Auto Tasks

#17819: Unpacker

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-06-30 13:50:42 2020-06-30 13:56:19 337 seconds
route = tor
2020-05-13 09:07:58,415 [root] INFO: Date set to: 20200630T13:39:54, timeout set to: 200
2020-06-30 13:39:54,031 [root] DEBUG: Starting analyzer from: C:\tmpnwhtwc92
2020-06-30 13:39:54,031 [root] DEBUG: Storing results at: C:\WkafFpe
2020-06-30 13:39:54,031 [root] DEBUG: Pipe server name: \\.\PIPE\wjcBkUlKBO
2020-06-30 13:39:54,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:39:54,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:39:54,046 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:39:54,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:39:54,046 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:39:54,046 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:39:54,046 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:39:54,078 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:39:54,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:39:54,093 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:39:54,249 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:39:54,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:39:54,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:39:54,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:39:54,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:39:54,281 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:39:54,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:39:54,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:39:54,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:39:54,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:39:54,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:39:54,328 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:39:54,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:39:56,140 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:39:56,171 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:39:56,187 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:39:56,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:39:56,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:39:56,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:39:56,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:39:56,218 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:39:56,218 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:39:56,218 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:39:56,218 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:39:56,218 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:39:56,218 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:39:56,218 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:39:56,218 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:39:56,218 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:39:56,218 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:39:56,218 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:39:56,218 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:39:56,218 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:39:56,593 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:39:56,593 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:39:56,625 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:39:56,625 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:39:56,625 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:39:56,625 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:39:56,656 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:39:56,656 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:39:56,656 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:39:56,656 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:39:56,656 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:39:56,656 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:39:56,656 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:39:56,671 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:39:56,671 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:39:56,671 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:39:56,671 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:39:56,671 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:39:56,671 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:39:56,671 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:39:56,671 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:39:56,671 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:39:56,671 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:39:56,671 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:39:56,671 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:39:56,671 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:39:56,671 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:39:56,687 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:39:56,687 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:39:56,687 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:39:56,687 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:39:57,046 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe" with arguments "" with pid 1172
2020-06-30 13:39:57,046 [lib.api.process] INFO: Monitor config for process 1172: C:\tmpnwhtwc92\dll\1172.ini
2020-06-30 13:39:57,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\AkoSAHai.dll, loader C:\tmpnwhtwc92\bin\urdAOZP.exe
2020-06-30 13:39:57,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wjcBkUlKBO.
2020-06-30 13:39:57,140 [root] DEBUG: Loader: Injecting process 1172 (thread 5540) with C:\tmpnwhtwc92\dll\AkoSAHai.dll.
2020-06-30 13:39:57,140 [root] DEBUG: Process image base: 0x00900000
2020-06-30 13:39:57,140 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:39:57,140 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:39:57,156 [root] DEBUG: Successfully injected DLL C:\tmpnwhtwc92\dll\AkoSAHai.dll.
2020-06-30 13:39:57,156 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1172
2020-06-30 13:39:59,453 [lib.api.process] INFO: Successfully resumed process with pid 1172
2020-06-30 13:40:00,359 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:40:00,359 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:40:00,375 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1172 at 0x69d90000, image base 0x900000, stack from 0x275000-0x280000
2020-06-30 13:40:00,375 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe".
2020-06-30 13:40:00,750 [root] INFO: Loaded monitor into process with pid 1172
2020-06-30 13:40:00,765 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:40:00,765 [root] DEBUG: set_caller_info: Adding region at 0x01600000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:40:00,781 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 13:40:00,781 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1600000
2020-06-30 13:40:00,781 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01600000 size 0x400000.
2020-06-30 13:40:00,796 [root] DEBUG: DumpPEsInRange: Scanning range 0x1600000 - 0x1601000.
2020-06-30 13:40:00,796 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1600000-0x1601000.
2020-06-30 13:40:00,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\WkafFpe\CAPE\1172_3481742960401830262020 (size 0xf50)
2020-06-30 13:40:00,843 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00180000.
2020-06-30 13:40:00,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xb8 amd local view 0x703E0000 to global list.
2020-06-30 13:40:00,843 [root] DEBUG: DLL loaded at 0x703E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:40:00,859 [root] DEBUG: DLL unloaded from 0x76020000.
2020-06-30 13:40:00,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 amd local view 0x00280000 to global list.
2020-06-30 13:40:00,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00280000 to global list.
2020-06-30 13:40:00,875 [root] DEBUG: DLL loaded at 0x74330000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:40:00,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67620000 for section view with handle 0xd0.
2020-06-30 13:40:00,906 [root] DEBUG: DLL loaded at 0x67620000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-30 13:40:00,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69CF0000 for section view with handle 0xd4.
2020-06-30 13:40:00,921 [root] DEBUG: DLL loaded at 0x69CF0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-06-30 13:40:00,937 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1172, handle 0xe0.
