Detections

Yara:

AgentTeslaV2

Analysis

Category: FILE
Package: Unpacker
Started: 2020-06-05 13:58:15
Completed: 2020-06-05 14:12:37
Duration: 862 seconds
Options: procdump = yes
Log:
2020-05-13 09:11:28,469 [root] INFO: Date set to: 20200605T14:08:05, timeout set to: 200
2020-06-05 14:08:05,031 [root] DEBUG: Starting analyzer from: C:\tmp52sk_on6
2020-06-05 14:08:05,031 [root] DEBUG: Storing results at: C:\OkWemdw
2020-06-05 14:08:05,031 [root] DEBUG: Pipe server name: \\.\PIPE\OHOFtTjjQH
2020-06-05 14:08:05,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:08:05,031 [root] INFO: Analysis package "Unpacker" has been specified.
2020-06-05 14:08:05,046 [root] DEBUG: Trying to import analysis package "Unpacker"...
2020-06-05 14:08:05,078 [root] DEBUG: Imported analysis package "Unpacker".
2020-06-05 14:08:05,078 [root] DEBUG: Trying to initialize analysis package "Unpacker"...
2020-06-05 14:08:05,078 [root] DEBUG: Initialized analysis package "Unpacker".
2020-06-05 14:08:05,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:08:05,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:08:05,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:08:05,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:08:05,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:08:05,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:08:05,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:08:05,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:08:05,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:08:05,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:08:05,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:08:05,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:08:05,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:08:05,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:08:05,218 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:08:05,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:08:06,734 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:08:06,734 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:08:06,765 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:08:06,765 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:08:06,765 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:08:06,781 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:08:06,781 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:08:06,781 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:08:06,781 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:08:06,796 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:08:06,796 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:08:06,796 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:08:06,796 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:08:06,796 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:08:06,796 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:08:06,796 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:08:06,796 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:08:06,796 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:08:06,796 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:08:06,796 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:08:07,140 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:08:07,140 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:08:07,171 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:08:07,171 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:08:07,171 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:08:07,171 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:08:07,187 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:08:07,187 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:08:07,187 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:08:07,187 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:08:07,203 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:08:07,203 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:08:07,203 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:08:07,203 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:08:07,203 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:08:07,203 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:08:07,203 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:08:07,203 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:08:07,203 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:08:07,203 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:08:07,218 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:08:07,218 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:08:07,218 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:08:07,218 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:08:07,218 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:08:07,218 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:08:07,218 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:08:07,218 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a DLL option
2020-06-05 14:08:07,218 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a DLL_64 option
2020-06-05 14:08:07,218 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a loader option
2020-06-05 14:08:07,218 [root] INFO: Analyzer: Package modules.packages.Unpacker does not specify a loader_64 option
2020-06-05 14:08:07,531 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe" with arguments "" with pid 5652
2020-06-05 14:08:07,531 [lib.api.process] INFO: Monitor config for process 5652: C:\tmp52sk_on6\dll\5652.ini
2020-06-05 14:08:07,531 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:07,531 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:07,531 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:07,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:07,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:07,593 [root] DEBUG: Loader: Injecting process 5652 (thread 5656) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:07,609 [root] DEBUG: Process image base: 0x01080000
2020-06-05 14:08:07,609 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:08:07,609 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:08:07,609 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:07,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5652
2020-06-05 14:08:09,625 [lib.api.process] INFO: Successfully resumed process with pid 5652
2020-06-05 14:08:10,046 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:08:10,046 [root] DEBUG: Process dumps disabled.
2020-06-05 14:08:10,062 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5652 at 0x6ae60000, image base 0x1080000, stack from 0x2c5000-0x2d0000
2020-06-05 14:08:10,062 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe".
2020-06-05 14:08:10,078 [root] DEBUG: WoW64 not detected.
2020-06-05 14:08:10,078 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:08:10,078 [root] DEBUG: set_caller_info: Adding region at 0x00060000 to caller regions list (ntdll::RtlDispatchException).
2020-06-05 14:08:10,078 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1bf4 in capemon caught accessing 0x1081000 (expected in memory scans), passing to next handler.
