Detections

Yara:

NanoCore

Analysis

Category: FILE
Package: exe
Started: 2020-06-05 13:59:03
Completed: 2020-06-05 14:05:36
Duration: 393 seconds
Options: route = tor

Log:
2020-05-13 09:29:20,121 [root] INFO: Date set to: 20200605T13:45:07, timeout set to: 200
2020-06-05 13:45:07,078 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-06-05 13:45:07,078 [root] DEBUG: Storing results at: C:\dHHjSXgfus
2020-06-05 13:45:07,078 [root] DEBUG: Pipe server name: \\.\PIPE\lXqkKfgj
2020-06-05 13:45:07,078 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 13:45:07,078 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 13:45:07,078 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 13:45:07,078 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 13:45:07,171 [root] DEBUG: Imported analysis package "exe".
2020-06-05 13:45:07,171 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 13:45:07,171 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 13:45:07,359 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 13:45:07,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 13:45:07,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 13:45:07,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 13:45:07,421 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 13:45:07,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 13:45:07,500 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 13:45:07,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 13:45:07,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 13:45:07,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 13:45:07,531 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 13:45:07,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 13:45:07,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 13:45:07,578 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 13:45:07,578 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 13:45:07,578 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 13:45:07,578 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 13:45:07,578 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 13:45:07,593 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 13:45:07,625 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 13:45:07,625 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 13:45:09,453 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 13:45:09,484 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 13:45:09,515 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 13:45:09,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 13:45:09,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 13:45:09,515 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 13:45:09,515 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 13:45:09,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 13:45:09,531 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 13:45:09,531 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 13:45:09,531 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 13:45:09,531 [root] DEBUG: Started auxiliary module Browser
2020-06-05 13:45:09,531 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 13:45:09,531 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 13:45:09,531 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 13:45:09,531 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 13:45:09,562 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 13:45:09,562 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 13:45:09,562 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 13:45:09,562 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 13:45:10,640 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 13:45:10,640 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 13:45:10,656 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 13:45:10,671 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 13:45:10,671 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 13:45:10,671 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 13:45:10,687 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 13:45:10,687 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 13:45:10,687 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 13:45:10,687 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 13:45:10,687 [root] DEBUG: Started auxiliary module Human
2020-06-05 13:45:10,687 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 13:45:10,703 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 13:45:10,703 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 13:45:10,703 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 13:45:10,703 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 13:45:10,703 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 13:45:10,703 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 13:45:10,703 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 13:45:10,718 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 13:45:10,718 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 13:45:10,718 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 13:45:10,734 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 13:45:10,734 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 13:45:10,734 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 13:45:10,734 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 13:45:10,734 [root] DEBUG: Started auxiliary module Usage
2020-06-05 13:45:10,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 13:45:10,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 13:45:10,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 13:45:10,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 13:45:10,812 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe" with arguments "" with pid 4772
2020-06-05 13:45:10,843 [lib.api.process] INFO: Monitor config for process 4772: C:\tmp558c2t_g\dll\4772.ini
2020-06-05 13:45:10,859 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:10,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:10,968 [root] DEBUG: Loader: Injecting process 4772 (thread 2108) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:10,968 [root] DEBUG: Process image base: 0x00400000
2020-06-05 13:45:10,984 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:10,984 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:11,000 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:11,000 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4772
2020-06-05 13:45:13,000 [lib.api.process] INFO: Successfully resumed process with pid 4772
2020-06-05 13:45:13,218 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:13,234 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:13,234 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:13,234 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4772 at 0x6f9b0000, image base 0x400000, stack from 0x186000-0x190000
2020-06-05 13:45:13,249 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe".
2020-06-05 13:45:13,296 [root] INFO: loaded: b'4772'
2020-06-05 13:45:13,296 [root] INFO: Loaded monitor into process with pid 4772
2020-06-05 13:45:13,296 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:13,296 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:13,296 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:13,296 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:13,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x039A0000 to global list.
2020-06-05 13:45:13,359 [root] DEBUG: DLL loaded at 0x72600000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 13:45:14,046 [root] DEBUG: DLL loaded at 0x703F0000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-06-05 13:45:14,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x04120000 to global list.
2020-06-05 13:45:14,281 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:14,296 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:14,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x104 amd local view 0x03EB0000 to global list.
2020-06-05 13:45:14,562 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 13:45:14,578 [root] DEBUG: DLL unloaded from 0x00400000.
2020-06-05 13:45:25,562 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:25,578 [root] DEBUG: set_caller_info: Adding region at 0x01F90000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:25,625 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1f90000
2020-06-05 13:45:25,625 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01F90000 size 0x400000.
2020-06-05 13:45:25,640 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_1441908052545225562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?0x01F90000;?', ['4772'], 'CAPE')
2020-06-05 13:45:25,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\4772_1441908052545225562020 (size 0xffe)
2020-06-05 13:45:25,687 [root] DEBUG: DumpRegion: Dumped stack region from 0x01F90000, size 0x1000.
2020-06-05 13:45:25,968 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_19912782312545225562020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?0x003F0000;?', ['4772'], 'CAPE')
2020-06-05 13:45:26,031 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\4772_19912782312545225562020 (size 0x337b)
2020-06-05 13:45:26,031 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0x8000.
2020-06-05 13:45:28,781 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 3228
2020-06-05 13:45:28,781 [lib.api.process] INFO: Monitor config for process 3228: C:\tmp558c2t_g\dll\3228.ini
2020-06-05 13:45:28,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:28,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:28,812 [root] DEBUG: Loader: Injecting process 3228 (thread 2508) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:28,843 [root] DEBUG: Process image base: 0x01010000
2020-06-05 13:45:28,843 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 13:45:28,843 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 13:45:28,843 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:28,859 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3228
2020-06-05 13:45:28,968 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 3228
2020-06-05 13:45:28,968 [lib.api.process] INFO: Monitor config for process 3228: C:\tmp558c2t_g\dll\3228.ini
2020-06-05 13:45:28,968 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:28,984 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:29,000 [root] DEBUG: Loader: Injecting process 3228 (thread 2508) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,000 [root] DEBUG: Process image base: 0x01010000
2020-06-05 13:45:29,000 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 13:45:29,000 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 13:45:29,000 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,031 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3228
2020-06-05 13:45:29,031 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 3228
2020-06-05 13:45:29,031 [lib.api.process] INFO: Monitor config for process 3228: C:\tmp558c2t_g\dll\3228.ini
2020-06-05 13:45:29,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:29,062 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:29,062 [root] DEBUG: Loader: Injecting process 3228 (thread 0) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,078 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:29,078 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2508, handle 0xc4
2020-06-05 13:45:29,078 [root] DEBUG: Process image base: 0x01010000
2020-06-05 13:45:29,078 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 13:45:29,078 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 13:45:29,078 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,093 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3228
2020-06-05 13:45:29,093 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_4852073471946225562020', b'4;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?3228;?', ['4772'], 'CAPE')
2020-06-05 13:45:29,109 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 3228
2020-06-05 13:45:29,109 [lib.api.process] INFO: Monitor config for process 3228: C:\tmp558c2t_g\dll\3228.ini
2020-06-05 13:45:29,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:29,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:29,140 [root] DEBUG: Loader: Injecting process 3228 (thread 0) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,140 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7EFDE000 Local PEB 0x7EFDD000 Local TEB 0x7EFDE000: The operation completed successfully.
2020-06-05 13:45:29,140 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2508, handle 0xc4
2020-06-05 13:45:29,140 [root] DEBUG: Process image base: 0x01010000
2020-06-05 13:45:29,156 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 13:45:29,156 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 13:45:29,156 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,156 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3228
2020-06-05 13:45:29,156 [root] INFO: Announced 32-bit process name: RegAsm.exe pid: 3228
2020-06-05 13:45:29,171 [lib.api.process] INFO: Monitor config for process 3228: C:\tmp558c2t_g\dll\3228.ini
2020-06-05 13:45:29,171 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:29,187 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:29,187 [root] DEBUG: Loader: Injecting process 3228 (thread 2508) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,203 [root] DEBUG: Process image base: 0x01010000
2020-06-05 13:45:29,203 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 13:45:29,203 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 13:45:29,203 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:29,203 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3228
2020-06-05 13:45:29,218 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_1106023101946225562020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?3228;?', ['4772'], 'CAPE')
2020-06-05 13:45:29,249 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_21158947601946225562020', b'3;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?3228;?', ['4772'], 'CAPE')
2020-06-05 13:45:29,453 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:29,468 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:29,468 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:29,468 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3228 at 0x6f9b0000, image base 0x1010000, stack from 0x3e6000-0x3f0000
2020-06-05 13:45:29,468 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe".
2020-06-05 13:45:29,531 [root] INFO: loaded: b'3228'
2020-06-05 13:45:29,546 [root] INFO: Loaded monitor into process with pid 3228
2020-06-05 13:45:29,546 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,546 [root] DEBUG: set_caller_info: Adding region at 0x02C10000 to caller regions list (kernel32::GetSystemTime).
2020-06-05 13:45:29,562 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2c10000
2020-06-05 13:45:29,562 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02C10000 size 0x400000.
2020-06-05 13:45:29,562 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_18314337322945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x02C10000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_18314337322945225562020 (size 0x597)
2020-06-05 13:45:29,593 [root] DEBUG: DumpRegion: Dumped stack region from 0x02C10000, size 0x1000.
2020-06-05 13:45:29,593 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_8654128922945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x000A0000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_8654128922945225562020 (size 0x129)
2020-06-05 13:45:29,625 [root] DEBUG: DumpRegion: Dumped stack region from 0x000A0000, size 0x1000.
2020-06-05 13:45:29,640 [root] DEBUG: DLL loaded at 0x029A0000: C:\tmp558c2t_g\dll\VMvPYU (0xd5000 bytes).
2020-06-05 13:45:29,640 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,640 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,640 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,640 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,640 [root] DEBUG: DLL unloaded from 0x029A0000.
2020-06-05 13:45:29,656 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,656 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_17963742402945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x000B0000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,671 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_17963742402945225562020 (size 0x129)
2020-06-05 13:45:29,687 [root] DEBUG: DumpRegion: Dumped stack region from 0x000B0000, size 0x1000.
2020-06-05 13:45:29,687 [root] DEBUG: DLL loaded at 0x029A0000: C:\tmp558c2t_g\dll\VMvPYU (0xd5000 bytes).
2020-06-05 13:45:29,687 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,687 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,687 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,687 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,687 [root] DEBUG: DLL unloaded from 0x029A0000.
2020-06-05 13:45:29,703 [root] DEBUG: set_caller_info: Adding region at 0x001C0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,718 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_6566902632945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x001C0000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_6566902632945225562020 (size 0x129)
2020-06-05 13:45:29,734 [root] DEBUG: DLL loaded at 0x029A0000: C:\tmp558c2t_g\dll\VMvPYU (0xd5000 bytes).
2020-06-05 13:45:29,734 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,750 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,750 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,750 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,750 [root] DEBUG: DLL unloaded from 0x029A0000.
2020-06-05 13:45:29,765 [root] DEBUG: set_caller_info: Adding region at 0x001D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,812 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_5613902322945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x001D0000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_5613902322945225562020 (size 0x129)
2020-06-05 13:45:29,828 [root] DEBUG: DumpRegion: Dumped stack region from 0x001D0000, size 0x1000.
2020-06-05 13:45:29,828 [root] DEBUG: DLL loaded at 0x029A0000: C:\tmp558c2t_g\dll\VMvPYU (0xd5000 bytes).
2020-06-05 13:45:29,843 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,843 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,843 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-06-05 13:45:29,843 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:29,859 [root] DEBUG: DLL unloaded from 0x029A0000.
2020-06-05 13:45:29,859 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 13:45:29,859 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_19725556862945225562020', b'9;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?0x000C0000;?', ['3228'], 'CAPE')
2020-06-05 13:45:29,890 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\dHHjSXgfus\CAPE\3228_19725556862945225562020 (size 0x337b)
2020-06-05 13:45:29,890 [root] DEBUG: DumpRegion: Dumped stack region from 0x000C0000, size 0x100000.
2020-06-05 13:45:33,640 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 13:45:33,671 [root] DEBUG: DLL loaded at 0x72DE0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:33,687 [root] DEBUG: DLL loaded at 0x76B20000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-05 13:45:33,687 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-05 13:45:33,687 [root] DEBUG: DLL loaded at 0x72D80000: C:\Windows\system32\winhttp (0x58000 bytes).
2020-06-05 13:45:33,703 [root] DEBUG: DLL loaded at 0x71250000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 13:45:33,703 [root] DEBUG: DLL unloaded from 0x72D80000.
2020-06-05 13:45:33,718 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-06-05 13:45:33,718 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-06-05 13:45:33,734 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-06-05 13:45:33,734 [root] DEBUG: DLL loaded at 0x72DD0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-06-05 13:45:33,734 [root] DEBUG: DLL loaded at 0x72DC0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-06-05 13:45:33,750 [root] DEBUG: DLL loaded at 0x72D70000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-06-05 13:45:33,750 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:33,765 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-06-05 13:45:33,765 [root] DEBUG: DLL loaded at 0x71240000: C:\Windows\System32\netprofm (0x5a000 bytes).
2020-06-05 13:45:33,765 [root] DEBUG: DLL loaded at 0x72D50000: C:\Windows\System32\nlaapi (0x10000 bytes).
2020-06-05 13:45:33,781 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-06-05 13:45:33,781 [root] DEBUG: DLL loaded at 0x71220000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 13:45:33,796 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-06-05 13:45:33,796 [root] DEBUG: DLL loaded at 0x762F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-06-05 13:45:33,812 [root] DEBUG: DLL loaded at 0x71210000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-06-05 13:45:33,812 [root] DEBUG: DLL loaded at 0x74360000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 13:45:33,828 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 13:45:33,843 [root] DEBUG: DLL loaded at 0x73920000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 13:45:33,843 [root] DEBUG: DLL loaded at 0x71200000: C:\Windows\System32\npmproxy (0x8000 bytes).
2020-06-05 13:45:34,406 [root] DEBUG: DLL loaded at 0x711C0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-06-05 13:45:34,421 [root] DEBUG: DLL loaded at 0x73950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\Comctl32 (0x19e000 bytes).
2020-06-05 13:45:34,437 [root] DEBUG: DLL unloaded from 0x743C0000.
2020-06-05 13:45:34,437 [root] DEBUG: DLL unloaded from 0x72DD0000.
2020-06-05 13:45:34,453 [root] DEBUG: DLL loaded at 0x711B0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-06-05 13:45:34,453 [root] DEBUG: DLL unloaded from 0x74360000.
2020-06-05 13:45:34,453 [root] DEBUG: DLL loaded at 0x71160000: C:\Windows\SysWOW64\schannel (0x41000 bytes).
2020-06-05 13:45:35,125 [root] DEBUG: DLL loaded at 0x71120000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-06-05 13:45:35,125 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 13:45:35,140 [root] DEBUG: DLL loaded at 0x710E0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-06-05 13:45:35,140 [root] DEBUG: DLL loaded at 0x76740000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2020-06-05 13:45:35,171 [root] DEBUG: DLL loaded at 0x710C0000: C:\Windows\system32\GPAPI (0x16000 bytes).
2020-06-05 13:45:35,187 [root] DEBUG: DLL loaded at 0x710A0000: C:\Windows\system32\cryptnet (0x1d000 bytes).
2020-06-05 13:45:35,203 [root] DEBUG: DLL loaded at 0x75F60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-05 13:45:35,203 [root] DEBUG: DLL loaded at 0x71090000: C:\Windows\system32\SensApi (0x6000 bytes).
2020-06-05 13:45:35,218 [root] DEBUG: DLL loaded at 0x71030000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-06-05 13:45:35,218 [root] DEBUG: DLL loaded at 0x70FE0000: C:\Windows\system32\webio (0x50000 bytes).
2020-06-05 13:45:35,218 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:35,218 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:36,343 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157', '', False, 'files')
2020-06-05 13:45:36,359 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157', '', False, 'files')
2020-06-05 13:45:36,375 [root] DEBUG: DLL unloaded from 0x710A0000.
2020-06-05 13:45:36,515 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:37,359 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203', '', False, 'files')
2020-06-05 13:45:37,375 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203', '', False, 'files')
2020-06-05 13:45:37,390 [root] DEBUG: DLL unloaded from 0x710A0000.
2020-06-05 13:45:39,265 [root] WARNING: Unable to open termination event for pid 4772.
2020-06-05 13:45:39,265 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\~DFF8C4686B686B1523.TMP', '', False, 'files')
2020-06-05 13:45:39,343 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\4772_9915369662447225562020|4772|0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?'
2020-06-05 13:45:39,343 [root] INFO: cape
2020-06-05 13:45:39,343 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_9915369662447225562020', b'0;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO _6202020.exe;?', ['4772'], 'procdump')
2020-06-05 13:45:39,359 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\4772_9915369662447225562020', '', False, 'files')
2020-06-05 13:45:39,500 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:39,906 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F', '', False, 'files')
2020-06-05 13:45:39,953 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F', '', False, 'files')
2020-06-05 13:45:39,984 [root] DEBUG: DLL unloaded from 0x710A0000.
2020-06-05 13:45:40,656 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3444.
2020-06-05 13:45:40,687 [root] DEBUG: set_caller_info: Adding region at 0x221C0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-05 13:45:40,703 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-05 13:45:40,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5b4 amd local view 0x732A0000 to global list.
2020-06-05 13:45:40,734 [root] DEBUG: DLL loaded at 0x732A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-05 13:45:40,734 [root] DEBUG: DLL unloaded from 0x75E80000.
2020-06-05 13:45:40,750 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-06-05 13:45:40,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 amd local view 0x70A20000 to global list.
2020-06-05 13:45:40,781 [root] DEBUG: DLL loaded at 0x70A20000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-05 13:45:40,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5b0 amd local view 0x70980000 to global list.
2020-06-05 13:45:40,796 [root] DEBUG: DLL loaded at 0x70980000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-05 13:45:40,828 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3228, handle 0x5c0.
2020-06-05 13:45:40,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5bc amd local view 0x006D0000 to global list.
2020-06-05 13:45:40,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x5c4 amd local view 0x006E0000 to global list.
2020-06-05 13:45:40,859 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3560.
2020-06-05 13:45:40,875 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:40,875 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:40,890 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:40,906 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3592.
2020-06-05 13:45:40,906 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:40,906 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:40,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x668 amd local view 0x6FE80000 to global list.
2020-06-05 13:45:40,937 [root] DEBUG: DLL loaded at 0x6FE80000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-05 13:45:40,953 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-05 13:45:40,953 [root] DEBUG: set_caller_info: Adding region at 0x22560000 to caller regions list (kernel32::SetErrorMode).
2020-06-05 13:45:40,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x66c amd local view 0x008A0000 to global list.
2020-06-05 13:45:40,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x664 amd local view 0x008F0000 to global list.
2020-06-05 13:45:41,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x674 amd local view 0x6F200000 to global list.
2020-06-05 13:45:41,000 [root] DEBUG: DLL loaded at 0x6F200000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-05 13:45:41,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F070000 for section view with handle 0x674.
2020-06-05 13:45:41,015 [root] DEBUG: DLL loaded at 0x6F070000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-05 13:45:41,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6E490000 for section view with handle 0x674.
2020-06-05 13:45:41,031 [root] DEBUG: DLL loaded at 0x6E490000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-05 13:45:41,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FE20000 for section view with handle 0x674.
2020-06-05 13:45:41,062 [root] DEBUG: DLL loaded at 0x6FE20000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-05 13:45:41,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x678 amd local view 0x6E2F0000 to global list.
2020-06-05 13:45:41,093 [root] DEBUG: DLL loaded at 0x6E2F0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-05 13:45:41,156 [root] DEBUG: set_caller_info: Adding region at 0x00920000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 13:45:41,234 [root] DEBUG: set_caller_info: Adding region at 0x00700000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 13:45:41,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x67c amd local view 0x6DE20000 to global list.
2020-06-05 13:45:41,937 [root] DEBUG: set_caller_info: Adding region at 0x00980000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 13:45:41,953 [root] DEBUG: DLL loaded at 0x6FE10000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-05 13:45:41,984 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\\run.dat', '', False, 'files')
2020-06-05 13:45:42,046 [root] INFO: ('dump_file', 'C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe', '', False, 'files')
2020-06-05 13:45:42,109 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x6a8 amd local view 0x00990000 to global list.
2020-06-05 13:45:42,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x6b0 amd local view 0x00B20000 to global list.
2020-06-05 13:45:42,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x6bc amd local view 0x6FAF0000 to global list.
2020-06-05 13:45:42,234 [root] DEBUG: DLL loaded at 0x6FAF0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2020-06-05 13:45:42,328 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp8047.tmp', '', False, 'files')
2020-06-05 13:45:42,437 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3836
2020-06-05 13:45:42,437 [lib.api.process] INFO: Monitor config for process 3836: C:\tmp558c2t_g\dll\3836.ini
2020-06-05 13:45:42,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:42,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:42,500 [root] DEBUG: Loader: Injecting process 3836 (thread 4140) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,500 [root] DEBUG: Process image base: 0x00A40000
2020-06-05 13:45:42,515 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,515 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:42,531 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,531 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3836
2020-06-05 13:45:42,609 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp".
2020-06-05 13:45:42,625 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3836, ImageBase: 0x00A40000
2020-06-05 13:45:42,625 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3836
2020-06-05 13:45:42,625 [lib.api.process] INFO: Monitor config for process 3836: C:\tmp558c2t_g\dll\3836.ini
2020-06-05 13:45:42,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:42,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:42,671 [root] DEBUG: Loader: Injecting process 3836 (thread 4140) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,687 [root] DEBUG: Process image base: 0x00A40000
2020-06-05 13:45:42,703 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,703 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:42,703 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:42,718 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3836
2020-06-05 13:45:42,796 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:42,843 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:42,890 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:42,906 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:42,921 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3836 at 0x6f9b0000, image base 0xa40000, stack from 0x206000-0x210000
2020-06-05 13:45:42,921 [root] DEBUG: Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\"schtasks.exe" \create \f \tn "SCSI Subsystem" \xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp".
2020-06-05 13:45:42,968 [root] INFO: loaded: b'3836'
2020-06-05 13:45:42,968 [root] INFO: Loaded monitor into process with pid 3836
2020-06-05 13:45:43,000 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-06-05 13:45:43,000 [root] DEBUG: DLL unloaded from 0x00A40000.
2020-06-05 13:45:43,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x035D0000 to global list.
2020-06-05 13:45:43,031 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3836).
2020-06-05 13:45:43,046 [root] INFO: Stopping Task Scheduler Service
2020-06-05 13:45:43,296 [root] INFO: Stopped Task Scheduler Service
2020-06-05 13:45:43,375 [root] INFO: Starting Task Scheduler Service
2020-06-05 13:45:43,515 [root] INFO: Started Task Scheduler Service
2020-06-05 13:45:43,531 [lib.api.process] INFO: Monitor config for process 840: C:\tmp558c2t_g\dll\840.ini
2020-06-05 13:45:43,593 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp558c2t_g\dll\EFKECXL.dll, loader C:\tmp558c2t_g\bin\PkKtnOZk.exe
2020-06-05 13:45:43,656 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:43,656 [root] DEBUG: Loader: Injecting process 840 (thread 0) with C:\tmp558c2t_g\dll\EFKECXL.dll.
2020-06-05 13:45:43,671 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDF000 Local PEB 0x000007FFFFFDD000 Local TEB 0x000007FFFFFDF000: The operation completed successfully.
2020-06-05 13:45:43,671 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 844, handle 0xa8
2020-06-05 13:45:43,671 [root] DEBUG: Process image base: 0x00000000FF500000
2020-06-05 13:45:43,671 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-05 13:45:43,687 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 13:45:43,703 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:43,718 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:43,734 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:43,750 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 840 at 0x000000006E1F0000, image base 0x00000000FF500000, stack from 0x0000000002676000-0x0000000002680000
2020-06-05 13:45:43,750 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-05 13:45:43,812 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-05 13:45:43,828 [root] WARNING: b'Unable to hook LockResource'
2020-06-05 13:45:43,843 [root] INFO: loaded: b'840'
2020-06-05 13:45:43,843 [root] INFO: Loaded monitor into process with pid 840
2020-06-05 13:45:43,859 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 13:45:43,890 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 13:45:43,890 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\EFKECXL.dll.
2020-06-05 13:45:45,890 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:45,906 [root] DEBUG: DLL loaded at 0x73610000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-06-05 13:45:46,750 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3836
2020-06-05 13:45:46,750 [root] DEBUG: GetHookCallerBase: thread 4140 (handle 0x0), return address 0x00A57569, allocation base 0x00A40000.
2020-06-05 13:45:46,750 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00A40000.
2020-06-05 13:45:46,750 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-05 13:45:46,750 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00A40000.
2020-06-05 13:45:46,750 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-06-05 13:45:46,765 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\3836_1669414862646225562020|3836|0;?C:\\Windows\\SysWOW64\\schtasks.exe;?C:\\Windows\\SysWOW64\\schtasks.exe;?'
2020-06-05 13:45:46,765 [root] INFO: cape
2020-06-05 13:45:46,781 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3836_1669414862646225562020', b'0;?C:\\Windows\\SysWOW64\\schtasks.exe;?C:\\Windows\\SysWOW64\\schtasks.exe;?', ['3836'], 'procdump')
2020-06-05 13:45:46,796 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3836_1669414862646225562020', '', False, 'files')
2020-06-05 13:45:46,812 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-06-05 13:45:46,812 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-06-05 13:45:46,890 [root] WARNING: Unable to open termination event for pid 3836.
2020-06-05 13:45:46,906 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp8047.tmp')
2020-06-05 13:45:46,906 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp8047.tmp', '', False, 'files')
2020-06-05 13:45:46,921 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\\task.dat', '', False, 'files')
2020-06-05 13:45:46,953 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9249.tmp', '', False, 'files')
2020-06-05 13:45:46,984 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 972
2020-06-05 13:45:46,984 [lib.api.process] INFO: Monitor config for process 972: C:\tmp558c2t_g\dll\972.ini
2020-06-05 13:45:47,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:47,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:47,015 [root] DEBUG: Loader: Injecting process 972 (thread 108) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,031 [root] DEBUG: Process image base: 0x009E0000
2020-06-05 13:45:47,031 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,031 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 13:45:47,031 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,031 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 972
2020-06-05 13:45:47,078 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp".
2020-06-05 13:45:47,078 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF01F0000 to caller regions list (msvcrt::memcpy).
2020-06-05 13:45:47,078 [root] DEBUG: CreateProcessHandler: Injection info set for new process 972, ImageBase: 0x009E0000
2020-06-05 13:45:47,078 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF01F0000 skipped.
2020-06-05 13:45:47,078 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 972
2020-06-05 13:45:47,078 [lib.api.process] INFO: Monitor config for process 972: C:\tmp558c2t_g\dll\972.ini
2020-06-05 13:45:47,078 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\VMvPYU.dll, loader C:\tmp558c2t_g\bin\EyGtxpC.exe
2020-06-05 13:45:47,109 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\lXqkKfgj.
2020-06-05 13:45:47,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xb6c amd local view 0x0000000006260000 to global list.
2020-06-05 13:45:47,125 [root] DEBUG: Loader: Injecting process 972 (thread 108) with C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,125 [root] DEBUG: Process image base: 0x009E0000
2020-06-05 13:45:47,187 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,187 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 13:45:47,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4c amd local view 0x0000000000AB0000 to global list.
2020-06-05 13:45:47,265 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\VMvPYU.dll.
2020-06-05 13:45:47,265 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 972
2020-06-05 13:45:47,328 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 13:45:47,375 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 13:45:47,421 [root] INFO: Disabling sleep skipping.
2020-06-05 13:45:47,421 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 13:45:47,421 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 972 at 0x6f9b0000, image base 0x9e0000, stack from 0x1c6000-0x1d0000
2020-06-05 13:45:47,421 [root] DEBUG: Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\"schtasks.exe" \create \f \tn "SCSI Subsystem Task" \xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp".
2020-06-05 13:45:47,484 [root] INFO: loaded: b'972'
2020-06-05 13:45:47,500 [root] INFO: Loaded monitor into process with pid 972
2020-06-05 13:45:47,500 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-06-05 13:45:47,500 [root] DEBUG: DLL unloaded from 0x009E0000.
2020-06-05 13:45:47,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x03630000 to global list.
2020-06-05 13:45:47,515 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 972).
2020-06-05 13:45:47,531 [root] DEBUG: DLL loaded at 0x761C0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 13:45:47,531 [root] DEBUG: DLL loaded at 0x73610000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-06-05 13:45:47,984 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 972
2020-06-05 13:45:47,984 [root] DEBUG: GetHookCallerBase: thread 108 (handle 0x0), return address 0x009F7569, allocation base 0x009E0000.
2020-06-05 13:45:47,984 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x009E0000.
2020-06-05 13:45:47,984 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-05 13:45:48,000 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x009E0000.
2020-06-05 13:45:48,000 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-06-05 13:45:48,015 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\972_0846225562020|972|0;?C:\\Windows\\SysWOW64\\schtasks.exe;?C:\\Windows\\SysWOW64\\schtasks.exe;?'
2020-06-05 13:45:48,015 [root] INFO: cape
2020-06-05 13:45:48,015 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\972_0846225562020', b'0;?C:\\Windows\\SysWOW64\\schtasks.exe;?C:\\Windows\\SysWOW64\\schtasks.exe;?', ['972'], 'procdump')
2020-06-05 13:45:48,062 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\972_0846225562020', '', False, 'files')
2020-06-05 13:45:48,109 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-06-05 13:45:48,125 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-06-05 13:45:48,125 [root] WARNING: Unable to open termination event for pid 972.
2020-06-05 13:45:48,140 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9249.tmp')
2020-06-05 13:45:48,140 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9249.tmp', '', False, 'files')
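The two schtasks sequences above are the persistence chain worth pulling out of this log: the sample writes a task definition to %Temp% (tmp8047.tmp, then tmp9249.tmp), registers it with `schtasks.exe /create /f /tn "<name>" /xml "<temp path>"`, and deletes the XML a few seconds later; the analyzer's delete hook dumps the file on deletion (the `dump_file` entry directly follows each `delete_file`), so the task definition survives among the dropped files even though it is gone from disk. Alongside it the sample drops run.dat and task.dat under a GUID-named directory in Roaming and a copy of itself as scsiss.exe under Program Files (x86). The following is an added example, not part of the CAPE log or of CAPE's code: a small Python parser that reads analyzer log lines of the shapes seen here and flags that chain, plus the supporting drops. The sample lines inside it are constructed to mirror the shapes and command lines on this page (fewer lines, same paths), the regexes and the temp-directory and GUID-directory heuristics are this example's own assumptions, and it matches on the `CreateProcessHandler: using lpCommandLine:` line rather than the later `Commandline:` line, which the injected monitor prints with a .NET path prefix and backslash switches and is not the string the sample actually passed.

```python
import ast
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines modelled on the analyzer log above (same event shapes and
# command lines, fewer lines). They are input for this example, not a copy of the page's log.
SAMPLE_LOG = r"""
2020-06-05 13:45:41,984 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\\run.dat', '', False, 'files')
2020-06-05 13:45:42,046 [root] INFO: ('dump_file', 'C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe', '', False, 'files')
2020-06-05 13:45:42,328 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp8047.tmp', '', False, 'files')
2020-06-05 13:45:42,609 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp".
2020-06-05 13:45:46,906 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp8047.tmp')
2020-06-05 13:45:46,921 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\\task.dat', '', False, 'files')
2020-06-05 13:45:46,953 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9249.tmp', '', False, 'files')
2020-06-05 13:45:47,078 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp".
2020-06-05 13:45:48,140 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9249.tmp')
"""

# Assumed line shapes (this example's own regexes, derived from the lines above).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<logger>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
CMDLINE_RE = re.compile(r"CreateProcessHandler: using lpCommandLine: (?P<cmd>.*)\.$")
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
XML_RE = re.compile(r'/xml\s+"([^"]+)"', re.I)
GUID_DIR_RE = re.compile(r"\\[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\\", re.I)


@dataclass
class Event:
    ts: str
    kind: str   # 'dump_file', 'delete_file' or 'process'
    path: str   # file path, or the full command line for 'process'


@dataclass
class Finding:
    ts: str
    task_name: str
    xml_path: str
    xml_from_temp: bool       # task definition written to a temp directory
    xml_captured: bool        # a dump_file for the XML preceded the schtasks call
    xml_deleted_after: bool   # the XML was deleted once the task was registered


def parse_log(text: str) -> List[Event]:
    """Turn analyzer log lines into a flat event list; lines of other kinds are ignored."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("('dump_file'") or msg.startswith("('delete_file'"):
            # The analyzer logs these as Python tuple reprs, so literal_eval recovers the
            # real path with single backslashes (it also copes with the b'...' metadata field).
            tup = ast.literal_eval(msg)
            events.append(Event(m.group("ts"), tup[0], tup[1]))
        else:
            c = CMDLINE_RE.search(msg)
            if c:
                events.append(Event(m.group("ts"), "process", c.group("cmd")))
    return events


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def find_schtasks_persistence(events: List[Event]) -> List[Finding]:
    """Flag schtasks /create calls that register a task from an XML file, and record whether
    the sandbox captured that XML before the sample deleted it."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        if ev.kind != "process":
            continue
        cmd = ev.path.lower()
        if "schtasks" not in cmd or "/create" not in cmd:
            continue
        xml = XML_RE.search(ev.path)
        if not xml:
            continue
        xml_path = xml.group(1)
        tn = TN_RE.search(ev.path)
        captured = any(e.kind == "dump_file" and e.path.lower() == xml_path.lower()
                       for e in events[:i])
        deleted = any(e.kind == "delete_file" and e.path.lower() == xml_path.lower()
                      for e in events[i + 1:])
        findings.append(Finding(ev.ts, tn.group(1) if tn else "", xml_path,
                                is_temp_path(xml_path), captured, deleted))
    return findings


def supporting_indicators(events: List[Event]) -> Dict[str, List[str]]:
    """Other drops worth pulling from the same log: data files under a GUID-named directory
    in Roaming, and executables written under Program Files."""
    drops = [e.path for e in events if e.kind == "dump_file"]
    guid_dir_files = sorted({p for p in drops
                             if "\\appdata\\roaming\\" in p.lower() and GUID_DIR_RE.search(p)})
    program_files_exes = sorted({p for p in drops
                                 if p.lower().startswith("c:\\program files")
                                 and p.lower().endswith(".exe")})
    return {"guid_dir_files": guid_dir_files, "program_files_exes": program_files_exes}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_schtasks_persistence(evs):
        print(f"{f.ts} task {f.task_name!r} from {f.xml_path} "
              f"temp={f.xml_from_temp} captured={f.xml_captured} deleted_after={f.xml_deleted_after}")
    print(supporting_indicators(evs))
```

Run against the constructed lines it reports both tasks ("SCSI Subsystem" and "SCSI Subsystem Task") as registered from a temp-directory XML that was captured before use and deleted afterwards, and lists scsiss.exe and the two GUID-directory .dat files as supporting drops. The `xml_captured` flag is the part that matters for triage: when it is false the task definition exists only in the Task Scheduler store, and the dropped-files list will not contain it.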
2020-06-05 13:45:48,171 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3920.
2020-06-05 13:45:48,171 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:48,171 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:48,171 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:48,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x6f4 amd local view 0x6FE00000 to global list.
2020-06-05 13:45:48,421 [root] DEBUG: DLL loaded at 0x6FE00000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-05 13:45:48,437 [root] DEBUG: DLL unloaded from 0x6FE00000.
2020-06-05 13:45:48,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x002F0000 for section view with handle 0x6f4.
2020-06-05 13:45:48,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00200000 for section view with handle 0x6f4.
2020-06-05 13:45:48,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2932.
2020-06-05 13:45:48,515 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:45:48,531 [root] DEBUG: CreateThread: Initialising breakpoints for thread 264.
2020-06-05 13:45:48,531 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:48,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x72c amd local view 0x00210000 to global list.
2020-06-05 13:45:48,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x728 amd local view 0x00210000 to global list.
2020-06-05 13:45:48,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x730 amd local view 0x00390000 to global list.
2020-06-05 13:45:48,656 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1076.
2020-06-05 13:45:48,656 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:48,656 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:48,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x73c amd local view 0x00AC0000 to global list.
2020-06-05 13:45:48,843 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x690 amd local view 0x6E0F0000 to global list.
2020-06-05 13:45:48,859 [root] DEBUG: DLL loaded at 0x6E0F0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d22616370e881379e5a7c30ee1e75a6\System.Configuration.ni (0xf3000 bytes).
2020-06-05 13:45:48,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6DBB0000 for section view with handle 0x690.
2020-06-05 13:45:48,890 [root] DEBUG: DLL loaded at 0x6DBB0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni (0x53b000 bytes).
2020-06-05 13:45:48,906 [root] DEBUG: set_caller_info: Adding region at 0x6DBB0000 to caller regions list (ntdll::memcpy).
2020-06-05 13:45:48,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x75c amd local view 0x00F40000 to global list.
2020-06-05 13:45:49,625 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4436.
2020-06-05 13:45:49,625 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:49,625 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:49,671 [root] DEBUG: set_caller_info: Adding region at 0x00750000 to caller regions list (mswsock::ConnectEx).
2020-06-05 13:45:50,515 [root] DEBUG: set_caller_info: Adding region at 0x00210000 to caller regions list (ws2_32::closesocket).
2020-06-05 13:45:52,671 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4208.
2020-06-05 13:45:52,671 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:52,671 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:45:57,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2940.
2020-06-05 13:45:57,187 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:45:57,187 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:00,859 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5080000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-05 13:46:00,859 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5080000 skipped.
2020-06-05 13:46:01,687 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2184.
2020-06-05 13:46:01,687 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:01,687 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:03,843 [root] DEBUG: DLL unloaded from 0x76C30000.
2020-06-05 13:46:03,953 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6E90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-05 13:46:03,953 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF6E90000 skipped.
2020-06-05 13:46:04,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4356.
2020-06-05 13:46:04,187 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:46:04,203 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:04,203 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:06,687 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5A90000 to caller regions list (msvcrt::memcpy).
2020-06-05 13:46:06,687 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5A90000 skipped.
2020-06-05 13:46:07,390 [root] DEBUG: DLL unloaded from 0x710A0000.
2020-06-05 13:46:07,390 [root] DEBUG: DLL unloaded from 0x76770000.
2020-06-05 13:46:10,203 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4304.
2020-06-05 13:46:10,218 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:46:10,234 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:10,234 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:14,234 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4496.
2020-06-05 13:46:14,234 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:14,234 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:18,734 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1996.
2020-06-05 13:46:18,734 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:18,750 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:23,265 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2316.
2020-06-05 13:46:23,265 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:23,265 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:27,281 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4216.
2020-06-05 13:46:27,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:27,281 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:31,796 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4088.
2020-06-05 13:46:31,812 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:31,812 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:35,812 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1624.
2020-06-05 13:46:35,828 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:35,828 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:36,375 [root] DEBUG: DLL unloaded from 0x71030000.
2020-06-05 13:46:40,328 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4068.
2020-06-05 13:46:40,343 [root] DEBUG: DLL unloaded from 0x77290000.
2020-06-05 13:46:40,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:40,343 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:43,343 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2956.
2020-06-05 13:46:43,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:43,359 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:48,859 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4672.
2020-06-05 13:46:48,859 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:48,859 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:52,859 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3512.
2020-06-05 13:46:52,859 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:52,859 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:57,359 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3340.
2020-06-05 13:46:57,375 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:46:57,375 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:46:59,265 [root] DEBUG: DLL unloaded from 0x000007FEFBFD0000.
2020-06-05 13:47:00,375 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3520.
2020-06-05 13:47:00,375 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:00,375 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:03,875 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3400.
2020-06-05 13:47:03,875 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:03,875 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:10,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4132.
2020-06-05 13:47:14,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3540.
2020-06-05 13:47:14,500 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:14,500 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:19,000 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4032.
2020-06-05 13:47:19,015 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:19,015 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:23,015 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3648.
2020-06-05 13:47:23,031 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:23,031 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:27,531 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3452.
2020-06-05 13:47:27,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:27,531 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:31,531 [root] DEBUG: CreateThread: Initialising breakpoints for thread 836.
2020-06-05 13:47:31,531 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:31,531 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:34,078 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2120.
2020-06-05 13:47:34,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:34,093 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:40,093 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2516.
2020-06-05 13:47:40,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:40,093 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:44,593 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4728.
2020-06-05 13:47:44,593 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:44,593 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:47,093 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4060.
2020-06-05 13:47:47,109 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:47,109 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:52,687 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4824.
2020-06-05 13:47:52,703 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:52,703 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:47:57,203 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4880.
2020-06-05 13:47:57,203 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:47:57,218 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:01,265 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4112.
2020-06-05 13:48:03,796 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3208.
2020-06-05 13:48:03,796 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:03,796 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:09,796 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4712.
2020-06-05 13:48:09,796 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:09,796 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:14,343 [root] DEBUG: CreateThread: Initialising breakpoints for thread 596.
2020-06-05 13:48:14,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:14,343 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:18,343 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4692.
2020-06-05 13:48:18,343 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:18,343 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:22,843 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3040.
2020-06-05 13:48:22,843 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:22,843 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:26,843 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2716.
2020-06-05 13:48:26,843 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:26,843 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:31,343 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3792.
2020-06-05 13:48:31,359 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3228.
2020-06-05 13:48:31,359 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3228.
2020-06-05 13:48:33,687 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 13:48:33,687 [lib.api.process] ERROR: Failed to open terminate event for pid 4772
2020-06-05 13:48:33,687 [root] INFO: Terminate event set for process 4772.
2020-06-05 13:48:33,687 [lib.api.process] INFO: Terminate event set for process 3228
2020-06-05 13:48:33,687 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 3228).
2020-06-05 13:48:33,687 [root] DEBUG: ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x3007ad0.
2020-06-05 13:48:33,687 [root] DEBUG: Terminate Event: Attempting to dump process 3228
2020-06-05 13:48:33,687 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x01010000.
2020-06-05 13:48:33,703 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x01011000
2020-06-05 13:48:33,734 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-05 13:48:33,734 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01010000.
2020-06-05 13:48:33,750 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\3228_9330452603348195562020|3228|0;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?'
2020-06-05 13:48:33,750 [root] INFO: cape
2020-06-05 13:48:33,765 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_9330452603348195562020', b'0;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?', ['3228'], 'procdump')
2020-06-05 13:48:33,812 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_9330452603348195562020', '', False, 'files')
2020-06-05 13:48:33,812 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-05 13:48:33,812 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x01010000, dumping memory region.
2020-06-05 13:48:33,812 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x00400000.
2020-06-05 13:48:33,812 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-05 13:48:33,828 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-05 13:48:33,828 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001E792.
2020-06-05 13:48:33,843 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\3228_2453039373348195562020|3228|0;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?'
2020-06-05 13:48:33,843 [root] INFO: cape
2020-06-05 13:48:33,843 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_2453039373348195562020', b'0;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe;?', ['3228'], 'procdump')
2020-06-05 13:48:33,906 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1268.
2020-06-05 13:48:33,921 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\3228_2453039373348195562020', '', False, 'files')
2020-06-05 13:48:33,937 [lib.api.process] INFO: Termination confirmed for process 3228
2020-06-05 13:48:33,937 [root] INFO: Terminate event set for process 3228.
2020-06-05 13:48:33,937 [lib.api.process] ERROR: Failed to open terminate event for pid 3836
2020-06-05 13:48:33,953 [root] INFO: Terminate event set for process 3836.
2020-06-05 13:48:33,953 [lib.api.process] INFO: Terminate event set for process 840
2020-06-05 13:48:33,953 [root] DEBUG: Terminate Event: Attempting to dump process 840
2020-06-05 13:48:33,953 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF500000.
2020-06-05 13:48:33,953 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-05 13:48:33,968 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF500000.
2020-06-05 13:48:33,968 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-06-05 13:48:33,984 [root] INFO: b'C:\\dHHjSXgfus\\CAPE\\840_5527654003348195562020|840|0;?C:\\Windows\\sysnative\\svchost.exe;?C:\\Windows\\sysnative\\svchost.exe;?'
2020-06-05 13:48:33,984 [root] INFO: cape
2020-06-05 13:48:33,984 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\840_5527654003348195562020', b'0;?C:\\Windows\\sysnative\\svchost.exe;?C:\\Windows\\sysnative\\svchost.exe;?', ['840'], 'procdump')
2020-06-05 13:48:34,000 [root] INFO: ('dump_file', 'C:\\dHHjSXgfus\\CAPE\\840_5527654003348195562020', '', False, 'files')
2020-06-05 13:48:34,015 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-05 13:48:34,015 [lib.api.process] INFO: Termination confirmed for process 840
2020-06-05 13:48:34,015 [root] INFO: Terminate event set for process 840.
2020-06-05 13:48:34,015 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 840
2020-06-05 13:48:34,015 [lib.api.process] ERROR: Failed to open terminate event for pid 972
2020-06-05 13:48:34,031 [root] INFO: Terminate event set for process 972.
2020-06-05 13:48:34,031 [root] INFO: Created shutdown mutex.
2020-06-05 13:48:35,031 [root] INFO: Shutting down package.
2020-06-05 13:48:35,031 [root] INFO: Stopping auxiliary modules.
2020-06-05 13:48:35,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec8 amd local view 0x0000000006260000 to global list.
2020-06-05 13:48:35,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1308 amd local view 0x000000004A2B0000 to global list.
2020-06-05 13:48:35,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0x1308.
2020-06-05 13:48:35,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x000000004ABF0000 for section view with handle 0x1308.
2020-06-05 13:48:35,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0x1308.
2020-06-05 13:48:35,296 [lib.common.results] WARNING: File C:\dHHjSXgfus\bin\procmon.xml doesn't exist anymore
2020-06-05 13:48:35,296 [root] INFO: Finishing auxiliary modules.
2020-06-05 13:48:35,296 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 13:48:35,296 [root] INFO: Uploading files at path "C:\dHHjSXgfus\debugger" 
2020-06-05 13:48:35,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x000000004A100000 for section view with handle 0x1308.
2020-06-05 13:48:35,312 [root] INFO: Analysis completed.
2020-06-05 13:48:35,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000AB0000 for section view with handle 0x1308.

Machine

Name Label Manager Started On Shutdown On
win7x64_3 win7x64_7 KVM 2020-06-05 13:59:04 2020-06-05 14:05:36

File Details

File Name PO _6202020.exe
File Size 81920 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
PE timestamp 2015-01-07 18:15:58
MD5 2a45a1584510256d4f4f838368433960
SHA1 f42cb4d0b68191a1b1fa91c0d51df30524f3873b
SHA256 743b0bd67e604e9e69acffcc8c7d56d8294de21c11c1a16cbeea94f82b6e5fa4
SHA512 8087599d1133f54820679f1a0a4641e327e77c8a8c91f30d70d65cd9c271514315f04920c89bd79fae01e1dfafc1a066039e496de4bb835a796ee0f101eea4f5
CRC32 BCE66AB7
Ssdeep 1536:ApXDrdLtwJT69XSjwDwvtwvpy9Jyx3QnL4P0:ANrdhSTyNE1upy9B7

Signatures

Behavioural detection: Executable code extraction - unpacking
SetUnhandledExceptionFilter detected (possible anti-debug)
Attempts to connect to a dead IP:Port (3 unique times)
IP: 205.185.216.10:80
IP: 72.21.91.29:80
IP: 79.134.225.77:37273 (Switzerland)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3228 triggered the Yara rule 'NanoCore'
Hit: PID 4772 triggered the Yara rule 'shellcode_patterns'
Hit: PID 4772 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 4772 triggered the Yara rule 'GuLoader'
Creates RWX memory
NtSetInformationThread: attempt to hide thread from debugger
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: RegAsm.exe tried to sleep 755.488 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: asycfilt.dll/FilterCreateInstance
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: VERSION.DLL/VerQueryValueA
DynamicLoader: VERSION.DLL/GetFileVersionInfoSizeA
DynamicLoader: VERSION.DLL/GetFileVersionInfoA
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: SHLWAPI.dll/UrlGetPartW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: profapi.dll/
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: MSCOREE.DLL/_CorExeMain
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: UxTheme.dll/IsAppThemed
DynamicLoader: UxTheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: USER32.dll/GetWindowTextLength
DynamicLoader: USER32.dll/GetWindowTextLengthW
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: KERNEL32.dll/GetStartupInfo
DynamicLoader: KERNEL32.dll/GetStartupInfoW
DynamicLoader: USER32.dll/GetWindowPlacement
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/RedrawWindow
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/IsWindowUnicode
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetFocus
DynamicLoader: KERNEL32.dll/GetModuleFileName
DynamicLoader: KERNEL32.dll/GetModuleFileNameW
DynamicLoader: KERNEL32.dll/SetCurrentDirectory
DynamicLoader: KERNEL32.dll/SetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/FindResourceEx
DynamicLoader: KERNEL32.dll/FindResourceExA
DynamicLoader: KERNEL32.dll/LoadResource
DynamicLoader: KERNEL32.dll/SizeofResource
DynamicLoader: KERNEL32.dll/LockResource
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/CreateDirectory
DynamicLoader: KERNEL32.dll/CreateDirectoryW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueEx
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: mscoreei.dll/DllGetClassObject_RetAddr
DynamicLoader: mscoreei.dll/DllGetClassObject
DynamicLoader: diasymreader.dll/DllGetClassObjectInternal
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentDirectory
DynamicLoader: KERNEL32.dll/GetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: KERNEL32.dll/GetExitCodeProcess
DynamicLoader: KERNEL32.dll/GetExitCodeProcessW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileA
DynamicLoader: KERNEL32.dll/GetSystemInfo
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/GetKeyboardLayout
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: USER32.dll/RegisterRawInputDevices
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: WS2_32.dll/WSAStartup
DynamicLoader: WS2_32.dll/WSASocket
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/WSAEventSelect
DynamicLoader: WS2_32.dll/ioctlsocket
DynamicLoader: WS2_32.dll/closesocket
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptor
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CreateFileMapping
DynamicLoader: KERNEL32.dll/CreateFileMappingW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/MapViewOfFile
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: ADVAPI32.dll/CreateWellKnownSidW
DynamicLoader: KERNEL32.dll/WaitForSingleObject
DynamicLoader: KERNEL32.dll/OpenMutex
DynamicLoader: KERNEL32.dll/OpenMutexW
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: KERNEL32.dll/GetProcessTimes
DynamicLoader: KERNEL32.dll/GetProcessTimesW
DynamicLoader: WS2_32.dll/getaddrinfo
DynamicLoader: WS2_32.dll/freeaddrinfo
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/bind
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/setsockopt
DynamicLoader: WS2_32.dll/getpeername
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: KERNEL32.dll/GetExitCodeThread
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: KERNEL32.dll/SetThreadExecutionState
DynamicLoader: KERNEL32.dll/FormatMessage
DynamicLoader: KERNEL32.dll/FormatMessageW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: Secur32.dll/DeleteSecurityContext
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: WS2_32.dll/
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
HTTPS urls from behavior.
URL: https://onedrive.live.com/download?cid=EAD0E1196BD04320&resid=EAD0E1196BD04320%211219&authkey=AKgo75RMvr4khlc
Reads data out of its own binary image
self_read: process: RegAsm.exe, pid: 3228, offset: 0x00000000, length: 0x00001000
self_read: process: RegAsm.exe, pid: 3228, offset: 0x00000178, length: 0x00000200
self_read: process: RegAsm.exe, pid: 3228, offset: 0x000080c2, length: 0x00000200
self_read: process: RegAsm.exe, pid: 3228, offset: 0x00a7c220, length: 0x00000200
self_read: process: RegAsm.exe, pid: 3228, offset: 0x00a7c23c, length: 0x00000200
A process created a hidden window
Process: RegAsm.exe -> "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp"
Process: RegAsm.exe -> "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp"
CAPE extracted potentially suspicious content
PO _6202020.exe: Injected PE Image: 32-bit executable
PO _6202020.exe: Injected Shellcode/Data
PO _6202020.exe: GuLoader
PO _6202020.exe: Injected PE Image: 32-bit executable
RegAsm.exe: Unpacked Shellcode
PO _6202020.exe: Unpacked Shellcode
RegAsm.exe: Unpacked Shellcode
RegAsm.exe: Unpacked Shellcode
RegAsm.exe: Unpacked Shellcode
RegAsm.exe: Unpacked Shellcode
Unconventional language used in binary resources: Catalan
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.82, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00010000, virtual_size: 0x0000f108
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error: File not valid: C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe
Uses Windows utilities for basic functionality
command: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp"
command: "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: PO _6202020.exe(4772) -> RegAsm.exe(3228)
Executed a process and injected code into it, probably while unpacking
Injection: PO _6202020.exe(4772) -> RegAsm.exe(3228)
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Installs itself for autorun at Windows startup
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
data: C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
Performs a large number of encryption calls using the same key possibly indicative of ransomware file encryption behavior
encryption: The crypto key 0x227a0910 was used 428 times to encrypt data
Exhibits behavior characteristic of Nanocore RAT
Attempts to bypass application whitelisting by copying and persisting .NET utility
Copy: c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe > c:\program files (x86)\scsi subsystem\scsiss.exe
Regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
CAPE detected the NanoCore malware family
File has been identified by 20 Antiviruses on VirusTotal as malicious
McAfee: Fareit-FST!2A45A1584510
Cylance: Unsafe
Sangfor: Malware
CrowdStrike: win/malicious_confidence_90% (W)
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
Paloalto: generic.ml
Endgame: malicious (high confidence)
Trapmine: malicious.moderate.ml.score
SentinelOne: DFI - Suspicious PE
Avira: TR/Injector.ftnlc
Fortinet: W32/EMGX!tr
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: PWS:Win32/Fareit.AB!MTB
Malwarebytes: Trojan.MalPack.VB
ESET-NOD32: a variant of Win32/Injector.EMGX
Rising: Downloader.Guloader!1.C738 (CLOUD)
eGambit: Unsafe.AI_Score_96%
BitDefenderTheta: Gen:[email protected]
Qihoo-360: HEUR/QVM03.0.B344.Malware.Gen
Attempts to modify proxy settings
Collects information to fingerprint the system
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest
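The behavioural signatures above (schtasks importing a task XML from the user's Temp directory, process hollowing into RegAsm.exe, a renamed copy of RegAsm.exe persisted through a Run key, and NanoCore's GUID-named working directory under %APPDATA%) translate directly into hunting rules. The following is an added example, not part of the original CAPE report or of CAPE itself: it runs those rules over constructed Sysmon-style events (event IDs 1, 11 and 13, with field names modelled on Image, ParentImage, CommandLine, OriginalFileName, TargetFilename, TargetObject and Details). The field names, the event for the persisted copy starting later, and the benign control event are assumptions; the paths and command lines come from the report.

```python
"""Hunting logic for the behaviour recorded in the sandbox report above.

Added example; not part of the original report or of CAPE. Events are
constructed Sysmon-style dicts; field names are assumptions to adapt to
your own telemetry.
"""
import re

PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13  # assumed Sysmon mapping

# .NET Framework utilities commonly abused as hollowing hosts / LOLBins
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# schtasks ... /xml <path>, with or without quotes around the path
SCHTASKS_XML = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
# NanoCore working directory: %APPDATA%\<GUID>\{run,task,catalog,storage}.dat, settings.bin/.bak
NANOCORE_DROP = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\"
    r"((run|task|catalog|storage)\.dat|settings\.(bin|bak))$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a (rule_name, detail) tuple for every event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == PROCESS_CREATE:
            image, parent, cmd = ev["image"], ev["parent_image"], ev["command_line"]
            ofn = ev.get("original_file_name", "").lower()
            # Rule 1: schtasks importing a task definition from the user's Temp directory
            if basename(image) == "schtasks.exe" and "/create" in cmd.lower():
                m = SCHTASKS_XML.search(cmd)
                if m and USER_TEMP.search(m.group(1) or m.group(2)):
                    findings.append(("schtasks_xml_from_temp", cmd))
            # Rule 2: a .NET utility started by something running out of Temp (hollowing host)
            if (basename(image) in DOTNET_UTILITIES or ofn in DOTNET_UTILITIES) and USER_TEMP.search(parent):
                findings.append(("dotnet_utility_spawned_from_temp", f"{parent} -> {image}"))
            # Rule 3: version info says .NET utility, but the file on disk carries another name
            if ofn in DOTNET_UTILITIES and basename(image) != ofn:
                findings.append(("renamed_dotnet_utility", f"{image} (OriginalFileName={ofn})"))
        elif eid == FILE_CREATE:
            # Rule 4: NanoCore's GUID-named drop directory and its state files
            if NANOCORE_DROP.search(ev["target_filename"]):
                findings.append(("nanocore_drop_dir", ev["target_filename"]))
        elif eid == REGISTRY_SET:
            # Rule 5: a Run key written by a .NET utility process rather than an installer
            if RUN_KEY.search(ev["target_object"]) and basename(ev["image"]) in DOTNET_UTILITIES:
                findings.append(("run_key_set_by_dotnet_utility", f'{ev["target_object"]} = {ev["details"]}'))
    return findings


# Constructed events mirroring the report; the last two are assumptions (see comments)
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "original_file_name": "RegAsm.exe",
     "parent_image": r"C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'},
    {"event_id": 1, "image": r"C:\Windows\SysWOW64\schtasks.exe", "original_file_name": "schtasks.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "command_line": r'"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp"'},
    {"event_id": 11, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "target_filename": r"C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\run.dat"},
    {"event_id": 13, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem",
     "details": r"C:\Program Files (x86)\SCSI Subsystem\scsiss.exe"},
    # Assumed: the persisted copy starting at next logon; PE version info still reads RegAsm.exe
    {"event_id": 1, "image": r"C:\Program Files (x86)\SCSI Subsystem\scsiss.exe",
     "original_file_name": "RegAsm.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\SCSI Subsystem\scsiss.exe"'},
    # Assumed benign control: an admin importing a task XML from a non-Temp folder stays silent
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /tn Backup /xml "C:\Ops\backup.xml"'},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

Rule 3 is the durable one: the Run key value, task name and destination folder are operator choices and change between campaigns, but a copied RegAsm.exe keeps its OriginalFileName version-info field, so a process whose image name disagrees with it is worth an alert on its own. Rule 2 will also fire on legitimate installers that run from Temp and call InstallUtil or RegAsm, so tune it against your software deployment baseline before enabling it as a blocking rule.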

Screenshots


Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       79.134.225.77   Switzerland
Y       52.114.132.47   United States
Y       13.86.101.172   United States
Y       13.107.42.13    United States
N       13.107.42.12    United States

DNS

Name                      Response          Post-Analysis Lookup
qlrfyw.bn.files.1drv.com  A 13.107.42.12    13.107.42.12
mrjeffy.duckdns.org       A 79.134.225.77   79.134.225.77

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Users\Louise\AppData\Local\Temp\~DFF8C4686B686B1523.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Users\Louise\AppData\LocalLow
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.config
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.INI
C:\Windows\System32\l_intl.nls
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411
C:\Users\Louise\AppData\Roaming
C:\Users\Louise\AppData
C:\Users\Louise
C:\Users
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\run.dat
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\Exceptions\1.2.2.0
C:\Program Files (x86)\SCSI Subsystem
C:\Program Files (x86)
C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\SCSI Subsystem\scsiss.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.PDB
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb
C:\Windows\symbols\exe\RegAsm.pdb
C:\Windows\exe\RegAsm.pdb
C:\Windows\RegAsm.pdb
C:\Users\Louise\AppData\Local\Temp
C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\task.dat
C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\catalog.dat
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\storage.dat
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ClientPlugin.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ClientPlugin\ClientPlugin.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ClientPlugin.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ClientPlugin\ClientPlugin.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\settings.bin
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\settings.bak
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\Logs\Louise
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\Logs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Lzma#.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Lzma#\Lzma#.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Lzma#.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Lzma#\Lzma#.exe
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\SurveillanceExClientPlugin.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\SurveillanceExClientPlugin.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Windows\Globalization\en.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d22616370e881379e5a7c30ee1e75a6\System.Configuration.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ws2_32.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb
C:\Windows\symbols\dll\System.pdb
C:\Windows\dll\System.pdb
C:\Windows\System.pdb
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\AutoKMS
C:\Windows\Tasks\SCSI Subsystem.job
C:\Windows\sysnative\Tasks\SCSI Subsystem
C:\Windows\sysnative\Tasks\
\??\MountPointManager
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\ui\SwDRM.dll
C:\Windows\Tasks\SCSI Subsystem Task.job
C:\Windows\sysnative\Tasks\SCSI Subsystem Task
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\~DFF8C4686B686B1523.TMP
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
C:\Windows\SysWOW64\msvbvm60.dll
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\assembly\pubpol214.dat
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb
C:\Windows\symbols\exe\RegAsm.pdb
C:\Windows\exe\RegAsm.pdb
C:\Windows\RegAsm.pdb
C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp
C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\System32\tzres.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d22616370e881379e5a7c30ee1e75a6\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb
C:\Windows\symbols\dll\System.pdb
C:\Windows\dll\System.pdb
C:\Windows\System.pdb
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Local\Temp\~DFF8C4686B686B1523.TMP
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\run.dat
C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\task.dat
C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp
C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
C:\Users\Louise\AppData\Roaming\048DA2FC-03CD-4F4F-9037-FCD5F0EA1411\SCSI Subsystem\scsiss.exe
C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp
C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier
C:\Windows\Tasks\SCSI Subsystem.job
C:\Windows\Tasks\SCSI Subsystem Task.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\startbogstavs\Caponized9
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Tuberculomas\Coatninger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\52-54-00-6f-d4-05
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegAsm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5aa75839\10fdf3
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4ecde57e\31d9ddbb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a054161\46043f61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\292d2ab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\26d19501
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem.job.fp
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Triggers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem Task.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem Task.job.fp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem Task
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem Task\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem Task\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadNetworkName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F04E1FCF-9C06-44B9-91DB-C75CDD9B0DF5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem Task\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SCSI Subsystem Task\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D89B3D7-8F35-4480-8B53-1287CD6304ED}\Triggers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E5E0B13-621E-47B5-AA41-63B84D6692D2}\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-6f-d4-05\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem.job.fp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem Task.job
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\SCSI Subsystem Task.job.fp
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
asycfilt.dll.FilterCreateInstance
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.NlsGetCacheUpdateCount
version.dll.VerQueryValueA
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
kernel32.dll.GetCalendarInfoW
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.NotifyUnicastIpAddressChange
iphlpapi.dll.GetAdaptersAddresses
ws2_32.dll.GetAddrInfoW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
ws2_32.dll.#5
shlwapi.dll.UrlGetPartW
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoTaskMemAlloc
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.GetIfEntry2
ole32.dll.CoTaskMemFree
nsi.dll.NsiFreeTable
ole32.dll.CoUninitialize
sechost.dll.ConvertSidToStringSidW
profapi.dll.#104
winhttp.dll.WinHttpSendRequest
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#9
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
shlwapi.dll.StrStrIW
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
mscoree.dll._CorExeMain
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
kernel32.dll.GetNativeSystemInfo
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoGetContextToken
kernel32.dll.QueryActCtxW
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
mscorjit.dll.getJit
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterWindowMessageW
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
user32.dll.GetWindowTextLengthW
user32.dll.GetWindowTextW
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
kernel32.dll.GetStartupInfoW
user32.dll.GetWindowPlacement
user32.dll.GetDC
gdi32.dll.GetDeviceCaps
user32.dll.ReleaseDC
user32.dll.CreateIconFromResourceEx
user32.dll.SendMessageW
user32.dll.GetSystemMenu
user32.dll.EnableMenuItem
user32.dll.SetWindowPos
user32.dll.RedrawWindow
user32.dll.ShowWindow
ole32.dll.OleInitialize
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.IsWindowUnicode
user32.dll.GetMessageW
user32.dll.TranslateMessage
user32.dll.DispatchMessageW
user32.dll.GetFocus
kernel32.dll.GetModuleFileNameW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.FindResourceExA
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.LockResource
bcrypt.dll.BCryptGetFipsAlgorithmMode
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptGetProvParam
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptEncrypt
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.CloseHandle
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueExA
shfolder.dll.SHGetFolderPathW
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.CreateDirectoryW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.DeleteFileW
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.CreateProcessW
ole32.dll.CoWaitForMultipleHandles
kernel32.dll.GetExitCodeProcess
kernel32.dll.DeleteFileA
kernel32.dll.GetSystemInfo
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtGetCurrentProcessorNumber
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
advapi32.dll.GetUserNameW
kernel32.dll.SwitchToThread
user32.dll.GetForegroundWindow
user32.dll.GetWindowThreadProcessId
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
psapi.dll.EnumProcesses
user32.dll.GetKeyboardLayout
kernel32.dll.GlobalMemoryStatusEx
user32.dll.RegisterRawInputDevices
user32.dll.SetClipboardViewer
user32.dll.SendMessageA
ole32.dll.CoCreateGuid
user32.dll.WaitMessage
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
ws2_32.dll.WSAStartup
ws2_32.dll.setsockopt
ws2_32.dll.WSAEventSelect
ws2_32.dll.ioctlsocket
ws2_32.dll.closesocket
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetComputerNameW
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.LocalFree
kernel32.dll.CreateFileMappingW
kernel32.dll.MapViewOfFile
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualQuery
advapi32.dll.CreateWellKnownSid
kernel32.dll.WaitForSingleObject
kernel32.dll.OpenMutexW
kernel32.dll.OpenProcess
kernel32.dll.GetProcessTimes
ws2_32.dll.getaddrinfo
ws2_32.dll.freeaddrinfo
ws2_32.dll.bind
ws2_32.dll.getpeername
kernel32.dll.CreateEventW
kernel32.dll.SetEvent
kernel32.dll.GetExitCodeThread
kernel32.dll.SetThreadExecutionState
kernel32.dll.FormatMessageW
secur32.dll.DeleteSecurityContext
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
ws2_32.dll.#22
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
sspicli.dll.GetUserNameExW
"C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe "C:\Users\Louise\AppData\Local\Temp\PO _6202020.exe"
"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Louise\AppData\Local\Temp\tmp8047.tmp"
"schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Louise\AppData\Local\Temp\tmp9249.tmp"
Global\CLR_CASOFF_MUTEX
Global\{97d0e714-f7a3-4372-9f4a-e9222d84ebdb}
Global\.net clr networking

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x004014d4 0x0001d555 0x0001d555 4.0 2015-01-07 18:15:58 33394a0ac3e96ec6599fc0e19df02306 aedc4e05821876decd030ed5ee2566f1 bdddc624fc4ee0ecd2c05af8f5cfdc51

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x0000f108 0x00010000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.82
.data 0x00011000 0x00011000 0x00000e8c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00012000 0x00012000 0x000015a8 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.11

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.01 None
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.01 None
RT_ICON 0x000123f0 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.01 None
RT_GROUP_ICON 0x000123c0 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 3.07 None
RT_VERSION 0x00012150 0x00000270 LANG_CATALAN SUBLANG_DEFAULT 3.28 None

Imports

0x401000 None
0x401004 None
0x401008 _CIcos
0x40100c _adj_fptan
0x401010 __vbaVarMove
0x401014 __vbaFreeVar
0x401018 __vbaStrVarMove
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 None
0x401028 __vbaFreeObjList
0x40102c None
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 None
0x40103c None
0x401044 None
0x401048 _adj_fdiv_m32
0x40104c None
0x401050 None
0x401054 __vbaAryDestruct
0x401058 None
0x40105c __vbaObjSet
0x401060 _adj_fdiv_m16i
0x401064 _adj_fdivr_m16i
0x401068 None
0x40106c __vbaFpR8
0x401070 _CIsin
0x401074 __vbaChkstk
0x401078 EVENT_SINK_AddRef
0x40107c None
0x401080 __vbaStrCmp
0x401084 __vbaVarTstEq
0x401088 None
0x40108c None
0x401090 None
0x401094 __vbaCastObjVar
0x401098 None
0x40109c _adj_fpatan
0x4010a0 None
0x4010a4 EVENT_SINK_Release
0x4010a8 __vbaUI1I2
0x4010ac _CIsqrt
0x4010b4 __vbaExceptHandler
0x4010b8 None
0x4010bc _adj_fprem
0x4010c0 _adj_fdivr_m64
0x4010c4 None
0x4010c8 None
0x4010cc __vbaFPException
0x4010d0 None
0x4010d4 None
0x4010d8 _CIlog
0x4010dc __vbaNew2
0x4010e0 _adj_fdiv_m32i
0x4010e4 _adj_fdivr_m32i
0x4010e8 __vbaStrCopy
0x4010ec __vbaFreeStrList
0x4010f0 None
0x4010f4 _adj_fdivr_m32
0x4010f8 _adj_fdiv_r
0x4010fc None
0x401100 __vbaI4Var
0x401104 None
0x401108 None
0x40110c None
0x401110 __vbaVarDup
0x401114 None
0x40111c _CIatan
0x401120 __vbaStrMove
0x401124 __vbaUI1Str
0x401128 None
0x40112c _allmul
0x401130 None
0x401134 _CItan
0x401138 None
0x40113c None
0x401140 _CIexp
0x401144 __vbaFreeStr
0x401148 __vbaFreeObj

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
MSVBVM60.DLL
Virkeligheds
Ddvgtensprol4
Pizzl9
"Exif
Pizzl9
Check1
Vbnernese4
Taeniformja1
Option3
Automobilfirm
Option2
Estrago2
Option1
Line2
Line1
VB5!6&*
BARTENDERNESN
Virkeligheds
Virkeligheds
Virkeligheds
Ddvgtensprol4
Brugsanv
LSEHA
Accouche
Handelsrejse
judgingtineal
Nonexte
Projektg
Kunst5
TILSMUDS
rewhitenunpa
Ungdom
Taeniformja1
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Check1
Estrago2
Automobilfirm
LYNNEDSLAGENE
kneeing
Bottomlessly
Deathcup
CROSSABILITY
kawaka
VISERENDE
Uanvendeliges
BRUGERANGIVNE
OLDFRUER
facsim
Eftergrelse3
VBA6.DLL
__vbaFpR8
__vbaVarMove
__vbaUI1Str
__vbaVarDup
__vbaFreeObjList
__vbaFreeObj
__vbaStrVarMove
__vbaFreeVarList
__vbaVarTstEq
__vbaFreeStr
__vbaStrCopy
__vbaUI1I2
__vbaCastObjVar
__vbaObjSet
__vbaHresultCheckObj
__vbaNew2
__vbaVarLateMemCallLd
__vbaFreeVar
__vbaFreeStrList
__vbaStrCat
__vbaStrMove
__vbaStrCmp
__vbaAryDestruct
__vbaI4Var
Kystklima
Volstead5
PHTHIRIUS
Solod
Larvicidal
Foruroligelserne5
UNCONTEMPTIBLY
INSTRUKTIONSKURSUS
Vngerne
Tilhrendes4
Dveskolens8
Servicefunktioners5
EKSEKUTION
Diktere1
CHEFDOM
Lornness7
RANVEIG
Forpligtelseserklrings
metea
Irradiate5
Amuck7
BRANIFF
Bestvlede6
reaccelerated
Oinks
surstyle
sammenstds
refractional
TOTALERS
brdstudiers
Merling8
SATANIZE
DONNER
Driftsikkert6
Plastiskes9
VENSTRELINEAER
Skovhugsterne1
Heautomorphism1
Whoreishly
Bryggerkedels9
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
__vbaVarTstEq
__vbaCastObjVar
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaVarDup
__vbaVarLateMemCallLd
_CIatan
__vbaStrMove
__vbaUI1Str
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
Spiralsnoet6
somatological
annelides
Jurata
Sejrvindings
Upshoot3
KOMMUNALBESTYRELSE
aflvningerne
CONTAINMENT
CANCANENS
KATJES
medicean
FLERRIED
OLIGIST
Fodterapeuters
startbogstavs
Caponized9
Blokfljternes
TALVRDIEN
harpist
Tuberculomas
Coatninger
Polydaemonist5
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040304B0
LegalCopyright
Internal
LegalTrademarks
Internal
ProductName
Virkeligheds
FileVersion
ProductVersion
InternalName
BARTENDERNESN
OriginalFilename
BARTENDERNESN.exe

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean CMC Clean
CAT-QuickHeal Clean McAfee Fareit-FST!2A45A1584510 Cylance Unsafe
VIPRE Clean SUPERAntiSpyware Clean Sangfor Malware
K7AntiVirus Clean Alibaba Clean K7GW Clean
CrowdStrike win/malicious_confidence_90% (W) Invincea Clean Baidu Clean
F-Prot Clean Symantec Clean TotalDefense Clean
APEX Malicious Avast Clean ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic BitDefender Clean NANO-Antivirus Clean
Paloalto generic.ml AegisLab Clean Tencent Clean
Endgame malicious (high confidence) Sophos Clean Comodo Clean
F-Secure Clean DrWeb Clean Zillya Clean
TrendMicro Clean McAfee-GW-Edition Clean Trapmine malicious.moderate.ml.score
FireEye Clean Emsisoft Clean SentinelOne DFI - Suspicious PE
Cyren Clean Jiangmin Clean Webroot Clean
Avira TR/Injector.ftnlc Fortinet W32/EMGX!tr Antiy-AVL Clean
Kingsoft Clean Arcabit Clean ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic Avast-Mobile Clean Microsoft PWS:Win32/Fareit.AB!MTB
TACHYON Clean AhnLab-V3 Clean Acronis Clean
VBA32 Clean ALYac Clean MAX Clean
Ad-Aware Clean Malwarebytes Trojan.MalPack.VB Zoner Clean
ESET-NOD32 a variant of Win32/Injector.EMGX TrendMicro-HouseCall Clean Rising Downloader.Guloader!1.C738 (CLOUD)
Yandex Clean Ikarus Clean eGambit Unsafe.AI_Score_96%
GData Clean BitDefenderTheta Gen:[email protected] AVG Clean
Cybereason Clean Panda Clean Qihoo-360 HEUR/QVM03.0.B344.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 79.134.225.77 [VT] Switzerland
Y 52.114.132.47 [VT] United States
Y 13.86.101.172 [VT] United States
Y 13.107.42.13 [VT] United States
N 13.107.42.12 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.1.8 49199 13.107.42.12 qlrfyw.bn.files.1drv.com 443
192.168.1.8 49172 13.107.42.23 443
192.168.1.8 49174 13.107.42.23 443
192.168.1.8 49176 13.107.42.23 443
192.168.1.8 32761 52.114.132.47 36064
192.168.1.8 40570 52.114.132.47 25774
192.168.1.8 9064 52.114.132.47 40625
192.168.1.8 53187 52.114.132.47 6522
192.168.1.8 49196 72.21.91.29 80
192.168.1.8 49213 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49214 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49215 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49216 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49217 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49220 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49221 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49222 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49223 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49224 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49225 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49226 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49227 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49228 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49229 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49230 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49231 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49232 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49233 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49234 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49235 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49236 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49237 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49238 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49239 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49240 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49241 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49242 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49243 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49244 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49245 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49246 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49247 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49248 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49249 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49250 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49251 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49252 79.134.225.77 mrjeffy.duckdns.org 37273
192.168.1.8 49253 79.134.225.77 mrjeffy.duckdns.org 37273

UDP

Source Source Port Destination Destination Port
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 52398 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 56571 8.8.8.8 53
192.168.1.8 61090 8.8.8.8 53
192.168.1.8 61380 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
qlrfyw.bn.files.1drv.com [VT] A 13.107.42.12 [VT] 13.107.42.12 [VT]
mrjeffy.duckdns.org [VT] A 79.134.225.77 [VT] 79.134.225.77 [VT]

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-05 14:02:08.703 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:08.703 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:08.826 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:09.079 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:09.091 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-05 14:02:47.959 192.168.1.8 [VT] 56571 8.8.8.8 [VT] 53 UDP 1 2022918 2 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-05 14:02:08.910 192.168.1.8 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:08.910 192.168.1.8 [VT] 49172 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:09.033 192.168.1.8 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:09.080 192.168.1.8 [VT] 49174 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:09.192 192.168.1.8 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-05 14:02:33.770 192.168.1.8 [VT] 49192 13.107.42.13 [VT] 443 CN=onedrive.com 98:1a:ce:12:3c:76:27:2a:c4:56:a3:93:77:3c:27:fe:22:fc:ba:19 TLS 1.2
2020-06-05 14:02:38.030 192.168.1.8 [VT] 49199 13.107.42.12 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 57:ec:78:dd:17:81:29:d9:fb:38:23:29:00:5e:fd:3c:47:2b:f8:65 TLS 1.2
2020-06-05 14:03:08.649 192.168.1.8 [VT] 49218 52.114.132.47 [VT] 443 CN=*.events.data.microsoft.com 1a:c2:39:ff:84:fe:1a:c9:81:f5:45:9a:d0:a0:f2:66:d1:8c:38:c9 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-06-05 14:02:35.282 192.168.1.8 49193 205.185.216.10 80 200 ctldl.windowsupdate.com /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1525c93a2c3d98ee application/vnd.ms-cab-compressed Microsoft-CryptoAPI/6.1 None 6894
2020-06-05 14:02:36.314 192.168.1.8 49196 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:02:38.839 192.168.1.8 49196 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507
2020-06-05 14:03:09.746 192.168.1.8 49219 72.21.91.29 80 200 ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D application/ocsp-response Microsoft-CryptoAPI/6.1 None 1507

No Suricata extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.8 49199 13.107.42.12 qlrfyw.bn.files.1drv.com 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.8 49192 13.107.42.13 443 d124ae14809abde3528a479fe01a12bd unknown
192.168.1.8 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49174 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.8 49218 52.114.132.47 443 d124ae14809abde3528a479fe01a12bd unknown

No dropped files.
No CAPE files.

Process Name schtasks.exe
PID 3836
Dump Size 177152 bytes
Module Path C:\Windows\SysWOW64\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 4afc4c0739eee7ef6ce0520313f88272
SHA1 fa74e83c6c21b72048acf71c403c6a01f272adc6
SHA256 43ecdcae4fc9ce68c2f5a1d7ec9d3be17d4e025423fc1ec4337445358887690f
CRC32 E1CFE4C1
Ssdeep 3072:RvXFcu3Zos3GFRBQqx2K0hXHE1vjUkmy2tDvDQk2f9jqxGBGAGCx:R9cu3Zos+ThmarUpyMDQO+GAd
Dump Filename 43ecdcae4fc9ce68c2f5a1d7ec9d3be17d4e025423fc1ec4337445358887690f
Process Name svchost.exe
PID 840
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 dee7243396ae983fa433b691b35d9616
SHA1 aa92db2341234f0491352179c41a7a71a2a6e86e
SHA256 4a7be92f7d0fe49df1f968b9d29e17af6e970492e5a505cd1a35d2f007912e2e
CRC32 6FCDA8DE
Ssdeep 384:zvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCEyrlWVSsEsj45RCOvojtPKW9C5bW:bWkX7q+f5TYvVeZMmn+0C4xZEbvKtPK
Dump Filename 4a7be92f7d0fe49df1f968b9d29e17af6e970492e5a505cd1a35d2f007912e2e
Process Name schtasks.exe
PID 972
Dump Size 177152 bytes
Module Path C:\Windows\SysWOW64\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 88c437bca201a6fe8b7fcce3e7ed8f29
SHA1 564abb4c5b7713c2228a3ac915e4d4011b9fcd4b
SHA256 04fa60a92ac4568c5d1e5884094f110ee51f2c13d92d543d8a3c933b6419a447
CRC32 22245181
Ssdeep 3072:R2Dcobu6yV3Jo09gsmhjBA9LOcMsQBDxRE28HoIgGBGABCx:RacobudVNa6yXsURE1GAY
Dump Filename 04fa60a92ac4568c5d1e5884094f110ee51f2c13d92d543d8a3c933b6419a447
Process Name RegAsm.exe
PID 3228
Dump Size 208384 bytes
Module Path C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Type PE image: 32-bit executable
PE timestamp 2015-02-22 00:49:37
MD5 a1c20f1c367dc0869b6ba4ca8c8c0484
SHA1 42de9678700f7d06ba36a26d939bc91f0139b98f
SHA256 d8563ae9d9dcc272f502792bac452a4c4ef016927aa5c7e0c7f45b903f9d84c7
CRC32 3483FEFD
Ssdeep 3072:WzEqZ6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI8hG1w4xEgOLk1HKgBu8/FH2Qu:WLZ6Bta6dtJmakIM5/rg5lKKHyFMU
CAPE Yara
Dump Filename d8563ae9d9dcc272f502792bac452a4c4ef016927aa5c7e0c7f45b903f9d84c7
MITRE ATT&CK TTPs

Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1118 - InstallUtil
    • Signature - persists_dev_util
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1127 - Trusted Developer Utilities
    • Signature - persists_dev_util

Impact
  • T1486 - Data Encrypted for Impact
    • Signature - mass_data_encryption

Execution
  • T1118 - InstallUtil
    • Signature - persists_dev_util
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
  • T1127 - Trusted Developer Utilities
    • Signature - persists_dev_util

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

Persistence
  • T1060 - Registry Run Keys / Startup Folder
    • Signature - persistence_autorun
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 10.431 seconds )

    • 5.212 Suricata
    • 2.76 BehaviorAnalysis
    • 1.227 NetworkAnalysis
    • 0.453 VirusTotal
    • 0.444 CAPE
    • 0.093 Static
    • 0.082 Dropped
    • 0.073 ProcDump
    • 0.037 Deduplicate
    • 0.021 AnalysisInfo
    • 0.012 TargetInfo
    • 0.01 Debug
    • 0.005 peid
    • 0.002 Strings

    Signatures ( 1.521999999999996 seconds )

    • 0.252 antiav_detectreg
    • 0.099 api_spamming
    • 0.092 infostealer_ftp
    • 0.087 stealth_timeout
    • 0.085 territorial_disputes_sigs
    • 0.077 decoy_document
    • 0.058 NewtWire Behavior
    • 0.053 infostealer_im
    • 0.052 antianalysis_detectreg
    • 0.045 antisandbox_sleep
    • 0.028 antivm_vbox_keys
    • 0.025 masquerade_process_name
    • 0.022 antiav_detectfile
    • 0.02 antidbg_windows
    • 0.019 antivm_vmware_keys
    • 0.019 infostealer_mail
    • 0.017 dyre_behavior
    • 0.017 ransomware_files
    • 0.014 antivm_generic_disk
    • 0.014 antivm_parallels_keys
    • 0.013 antivm_xen_keys
    • 0.013 infostealer_bitcoin
    • 0.011 mimics_filetime
    • 0.011 antianalysis_detectfile
    • 0.01 InjectionCreateRemoteThread
    • 0.009 Doppelganging
    • 0.009 bootkit
    • 0.009 injection_createremotethread
    • 0.009 reads_self
    • 0.009 virus
    • 0.009 antivm_generic_diskreg
    • 0.009 antivm_vbox_files
    • 0.009 antivm_vpc_keys
    • 0.009 geodo_banking_trojan
    • 0.009 ransomware_extensions
    • 0.008 encrypted_ioc
    • 0.008 stealth_file
    • 0.007 antiav_avast_libs
    • 0.007 antiemu_wine_func
    • 0.007 dynamic_function_loading
    • 0.007 persistence_autorun
    • 0.006 antivm_generic_scsi
    • 0.006 betabot_behavior
    • 0.005 antidebug_guardpages
    • 0.005 exec_crash
    • 0.005 exploit_heapspray
    • 0.005 hancitor_behavior
    • 0.005 infostealer_browser_password
    • 0.005 kibex_behavior
    • 0.005 malicious_dynamic_function_loading
    • 0.005 mass_data_encryption
    • 0.005 modify_proxy
    • 0.005 predatorthethief_files
    • 0.005 qulab_files
    • 0.004 antisandbox_sunbelt_libs
    • 0.004 infostealer_browser
    • 0.004 kovter_behavior
    • 0.004 shifu_behavior
    • 0.004 antivm_xen_keys
    • 0.004 antivm_hyperv_keys
    • 0.004 browser_security
    • 0.004 bypass_firewall
    • 0.003 InjectionInterProcess
    • 0.003 antiav_bitdefender_libs
    • 0.003 antiav_bullgaurd_libs
    • 0.003 antiav_emsisoft_libs
    • 0.003 antiav_qurb_libs
    • 0.003 antiav_apioverride_libs
    • 0.003 antiav_nthookengine_libs
    • 0.003 antisandbox_sboxie_libs
    • 0.003 antivm_vbox_libs
    • 0.003 exploit_getbasekerneladdress
    • 0.003 hawkeye_behavior
    • 0.003 encrypt_data_agenttesla_http
    • 0.003 encrypt_data_agentteslat2_http
    • 0.003 encrypt_data_nanocore
    • 0.003 network_anomaly
    • 0.003 blackrat_registry_keys
    • 0.003 dcrat_behavior
    • 0.003 recon_programs
    • 0.003 antidbg_devices
    • 0.003 antivm_generic_system
    • 0.003 antivm_vmware_files
    • 0.003 ketrican_regkeys
    • 0.003 darkcomet_regkeys
    • 0.003 disables_browser_warn
    • 0.003 limerat_regkeys
    • 0.002 antivm_generic_services
    • 0.002 exploit_gethaldispatchtable
    • 0.002 network_tor
    • 0.002 rat_nanocore
    • 0.002 OrcusRAT Behavior
    • 0.002 stack_pivot
    • 0.002 stealth_network
    • 0.002 tinba_behavior
    • 0.002 antivm_generic_bios
    • 0.002 antivm_vbox_devices
    • 0.002 network_torgateway
    • 0.002 recon_fingerprint
    • 0.002 remcos_regkeys
    • 0.001 InjectionSetWindowLong
    • 0.001 uac_bypass_eventvwr
    • 0.001 cerber_behavior
    • 0.001 cryptowall_behavior
    • 0.001 dridex_behavior
    • 0.001 Raccoon Behavior
    • 0.001 Vidar Behavior
    • 0.001 ispy_behavior
    • 0.001 kazybot_behavior
    • 0.001 persistence_autorun_tasks
    • 0.001 ransomware_message
    • 0.001 blackrat_apis
    • 0.001 rat_luminosity
    • 0.001 sets_autoconfig_url
    • 0.001 vawtrak_behavior
    • 0.001 neshta_files
    • 0.001 banker_cridex
    • 0.001 bot_drive
    • 0.001 browser_addon
    • 0.001 codelux_behavior
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 network_dns_opennic
    • 0.001 packer_armadillo_regkey
    • 0.001 persistence_shim_database
    • 0.001 medusalocker_regkeys
    • 0.001 revil_mutexes
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 warzonerat_regkeys
    • 0.001 sniffer_winpcap
    • 0.001 stealth_hiddenreg
    • 0.001 targeted_flame

    Reporting ( 17.92 seconds )

    • 17.789 BinGraph
    • 0.066 PCAP2CERT
    • 0.065 MITRE_TTPS