2020-06-30 13:40:00,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x00100000 to global list.
2020-06-30 13:40:00,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 amd local view 0x00110000 to global list.
2020-06-30 13:40:00,937 [root] INFO: Disabling sleep skipping.
2020-06-30 13:40:00,937 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1172.
2020-06-30 13:40:00,937 [root] DEBUG: DLL loaded at 0x753D0000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-30 13:40:00,953 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:40:00,953 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1172.
2020-06-30 13:40:00,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1a0 amd local view 0x66B20000 to global list.
2020-06-30 13:40:00,968 [root] DEBUG: DLL loaded at 0x66B20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-30 13:40:00,968 [root] DEBUG: DLL unloaded from 0x76640000.
2020-06-30 13:40:00,984 [root] DEBUG: set_caller_info: Adding region at 0x03540000 to caller regions list (kernel32::SetErrorMode).
2020-06-30 13:40:01,015 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x357ffff
2020-06-30 13:40:01,015 [root] DEBUG: DumpMemory: Nothing to dump at 0x03540000!
2020-06-30 13:40:01,015 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03540000 size 0x40000.
2020-06-30 13:40:01,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x3540000 - 0x3541000.
2020-06-30 13:40:01,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3540000-0x3541000.
2020-06-30 13:40:01,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\WkafFpe\CAPE\1172_21174592931401830262020 (size 0xffe)
2020-06-30 13:40:01,046 [root] DEBUG: DumpRegion: Dumped stack region from 0x03540000, size 0x1000.
2020-06-30 13:40:01,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 amd local view 0x002A0000 to global list.
2020-06-30 13:40:01,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00400000 for section view with handle 0x1b4.
2020-06-30 13:40:01,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x69800000 for section view with handle 0x1b4.
2020-06-30 13:40:01,093 [root] DEBUG: DLL loaded at 0x69800000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-30 13:40:01,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 amd local view 0x66370000 to global list.
2020-06-30 13:40:01,140 [root] DEBUG: DLL loaded at 0x66370000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-30 13:40:01,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x661E0000 for section view with handle 0x1c4.
2020-06-30 13:40:01,140 [root] DEBUG: DLL loaded at 0x661E0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-30 13:40:01,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x65600000 for section view with handle 0x1c4.
2020-06-30 13:40:01,171 [root] DEBUG: DLL loaded at 0x65600000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-30 13:40:01,312 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:40:01,312 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2dffff
2020-06-30 13:40:01,312 [root] DEBUG: DumpMemory: Nothing to dump at 0x002D0000!
2020-06-30 13:40:01,312 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002D0000 size 0x10000.
2020-06-30 13:40:01,312 [root] DEBUG: DumpPEsInRange: Scanning range 0x2d0000 - 0x2d1000.
2020-06-30 13:40:01,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2d0000-0x2d1000.
2020-06-30 13:40:01,343 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\WkafFpe\CAPE\1172_13428452161401830262020 (size 0x9e)
2020-06-30 13:40:01,343 [root] DEBUG: DumpRegion: Dumped stack region from 0x002D0000, size 0x1000.
2020-06-30 13:40:01,343 [root] DEBUG: DLL loaded at 0x73940000: C:\Windows\system32\uxtheme (0x40000 bytes).
2020-06-30 13:40:01,343 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:40:01,343 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00130000.
2020-06-30 13:40:01,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d0 amd local view 0x64B70000 to global list.
2020-06-30 13:40:02,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1172.
2020-06-30 13:40:02,328 [root] DEBUG: DLL loaded at 0x74880000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:40:02,328 [root] DEBUG: DLL loaded at 0x74610000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:40:02,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x72A30000 to global list.
2020-06-30 13:40:02,531 [root] DEBUG: DLL loaded at 0x72A30000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-30 13:40:02,531 [root] DEBUG: DLL unloaded from 0x72A30000.
2020-06-30 13:40:02,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00430000 for section view with handle 0x228.
2020-06-30 13:40:02,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x02A10000 to global list.
2020-06-30 13:40:02,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x69750000 to global list.
2020-06-30 13:40:02,781 [root] DEBUG: DLL loaded at 0x69750000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2020-06-30 13:40:02,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x244 amd local view 0x00580000 to global list.
2020-06-30 13:40:03,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x24c amd local view 0x01560000 to global list.
2020-06-30 13:40:03,187 [root] DEBUG: DLL unloaded from 0x00900000.
2020-06-30 13:40:03,281 [root] DEBUG: OpenProcessHandler: Image base for process 1172 (handle 0x250): 0x00900000.
2020-06-30 13:40:03,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x254 amd local view 0x00590000 to global list.
2020-06-30 13:40:03,296 [root] INFO: Announced 32-bit process name: dw20.exe pid: 6012
2020-06-30 13:40:03,296 [lib.api.process] INFO: Monitor config for process 6012: C:\tmpnwhtwc92\dll\6012.ini
2020-06-30 13:40:03,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpnwhtwc92\dll\AkoSAHai.dll, loader C:\tmpnwhtwc92\bin\urdAOZP.exe
2020-06-30 13:40:03,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wjcBkUlKBO.
2020-06-30 13:40:03,312 [root] DEBUG: Loader: Injecting process 6012 (thread 5976) with C:\tmpnwhtwc92\dll\AkoSAHai.dll.
2020-06-30 13:40:03,312 [root] DEBUG: Process image base: 0x10000000
2020-06-30 13:40:03,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpnwhtwc92\dll\AkoSAHai.dll.
2020-06-30 13:40:03,312 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-30 13:40:03,312 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:40:04,383 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 13:40:05,391 [root] DEBUG: Error -1073741515 (0xc0000135) - InjectDllViaThread: RtlCreateUserThread injection failed: (null)
2020-06-30 13:40:05,391 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-06-30 13:40:05,391 [root] DEBUG: Failed to inject DLL C:\tmpnwhtwc92\dll\AkoSAHai.dll.
2020-06-30 13:40:05,407 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 6012, error: 4294967288
2020-06-30 13:40:05,407 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:40:05,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 amd local view 0x05F60000 to global list.
2020-06-30 13:40:06,455 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2020-06-30 13:40:08,501 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1172
2020-06-30 13:40:08,533 [root] DEBUG: GetHookCallerBase: thread 5540 (handle 0x0), return address 0x69DC1698, allocation base 0x69D90000.
2020-06-30 13:40:08,548 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00900000.
2020-06-30 13:43:19,673 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:43:19,673 [lib.api.process] ERROR: Failed to open terminate event for pid 1172
2020-06-30 13:43:19,673 [root] INFO: Terminate event set for process 1172.
2020-06-30 13:43:19,673 [root] INFO: Created shutdown mutex.
2020-06-30 13:43:20,673 [root] INFO: Shutting down package.
2020-06-30 13:43:20,673 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:43:20,798 [lib.common.results] WARNING: File C:\WkafFpe\bin\procmon.xml doesn't exist anymore
2020-06-30 13:43:20,798 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:43:20,798 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:43:20,814 [root] WARNING: Folder at path "C:\WkafFpe\debugger" does not exist, skip.
2020-06-30 13:43:20,814 [root] WARNING: Monitor injection attempted but failed for process 6012.
2020-06-30 13:43:20,830 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7_1 win7_1 KVM 2020-06-30 13:50:42 2020-06-30 13:56:19