2020-06-05 14:08:10,093 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,093 [root] DEBUG: AddTrackedRegion: GetEntropy failed.
2020-06-05 14:08:10,093 [root] DEBUG: AddTrackedRegion: New region at 0x01080000 size 0x1000 added to tracked regions: EntryPoint 0x6aea7cef, Entropy 0.000000e+00
2020-06-05 14:08:10,093 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:08:10,109 [root] DEBUG: set_caller_info: Adding region at 0x001D0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-05 14:08:10,109 [root] DEBUG: set_caller_info: Adding region at 0x00800000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-05 14:08:10,109 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-05 14:08:10,125 [root] DEBUG: DLL loaded at 0x6BE30000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-05 14:08:10,125 [root] DEBUG: DLL unloaded from 0x76970000.
2020-06-05 14:08:10,140 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:08:10,156 [root] DEBUG: DLL loaded at 0x0FFB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-05 14:08:10,156 [root] DEBUG: DLL loaded at 0x6E9E0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-05 14:08:10,187 [root] INFO: Disabling sleep skipping.
2020-06-05 14:08:10,187 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5536.
2020-06-05 14:08:10,203 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:08:10,203 [root] DEBUG: Allocation: 0x00173000 - 0x00174000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:10,203 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,203 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,203 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00173000, size: 0x1000.
2020-06-05 14:08:10,203 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00173000.
2020-06-05 14:08:10,218 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x00173000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:10,218 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00173000
2020-06-05 14:08:10,218 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x0017003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:10,218 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0017003C
2020-06-05 14:08:10,218 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00173000 (size 0x1000).
2020-06-05 14:08:10,218 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 5656)
2020-06-05 14:08:10,218 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00173000.
2020-06-05 14:08:10,234 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x173000: 0x0.
2020-06-05 14:08:10,234 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5564.
2020-06-05 14:08:10,234 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5564 type 1 at address 0x00173000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:10,249 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5564 type 1 at address 0x0017003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:10,249 [root] DEBUG: SetThreadBreakpoint: Set bp 2 thread id 5564 type 0 at address 0x00173000, size 0 with Callback 0x6ae79ed0.
2020-06-05 14:08:10,296 [root] DEBUG: DLL loaded at 0x66080000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-05 14:08:10,328 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-05 14:08:10,328 [root] DEBUG: Allocation: 0x003B0000 - 0x003B1000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,343 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,343 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-06-05 14:08:10,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-06-05 14:08:10,343 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_1222579616108125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00170000;?', ['5652'], 'CAPE')
2020-06-05 14:08:10,421 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_1222579616108125562020 (size 0x14)
2020-06-05 14:08:10,421 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00170000.
2020-06-05 14:08:10,437 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x170000 - 0x171000.
2020-06-05 14:08:10,437 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x003B0000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:10,437 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003B0000
2020-06-05 14:08:10,437 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x003B003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:10,437 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003B003C
2020-06-05 14:08:10,437 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003B0000 (size 0x1000).
2020-06-05 14:08:10,437 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 5656)
2020-06-05 14:08:10,453 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003B0000.
2020-06-05 14:08:10,453 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3b0000: 0x0.
2020-06-05 14:08:10,453 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:10,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE2FD6 (thread 5656)
2020-06-05 14:08:10,453 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-06-05 14:08:10,453 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5e00 (at 0x003B003C).
2020-06-05 14:08:10,453 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 5656 (process 5652), skipping.
2020-06-05 14:08:10,453 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-06-05 14:08:10,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE2FDE (thread 5656)
2020-06-05 14:08:10,453 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-06-05 14:08:10,453 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5e00 (at 0x003B003C).
2020-06-05 14:08:10,453 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 5656 (process 5652), skipping.
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-06-05 14:08:10,468 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE2FEF (thread 5656)
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5e00 (at 0x003B003C).
2020-06-05 14:08:10,468 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 5656 (process 5652), skipping.
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-06-05 14:08:10,468 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE301B (thread 5656)
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003B003C.
