL/Kryptik.WGV
TrendMicro-HouseCall Clean
Rising Clean
Yandex Clean
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_95%
GData Gen:Variant.Razy.692990
AVG Win32:MalwareX-gen [Trj]
Panda Clean
CrowdStrike win/malicious_confidence_60% (W)
Qihoo-360 Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 57593 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 63241 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 65048 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 10.953 seconds )

    • 5.344 Suricata
    • 3.947 BehaviorAnalysis
    • 0.522 Static
    • 0.293 Deduplicate
    • 0.258 VirusTotal
    • 0.23 static_dotnet
    • 0.157 NetworkAnalysis
    • 0.094 CAPE
    • 0.057 AnalysisInfo
    • 0.032 TargetInfo
    • 0.01 Strings
    • 0.005 Debug
    • 0.004 peid

    Signatures ( 0.5310000000000002 seconds )

    • 0.139 antiav_detectreg
    • 0.051 infostealer_ftp
    • 0.047 territorial_disputes_sigs
    • 0.029 antianalysis_detectreg
    • 0.029 infostealer_im
    • 0.015 antivm_vbox_keys
    • 0.012 antiav_detectfile
    • 0.011 infostealer_mail
    • 0.011 masquerade_process_name
    • 0.01 antivm_vmware_keys
    • 0.009 ransomware_files
    • 0.007 stealth_timeout
    • 0.007 antivm_parallels_keys
    • 0.007 antivm_xen_keys
    • 0.007 infostealer_bitcoin
    • 0.006 antidbg_windows
    • 0.006 api_spamming
    • 0.006 decoy_document
    • 0.006 antianalysis_detectfile
    • 0.006 ransomware_extensions
    • 0.005 antivm_generic_diskreg
    • 0.005 antivm_vbox_files
    • 0.005 antivm_vpc_keys
    • 0.005 geodo_banking_trojan
    • 0.004 NewtWire Behavior
    • 0.003 antivm_generic_scsi
    • 0.003 guloader_apis
    • 0.003 exec_crash
    • 0.003 kibex_behavior
    • 0.003 persistence_autorun
    • 0.002 Doppelganging
    • 0.002 antiemu_wine_func
    • 0.002 betabot_behavior
    • 0.002 dynamic_function_loading
    • 0.002 malicious_dynamic_function_loading
    • 0.002 antidbg_devices
    • 0.002 antivm_xen_keys
    • 0.002 antivm_hyperv_keys
    • 0.002 bypass_firewall
    • 0.002 predatorthethief_files
    • 0.002 qulab_files
    • 0.002 recon_fingerprint
    • 0.001 InjectionInterProcess
    • 0.001 InjectionCreateRemoteThread
    • 0.001 InjectionProcessHollowing
    • 0.001 Unpacker
    • 0.001 antiav_avast_libs
    • 0.001 antidebug_guardpages
    • 0.001 antivm_generic_disk
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 bootkit
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_heapspray
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 injection_runpe
    • 0.001 kazybot_behavior
    • 0.001 kovter_behavior
    • 0.001 mimics_filetime
    • 0.001 network_tor
    • 0.001 blackrat_registry_keys
    • 0.001 OrcusRAT Behavior
    • 0.001 reads_self
    • 0.001 recon_programs
    • 0.001 shifu_behavior
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 virus
    • 0.001 antivm_generic_bios
    • 0.001 antivm_generic_system
    • 0.001 antivm_vbox_devices
    • 0.001 antivm_vmware_files
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 medusalocker_regkeys
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 rat_pcclient
    • 0.001 warzonerat_regkeys
    • 0.001 remcos_regkeys

    Reporting ( 3.98 seconds )

    • 2.81 BinGraph
    • 1.046 JsonDump
    • 0.078 SubmitCAPE
    • 0.043 MITRE_TTPS
    • 0.003 PCAP2CERT