File Details

File Name DOCUMENT_PDF.exe
File Size 380928 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-30 05:08:50
MD5 1dba5b473921df961ea28abf48658e8f
SHA1 b36d4f261b9443841d3b5717ddcf5f9fdfec96e1
SHA256 89324c8c402f268c3348061e16af6cf60e37ec46d14a96bc965adb3c94cae044
SHA512 750408a6e550cbc704b66bacfa7de8cd91d06ae7517b20c8e9973e56814e858d30dbf0bdbe4cdce2ea6530d77388bece7442edb9dbf4fe5e073ee325356187f2
CRC32 DBE9BAA2
Ssdeep 6144:o00zi0L3+pLPG5CuIyIeEfPK5TdVqnBKzY50wUe9D6WPMaL/uJdPzLA:x0F+1YIxsG56e92WPMGQLL

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: mscoreei.dll/DllGetClassObject_RetAddr
DynamicLoader: mscoreei.dll/DllGetClassObject
DynamicLoader: diasymreader.dll/DllGetClassObjectInternal
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: MSCOREE.DLL/DllGetClassObject
Reads data out of its own binary image
self_read: process: DOCUMENT_PDF.exe, pid: 1172, offset: 0x00000000, length: 0x00001000
self_read: process: DOCUMENT_PDF.exe, pid: 1172, offset: 0x000080c2, length: 0x00000200
CAPE extracted potentially suspicious content
DOCUMENT_PDF.exe: Unpacked Shellcode
DOCUMENT_PDF.exe: Unpacked Shellcode
DOCUMENT_PDF.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.78, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0005a000, virtual_size: 0x00059754
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe
Network activity detected but not expressed in API logs