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5e0f (at 0x003B003C).
2020-06-05 14:08:10,468 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003B0000 already exists for thread 5656 (process 5652), skipping.
2020-06-05 14:08:10,468 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003B0000.
2020-06-05 14:08:10,484 [root] DEBUG: DLL loaded at 0x6A900000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-05 14:08:10,484 [root] DEBUG: DLL loaded at 0x75CB0000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-05 14:08:10,578 [root] DEBUG: DLL loaded at 0x67B60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-05 14:08:10,593 [root] DEBUG: DLL loaded at 0x6A3F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-05 14:08:10,609 [root] DEBUG: DLL loaded at 0x65360000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-05 14:08:10,640 [root] DEBUG: set_caller_info: Adding region at 0x003B0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:08:10,640 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_16032869122034185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x003B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:10,656 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_16032869122034185562020 (size 0x4d3)
2020-06-05 14:08:10,656 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003B0000.
2020-06-05 14:08:10,656 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003B003C.
2020-06-05 14:08:10,656 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003B0000.
2020-06-05 14:08:10,656 [root] DEBUG: Allocation: 0x001B5000 - 0x001B6000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:10,671 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,671 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:10,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:10,671 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x001B5000, size: 0x1000.
2020-06-05 14:08:10,671 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x001B5000.
2020-06-05 14:08:10,671 [root] DEBUG: AddTrackedRegion: New region at 0x001B0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:10,671 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x001B0000, TrackedRegion->RegionSize: 0x1000, thread 5656
2020-06-05 14:08:10,671 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x003B0000 to 0x001B0000.
2020-06-05 14:08:10,687 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x001B5000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:10,687 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001B5000
2020-06-05 14:08:10,687 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x001B003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:10,687 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x1005E297 (thread 5656)
2020-06-05 14:08:10,687 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001B003C.
2020-06-05 14:08:10,687 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,687 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:10,703 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,703 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:10,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:10,703 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x001B0000, size: 0x1000.
2020-06-05 14:08:10,734 [root] DEBUG: Allocation: 0x003B1000 - 0x003B2000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,734 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,734 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:10,734 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,734 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,875 [root] DEBUG: Allocation: 0x0017D000 - 0x0017E000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:10,875 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,875 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:10,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:10,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:10,890 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00170000, size: 0x1000.
2020-06-05 14:08:10,890 [root] DEBUG: Allocation: 0x0019A000 - 0x0019B000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:10,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:10,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:10,890 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:10,906 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:10,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:10,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:10,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:10,906 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x0019A000, size: 0x1000.
2020-06-05 14:08:10,906 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x0019A000.
2020-06-05 14:08:10,906 [root] DEBUG: DumpPEsInRange: Scanning range 0x1b0000 - 0x1b1000.
2020-06-05 14:08:10,906 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1b0000-0x1b1000.
2020-06-05 14:08:10,953 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_1452017552108125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x001B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:11,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_1452017552108125562020 (size 0x8a)
2020-06-05 14:08:11,015 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001B0000.
2020-06-05 14:08:11,031 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1b0000 - 0x1b1000.
2020-06-05 14:08:11,031 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x0019A000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:11,031 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x0019003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:11,031 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0019003C
2020-06-05 14:08:11,031 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x0019A000 (size 0x1000).
2020-06-05 14:08:11,031 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 5656)
2020-06-05 14:08:11,031 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x0019A000.
2020-06-05 14:08:11,031 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x19a000: 0x0.
2020-06-05 14:08:11,031 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:11,046 [root] DEBUG: Allocation: 0x00197000 - 0x00198000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:11,046 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:11,046 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:11,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:11,046 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00190000, size: 0x1000.
2020-06-05 14:08:11,093 [root] DEBUG: Allocation: 0x003B2000 - 0x003B3000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:11,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:11,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:11,093 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:11,093 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:11,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:11,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:11,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:11,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:11,109 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003B0000, size: 0x1000.