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe.config
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index38e.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\System32\l_intl.nls
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Globalization\en-us.nlp
C:\Users\Rebecca\AppData\Local\Temp\TJrduJL8RICTIdn.dll
C:\Users\Rebecca\AppData\Local\Temp\TJrduJL8RICTIdn\TJrduJL8RICTIdn.dll
C:\Users\Rebecca\AppData\Local\Temp\TJrduJL8RICTIdn.exe
C:\Users\Rebecca\AppData\Local\Temp\TJrduJL8RICTIdn\TJrduJL8RICTIdn.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\VERSION.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.PDB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe.config
C:\Users\Rebecca\AppData\Local\Temp\DOCUMENT_PDF.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Rebecca\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index38e.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Fonts\staticcache.dat
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\48524502\b79fa73
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\DOCUMENT_PDF.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index38e\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\74\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\6d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\66\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\65\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\54\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\57\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\53\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\61\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\78\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\70\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\6f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\5c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetVersionExW
kernel32.dll.GetFullPathNameW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
kernel32.dll.SwitchToThread
ole32.dll.CoCreateGuid
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.CreateEventW
kernel32.dll.CloseHandle
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtGetCurrentProcessorNumber
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
advapi32.dll.CheckTokenMembership
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
dw20.exe -x -s 596
Global\CLR_CASOFF_MUTEX
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x0045b74e 0x00000000 0x00067651 4.0 2020-06-30 05:08:50 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00002000 0x00059754 0x0005a000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.78
.rsrc 0x0005b000 0x0005c000 0x000003f8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.07
.reloc 0x0005c000 0x0005e000 0x0000000c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.02

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0005c058 0x000003a0 LANG_NEUTRAL SUBLANG_NEUTRAL 3.47 None

Imports


Assembly Information

Name TJrduJL8RICTIdn
Version 68.0.0.11

Assembly References

Name Version
mscorlib 2.0.0.0
System.Windows.Forms 2.0.0.0
System 2.0.0.0
System.Drawing 2.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute MK Restaura
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 68.23.1
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Makong King Yee CEO Rit Thirakomen 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 38cebe60-3d2b-4beb-ab6e-f82b14b7eb
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Makong King Ye
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute Coca Group of Restauran
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute MK Restaura

Type References

Assembly Type Name
mscorlib System.Object
System.Windows.Forms System.Windows.Forms.Form
mscorlib System.EventArgs
System.Windows.Forms System.Windows.Forms.KeyPressEventArgs
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.TabControl
System.Windows.Forms System.Windows.Forms.TabPage
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ListView
System.Windows.Forms System.Windows.Forms.ColumnHeader
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.RadioButton
System.Windows.Forms System.Windows.Forms.CheckBox
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.PictureBox
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyVersionAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.STAThreadAttribute
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.ListViewItem
System.Windows.Forms System.Windows.Forms.ListViewItem/ListViewSubItemCollection
System.Windows.Forms System.Windows.Forms.ListViewItem/ListViewSubItem
System.Windows.Forms System.Windows.Forms.ListView/ListViewItemCollection
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.Convert
mscorlib System.Double
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
mscorlib System.Char
mscorlib System.String
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
mscorlib System.Threading.Thread
mscorlib System.AppDomain
mscorlib System.Reflection.Assembly
mscorlib System.Type
mscorlib System.Reflection.BindingFlags
mscorlib System.Reflection.Binder
mscorlib System.Text.StringBuilder
mscorlib System.Math
mscorlib System.CrossAppDomainDelegate
mscorlib System.Environment
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.Padding
System.Windows.Forms System.Windows.Forms.ButtonBase
mscorlib System.EventHandler
System.Windows.Forms System.Windows.Forms.KeyPressEventHandler
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.ListView/ColumnHeaderCollection
System.Windows.Forms System.Windows.Forms.View
System.Windows.Forms System.Windows.Forms.ComboBoxStyle
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.ScrollableControl
System.Windows.Forms System.Windows.Forms.FormBorderStyle
mscorlib System.Console
mscorlib System.Nullable`1

c?=x|
}>+Up
zO4l]
+]Ylnn
g/i'd
K{kg,
JFIDG
*nO,.
fM8t38
CozXm
R|J30u
4SjbI
rgf69p
2NJcwg
MZ1ZK9
ljMc`L
(a%HG,
D7Ij.G0
r3Q[k1
R?D6]
%n;'n"m
c-"|%
56C1j
xLJ(V1
GN>Sg"
Y_%MZ$
{09s'
CURahk
Ah#h}
4y T]
8L0]^8X
WnRfD
I/dwR
p`YJ>
b-?l7
?t<@os
v0Y5(
&AufB
e84A!
^o?Fb1
+],88i
_vXvY
a'3rr
XM}""e
)!YCE
<?^f(P
XH?vw
@\A%+s
.%$C/ %H
jE3OY"
aTb=`
^4Dvv
~EmC4
(B%ZJ
JZ:oD
i)>}e
4HF>)
"fB"vD
Sr 7
j4#9<
<:yJ?
EeEb}-
L[Q -
7VWW?
xy},H
<,+Ii
8Vnjb
[)Wog
R 9%!
uHBTmK
~#o{o?kE
gt~sM
u 8paW
0m=z%
HgMv3&D
wfa1C
raq{cI
n01.*
u[*(`
M=I z
'v8OV
o6u=9
eLj7Y
-]8"G
VMJ02H
|OMF6}
c^m'O~+
;qISX
$/tZK
MQEiH
3^;kO?u
_nGM&k>/
xS2k;
UM9nz
:%M"z
85Nd1m
#cNLUlOc
`O%@0
QHg*)
u*hOG
#N{J60
Bxr73k"
n"yJs
^C(/\
[I10=$
45;C}
|!1)F>
~'!#x
e3I'A
sQ^xU
xi(!0>z
AF$"e:]7R%e))7G
Hr!'k
@o\ZV&
\\w.7u
T/!&p
NML>`
x YcF
D,-%\
Sw#}0d3"
Ji}lG
*`nTh
J=F/Y
tH=p`
pKR)T
yhD;3
TtC)OW
*HTi$
82v-e
">n)j
HnJIl
XqJ/c
JL(8R=3
F{R:.
~+TpZ
86oP_
)4a^(
~eL6jQ
j~m6D}
<#Ol8A\L^_
j+Rm?<
Je"$S
IQJFj0
EYfJ}N
KX7d3
Q{VY4
D_t{C
Z+lz\
1L)Ix
f6PR?
2zR+M
a%Gnx
qXuj>
}'#.gV
Pj`g=_mo
s1uRz
H;"7i
Rxw 8A&
Y;azv
ARX {
Z5H`A
Shd3[u
IhHbO
XcjP:
'b3~3,K
[.?q%
]H~g8
o8#?n
`PWwd
z+;aOh/:
2m(xK )
^>>`E
1IDATID
rO4=(
E\Etb.
?S".
z8MWp#
?8yKb
_{/9*
20%>x
-qx40
>UtO5^
Vm6S}
?7Nf~
g`\egWIa
Cn);/
YJjwx
JoN?~5
>W(lh0
KWu0kn
0DhO#_
z|o4;y
=p4Mib
]I{#{
`];'A
r;BF$
wZoI1
#n^{hEA
-0rtX
,nESx
tduUm
87rCX.<>
$$bG
GN(+l
f|? e
p|S`.
>W><`\lrG
c}jtn
{>R``
r)`re
-`PchX
rWm>{
Y~l"Wonq
:_GN]K
rL(br
LD88%#
h|<{)
fFAog
dvUoE
8F>6H)
e~83VOX SW
jJ*U[
_?#IIElV
v0[7fGz
z6#/l
LWR.<
}Q5nZ
A&Mx5;D
los2d?2
`#6:Gx7
hXpoZ
o)=m7q
N%tr{
2f-#
VKVy1N
$:3 7
^l%(:
5H4}f
*VCIr
S&[.E
.AOE7c
yAl'e^
`rK+X.P::
lScO~
1+j4.0
#U5+hp}
A?)3s
lVo|'
^z`/W
?\'2$
TUdFl
VTw}a
:4m&+
nz9:qm
'3&bk
H/%4mu
{^jEm
-/ZY<
,bhyi
VFvBb
"fb[!
CmRk>
Q%f|G3
AUm=T
[\Nl3
"MqoQ
>.!y~
UD{ )
^S~>P
U?$-
je]3M3
pv;s%5#`
Q2N1[
uI/"~d
:t4aKF
otK}_
%.hb=
)qh9y
*Y}Tj]
``e7M
`I9i>
hZ%//X
#YKRh
Es:8n
2|]ef
Y_x\q
l|;PSW
vc\T/p
6#F`w
1Fokw
R{$i{
R_/:7
jy=Ot i
,oK3*
U"zX^
Q)sheG
ZS>Q!<?
K6#Tk
"'X?o
b[vaHa
dqjPGT
'/dmTrv
=l3=U
In4ML<`
J\d2!h
Y"m.j
<?o#K
JxnmM
)U)\fXW
<3INk
2(+BjAy
.N1#h
\IqD0[
FG{?y
sIPqo
Ir,y6
0lk!x
rH\T;E
Wz!PgpQP
[3&SuK
b0y~;8FD
o*&S)b
]92wA
.H5K#i
[e|;Wh
q]r$x
P4Rx=
@NSHkLw
hOKuP
Z^R<I
m<W]|(N
9O(I~lR
NT:n)
\its\
924]}`x
s`=LhP7|
H_Vr#
NtBPS
ZH2{UX,
w.DE{g}
abe|'
O30nDF
~PX-t
+WSz9
$^`bK1
o}~_nR
1m+b7\
eldYOEb
W_2.w$
|ZFH*`]<
dT)>k
L&h,)
Rsxd*
[YpKS
,+5fX
3^@UA
HaTA4
skN4vX-
y7neR
`q?S[
2df7
YK8:>l
+X'}z
v2.0.50727
#Strings
#GUID
#Blob
<Module>
TJrduJL8RICTIdn.exe
AbZVBPSqBUVONvpOHI
DxQhwXvQlHmvZcWOa
QdtCBbYAibZOddQr
HInsz
WndgC
sooygZgF
mscorlib
System
Object
System.Windows.Forms
.ctor
EventArgs
button1_Click_1
button2_Click
button3_Click
Form1_Load
KeyPressEventArgs
textBox1_KeyPress
textBox2_KeyPress
textBox3_KeyPress
textBox4_KeyPress
textBox5_KeyPress
textBox6_KeyPress
textBox7_KeyPress
listView1_SelectedIndexChanged
button4_Click
button5_Click
textBox20_KeyPress
button6_Click
button7_Click
button8_Click
comboBox2_SelectedIndexChanged
System.ComponentModel
IContainer
components
Dispose
CallBack
InitializeComponent
TabControl
tabControl1
TabPage
tabPage1
tabPage2
tabPage3
Label
label2
Button
button1
ListView
listView1
ColumnHeader
columnHeader1
columnHeader2
GroupBox
groupBox2
groupBox1
groupBox3
groupBox4
groupBox5
RadioButton
radioButton4
radioButton3
radioButton2
radioButton1
radioButton7
radioButton6
radioButton5
CheckBox
checkBox13
checkBox12
checkBox11
checkBox10
checkBox9
checkBox8