2020-06-05 14:08:11,125 [root] DEBUG: Allocation: 0x003B3000 - 0x003B4000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:11,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:11,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:11,125 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:11,140 [root] DEBUG: DLL loaded at 0x64B80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-05 14:08:11,281 [root] DEBUG: Allocation: 0x00196000 - 0x00197000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:11,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:11,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:11,296 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:11,296 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:11,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:11,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:11,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:11,296 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x80001 (at 0x0019A03C).
2020-06-05 14:08:11,453 [root] DEBUG: DLL loaded at 0x64780000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-05 14:08:11,453 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:08:11,468 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:08:11,562 [root] DEBUG: DLL loaded at 0x63BD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-05 14:08:12,312 [root] DEBUG: DLL loaded at 0x628C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-05 14:08:12,484 [root] DEBUG: DLL loaded at 0x73420000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-05 14:08:12,546 [root] DEBUG: DLL loaded at 0x740F0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-05 14:08:12,546 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3780.
2020-06-05 14:08:12,546 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 3780 type 1 at address 0x0019A000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:12,546 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 3780 type 1 at address 0x0019003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:12,562 [root] DEBUG: SetThreadBreakpoint: Set bp 2 thread id 3780 type 0 at address 0x0019A000, size 0 with Callback 0x6ae79ed0.
2020-06-05 14:08:12,562 [root] DEBUG: SetThreadBreakpoint: Set bp 3 thread id 3780 type 0 at address 0x00190000, size 0 with Callback 0x6ae79ed0.
2020-06-05 14:08:12,578 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-05 14:08:12,578 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:08:12,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-06-05 14:08:12,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-06-05 14:08:12,593 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00170000 - 0x00171000.
2020-06-05 14:08:12,593 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_772117116241185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00170000;?', ['5652'], 'CAPE')
2020-06-05 14:08:12,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_772117116241185562020 (size 0xeb)
2020-06-05 14:08:12,625 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00170000.
2020-06-05 14:08:12,625 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x170000 - 0x171000.
2020-06-05 14:08:13,078 [root] DEBUG: Allocation: 0x003B4000 - 0x003B5000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:13,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:13,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:13,078 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:13,078 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:13,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:13,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:13,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:13,281 [root] DEBUG: DLL loaded at 0x68CE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni (0xc8000 bytes).
2020-06-05 14:08:13,328 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-05 14:08:13,343 [root] DEBUG: Allocation: 0x0018D000 - 0x0018E000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:13,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:13,343 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:13,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:13,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:13,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:13,343 [root] DEBUG: DumpPEsInRange: Scanning range 0x190000 - 0x191000.
2020-06-05 14:08:13,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x190000-0x191000.
2020-06-05 14:08:13,343 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_217556787138125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00190000;?', ['5652'], 'CAPE')
2020-06-05 14:08:13,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_217556787138125562020 (size 0x8a)
2020-06-05 14:08:13,375 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00190000.
2020-06-05 14:08:13,375 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x190000 - 0x191000.
2020-06-05 14:08:13,375 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x0018D000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:13,375 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x0018D000
2020-06-05 14:08:13,375 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x0018003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:13,390 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0018003C
2020-06-05 14:08:13,390 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x0018D000 (size 0x1000).
2020-06-05 14:08:13,390 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 5656)
2020-06-05 14:08:13,390 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x0018D000.
2020-06-05 14:08:13,390 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x18d000: 0x0.
2020-06-05 14:08:13,390 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:13,406 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe', '', False, 'files')
2020-06-05 14:08:13,421 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 14:08:13,421 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x181000.
2020-06-05 14:08:13,421 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x180000-0x181000.
2020-06-05 14:08:13,421 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00180000 - 0x00181000.
2020-06-05 14:08:13,421 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_11000652454342185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00180000;?', ['5652'], 'CAPE')
2020-06-05 14:08:13,453 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_11000652454342185562020 (size 0xa86)
2020-06-05 14:08:13,453 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00180000.
2020-06-05 14:08:13,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x180000 - 0x181000.
2020-06-05 14:08:13,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0018003C.