checkBox7
checkBox6
checkBox5
checkBox4
checkBox3
checkBox2
checkBox1
checkBox14
checkBox21
checkBox20
checkBox19
checkBox18
checkBox17
checkBox16
checkBox15
TextBox
textBox7
textBox6
textBox5
textBox4
textBox3
textBox2
textBox1
label1
checkBox28
checkBox27
checkBox26
checkBox25
checkBox24
checkBox23
checkBox22
columnHeader3
button3
button2
textBox8
label5
textBox10
label4
textBox9
label3
button4
groupBox7
groupBox6
button5
ComboBox
comboBox1
label9
textBox13
label8
textBox12
label7
textBox11
label6
textBox17
label13
textBox16
label12
textBox15
label11
textBox14
label10
comboBox2
label14
textBox20
label17
textBox19
label16
textBox18
label15
textBox21
label18
button6
button8
button7
label19
PictureBox
pictureBox1
label21
label20
pictureBox2
pdMTByVEt
kCHzofuo
VNAXFf
dEwSuR
enZgCpZ
zSuIIBG
xxKZma
ntuepi
WRYLWi
System.Runtime.InteropServices
GuidAttribute
System.Reflection
AssemblyVersionAttribute
AssemblyFileVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
TJrduJL8RICTIdn
STAThreadAttribute
Application
EnableVisualStyles
SetCompatibleTextRenderingDefault
sender
get_Checked
ListViewItem
ListViewSubItemCollection
get_SubItems
ListViewSubItem
ListViewItemCollection
get_Items
Control
get_Text
Convert
ToInt32
Double
ToString
set_Text
System.Collections
IEnumerator
GetEnumerator
get_Current
get_Item
ToDouble
MoveNext
IDisposable
SelectTab
set_Checked
set_Enabled
ObjectCollection
get_KeyChar
IsDigit
set_Handled
Clear
Close
String
op_Equality
MessageBox
DialogResult
TrimStart
MessageBoxButtons
disposing
System.Threading
Thread
Sleep
AppDomain
GetDomain
FromBase64String
Assembly
GetType
BindingFlags
Binder
InvokeMember
input
System.Text
StringBuilder
get_Chars
Round
Append
get_Length
CreateDomain
CrossAppDomainDelegate
DoCallBack
Environment
SuspendLayout
ISupportInitialize
BeginInit
ControlCollection
get_Controls
System.Drawing
FontStyle
GraphicsUnit
set_Font
Point
set_Location
set_Name
set_SelectedIndex
set_Size
set_TabIndex
Color
FromArgb
set_BackColor
Padding
set_Padding
set_AutoSize
get_White
set_ForeColor
ButtonBase
set_UseVisualStyleBackColor
EventHandler
add_Click
set_TabStop
KeyPressEventHandler
add_KeyPress
get_Black
PictureBoxSizeMode
set_SizeMode
ColumnHeaderCollection
get_Columns
AddRange
set_UseCompatibleStateImageBehavior
set_View
add_SelectedIndexChanged
set_Width
get_ForestGreen
ComboBoxStyle
set_DropDownStyle
get_DarkRed
SizeF
ContainerControl
set_AutoScaleDimensions
AutoScaleMode
set_AutoScaleMode
ScrollableControl
set_AutoScroll
get_DarkGoldenrod
set_ClientSize
FormBorderStyle
set_FormBorderStyle
set_MaximizeBox
add_Load
ResumeLayout
PerformLayout
EndInit
Ceiling
Console
WriteLine
Nullable`1
get_HasValue
GetValueOrDefault
a3222.resources
$38cebe60-3d2b-4beb-ab6e-f82b14b7ebe0
68.23.1.0
'Makong King Yee CEO Rit Thirakomen 2012
MK Restaurant
Makong King Yee.
Coca Group of Restaurants
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
cYfxXSYwpfAkiUYbLxd.png
[k.+
Normal Crust Small Pizza
Cheesy Crust Small Pizza
Sausage Crust Small Pizza
Normal Crust Medium Pizza
Cheesy Crust Medium Pizza
Sausage Crust Medium Pizza
Normal Crust Large Pizza
10.00
Cheesy Crust Large Pizza
Sausage Crust Large Pizza
Normal Crust Extra Large Pizza
13.00
Cheesy Crust Extra Large Pizza
Sausage Crust Extra Large Pizza
Pepperoni Toppings
Extra Cheese Toppings
Mushroom Toppings
Ham Toppings
Bacon Toppings
Ground Beef Toppings
Jalapeno Toppings
Pineapple Toppings
Dried Shrimps Toppings
Anchovies Toppings
Sun Dried Tomatoes Toppings
Spinach Toppings
Roasted Garlic Toppings
Shredded Chicken Toppings
Coke - Can
Diet Coke - Can
Iced Tea - Can
Ginger Ale - Can
Sprite - Can
Root Beer - Can
Bottled Water
Chicken Wings
Poutine
Onion Rings
Cheesy Garlic Bread
Garlic Dip
BBQ Dip
Sour Cream Dip
tabPage2
tabPage1
tabPage3
Alberta
British Columbia
Manitoba
New Brunswick
Newfoundland and Labrador
Ontario
Prince Edward Island
Quebec
Saskatchewan
Credit Card
Debit Card
Promo Card
Please fill in required fields
Please pay your balance
Thanks for ordering at Pizza Express. Your ordered items will be ready and delivered in 30 minutes. Do you want to order some more?
Trriority.Sdar
CoreLoader
a3222.resources
H7yzS3
cYfxXSYwpfAkiUYbLxd.png
TempDomain
Calibri
tabControl1
Place Your Order
label20
Brought To You By code-projects.org
button5
groupBox5
Crust
radioButton7
Sausage
radioButton6
Cheesy
radioButton5
Normal
groupBox4
Other Items
checkBox28
Sour Cream Dip (Free)
checkBox27
BBQ Dip (Free)
checkBox26
Garlic Dip (Free)
checkBox25
Cheesy Garlic Bread ($3.00)
checkBox24
Onion Rings ($3.00)
checkBox23
Poutine ($3.00)
checkBox22
Chicken Wings ($3.00)
groupBox3
Drinks
textBox7
textBox6
textBox5
textBox4
textBox3
textBox2
textBox1
label1
Quantity
checkBox21
Water ($1.25)
checkBox20
Root Beer ($1.45)
checkBox19
Sprite ($1.45)
checkBox18
Ginger Ale ($1.45)
checkBox17
Iced Tea ($1.45)
checkBox16
Diet Coke ($1.45)
checkBox15
Coke ($1.45)
button1
Confirm Order
groupBox2
Toppings ($0.75 each)
checkBox14
Shredded Chicken
checkBox13
Roasted Garlic
checkBox12
Spinach
checkBox11
Sun Dried Tomatoes
checkBox10
Anchovies
checkBox9
Dried Shrimps
checkBox8
Pineapple
checkBox7
Jalapeno
checkBox6
Ground Beef
checkBox5
Bacon
checkBox4
checkBox3
Mushroom
checkBox2
Extra Cheese
checkBox1
Pepperoni
groupBox1
Pizza Size
radioButton4
Extra Large ($13.00)
radioButton3
Large ($10.00)
radioButton2
Medium ($7.00)
radioButton1
Small ($4.00)
Confirm Your Order
pictureBox2
button4
Clear Order
label5
Total Amount
textBox10
label4
textBox9
label3
Amount before taxes
textBox8
button3
Check Out
button2
Order Again
listView1
Items
Price CAD
label2
Order List
Make Payment
button8
Submit Order
button7
button6
Go Back
groupBox7
Payment Information
textBox21
label18
Change:
textBox20
label17
*Amount Paid:
textBox19
label16
Amount Due:
textBox18
label15
*Card No:
comboBox2
label14
*Payment Method:
groupBox6
Customer Information
label19
Fields with ( * ) are required.
textBox17
label13
Email:
textBox16
label12
Contact No:
textBox15
label11
*Postal Code:
textBox14
label10
City:
comboBox1
label9
Province:
textBox13
label8
*Address:
textBox12
label7
*Last Name:
textBox11
label6
*First Name:
Microsoft Sans Serif
label21
pictureBox1
Form1
Pizza Express
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Coca Group of Restaurants
CompanyName
Makong King Yee.
FileDescription
MK Restaurant
FileVersion
68.23.1.0
InternalName
TJrduJL8RICTIdn.exe
LegalCopyright
Makong King Yee CEO Rit Thirakomen 2012
OriginalFilename
TJrduJL8RICTIdn.exe
ProductName
MK Restaurant
ProductVersion
68.23.1.0
Assembly Version
68.0.0.11
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 60934 1.1.1.1 53
192.168.1.2 64006 1.1.1.1 53
192.168.1.2 137 192.168.1.255 137
192.168.1.2 60934 8.8.8.8 53
192.168.1.2 64006 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 4.807999999999999 seconds )

    • 3.117 BehaviorAnalysis
    • 0.496 Suricata
    • 0.437 Static
    • 0.222 Deduplicate
    • 0.173 VirusTotal
    • 0.129 static_dotnet
    • 0.088 AnalysisInfo
    • 0.061 CAPE
    • 0.031 TargetInfo
    • 0.03 NetworkAnalysis
    • 0.01 Strings
    • 0.008 Debug
    • 0.006 peid

    Signatures ( 0.7440000000000003 seconds )

    • 0.143 antiav_detectreg
    • 0.104 infostealer_ftp
    • 0.057 infostealer_im
    • 0.05 territorial_disputes_sigs
    • 0.029 antianalysis_detectreg
    • 0.027 antivm_vbox_keys
    • 0.022 infostealer_mail
    • 0.021 masquerade_process_name
    • 0.019 antivm_vmware_keys
    • 0.015 infostealer_bitcoin
    • 0.015 ransomware_files
    • 0.014 antivm_xen_keys
    • 0.012 antiav_detectfile
    • 0.01 antivm_vpc_keys
    • 0.01 geodo_banking_trojan
    • 0.009 ransomware_extensions
    • 0.008 stealth_timeout
    • 0.008 antivm_parallels_keys
    • 0.007 api_spamming
    • 0.007 decoy_document
    • 0.006 antidbg_windows
    • 0.006 antianalysis_detectfile
    • 0.005 NewtWire Behavior
    • 0.005 antivm_generic_diskreg
    • 0.005 antivm_vbox_files
    • 0.005 qulab_files
    • 0.004 guloader_apis
    • 0.004 ketrican_regkeys
    • 0.004 bypass_firewall
    • 0.004 predatorthethief_files
    • 0.003 Doppelganging
    • 0.003 antiemu_wine_func
    • 0.003 antivm_generic_scsi
    • 0.003 exec_crash
    • 0.003 kibex_behavior
    • 0.003 persistence_autorun
    • 0.003 darkcomet_regkeys
    • 0.003 masslogger_files
    • 0.003 limerat_regkeys
    • 0.003 recon_fingerprint
    • 0.002 InjectionCreateRemoteThread
    • 0.002 antivm_generic_disk
    • 0.002 betabot_behavior
    • 0.002 dynamic_function_loading
    • 0.002 infostealer_browser
    • 0.002 infostealer_browser_password
    • 0.002 injection_createremotethread
    • 0.002 malicious_dynamic_function_loading
    • 0.002 mimics_filetime
    • 0.002 antidbg_devices
    • 0.002 antivm_xen_keys
    • 0.002 antivm_hyperv_keys
    • 0.002 antivm_vmware_files
    • 0.002 browser_security
    • 0.002 disables_browser_warn
    • 0.002 azorult_mutexes
    • 0.002 revil_mutexes
    • 0.002 warzonerat_regkeys
    • 0.001 InjectionInterProcess
    • 0.001 InjectionProcessHollowing
    • 0.001 Unpacker
    • 0.001 antiav_avast_libs
    • 0.001 antidebug_guardpages
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 bootkit
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_heapspray
    • 0.001 hawkeye_behavior
    • 0.001 injection_runpe
    • 0.001 kovter_behavior
    • 0.001 network_tor
    • 0.001 blackrat_registry_keys
    • 0.001 OrcusRAT Behavior
    • 0.001 reads_self
    • 0.001 recon_programs
    • 0.001 shifu_behavior
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 virus
    • 0.001 antivm_generic_bios
    • 0.001 antivm_generic_system
    • 0.001 antivm_vbox_devices
    • 0.001 banker_cridex
    • 0.001 banker_zeus_mutex
    • 0.001 bot_drive
    • 0.001 modify_proxy
    • 0.001 codelux_behavior
    • 0.001 disables_windows_defender_logging
    • 0.001 network_tor_service
    • 0.001 office_perfkey
    • 0.001 packer_armadillo_regkey
    • 0.001 medusalocker_regkeys
    • 0.001 satan_mutexes
    • 0.001 modirat_bheavior
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 rat_spynet
    • 0.001 remcos_regkeys
    • 0.001 lokibot_mutexes

    Reporting ( 5.724 seconds )

    • 3.272 BinGraph
    • 1.69 JsonDump
    • 0.702 MITRE_TTPS
    • 0.059 SubmitCAPE
    • 0.001 PCAP2CERT