2020-06-05 14:08:13,468 [root] INFO: ('dump_file', 'C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe', '', False, 'files')
2020-06-05 14:08:13,484 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 14:08:13,484 [root] DEBUG: Allocation: 0x003B5000 - 0x003B6000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:13,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:13,500 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:13,500 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:13,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00180000.
2020-06-05 14:08:13,500 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003B0000, size: 0x1000.
2020-06-05 14:08:13,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2560.
2020-06-05 14:08:13,531 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2560 type 1 at address 0x0018D000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:13,531 [root] DEBUG: SetThreadBreakpoint: Set bp 2 thread id 2560 type 0 at address 0x0018D000, size 0 with Callback 0x6ae79ed0.
2020-06-05 14:08:13,531 [root] DEBUG: Allocation: 0x05881000 - 0x05882000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:13,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:13,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:13,531 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:13,531 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:13,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:13,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:13,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:13,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:13,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00180000.
2020-06-05 14:08:13,546 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5656 type 1 at address 0x05881000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:13,546 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5656 type 1 at address 0x0588003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:13,546 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0588003C
2020-06-05 14:08:13,546 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x05881000 (size 0x1000).
2020-06-05 14:08:13,546 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7780F2B5 (thread 5656)
2020-06-05 14:08:13,546 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0588003C.
2020-06-05 14:08:13,562 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header zero.
2020-06-05 14:08:13,562 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7780EF00 (thread 5656)
2020-06-05 14:08:13,562 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0588003C.
2020-06-05 14:08:13,562 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header zero.
2020-06-05 14:08:41,531 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4700.
2020-06-05 14:08:41,546 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4700 type 1 at address 0x05881000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:41,546 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4700 type 1 at address 0x0588003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:41,546 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3052.
2020-06-05 14:08:41,546 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 3052 type 1 at address 0x05881000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:41,546 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 3052 type 1 at address 0x0588003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:41,562 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5436.
2020-06-05 14:08:41,562 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 5436 type 1 at address 0x05881000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:41,562 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 5436 type 1 at address 0x0588003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:41,578 [root] DEBUG: Allocation: 0x003B6000 - 0x003B7000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:41,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:41,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:41,578 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:41,593 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00180000.
2020-06-05 14:08:41,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x05880000.
2020-06-05 14:08:41,593 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003B0000, size: 0x1000.
2020-06-05 14:08:41,609 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:41,609 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:41,625 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:41,625 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:41,625 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:41,625 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:41,656 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:41,656 [root] DEBUG: Loader: Injecting process 3480 (thread 4072) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:41,656 [root] DEBUG: Process image base: 0x003A0000
2020-06-05 14:08:41,671 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:08:41,687 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:08:41,687 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:41,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3480
2020-06-05 14:08:41,703 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-05 14:08:41,828 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:41,828 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:41,828 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:41,828 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:41,828 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:41,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:41,843 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:41,859 [root] DEBUG: Loader: Injecting process 3480 (thread 4072) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:41,859 [root] DEBUG: Process image base: 0x003A0000
2020-06-05 14:08:41,859 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:08:41,859 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:08:41,859 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:41,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3480
2020-06-05 14:08:41,937 [root] DEBUG: DLL loaded at 0x6B600000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni (0x45000 bytes).
2020-06-05 14:08:42,234 [root] DEBUG: Allocation: 0x003B7000 - 0x003B8000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:42,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:42,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:42,234 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:42,234 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:42,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:42,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:42,937 [root] DEBUG: Allocation: 0x003B8000 - 0x003B9000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:42,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:42,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:42,937 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:42,937 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:46,671 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:46,671 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:46,671 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:46,671 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:46,671 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:46,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:46,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:46,703 [root] DEBUG: Loader: Injecting process 3480 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:46,703 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFDB000: The operation completed successfully.
2020-06-05 14:08:46,703 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:08:46,703 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:08:46,703 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:46,718 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3480, error: 4294967281
2020-06-05 14:08:47,718 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:47,718 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:47,718 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:47,718 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:47,718 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:47,718 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:47,734 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:47,734 [root] DEBUG: Loader: Injecting process 3480 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:47,734 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFD8000: The operation completed successfully.
2020-06-05 14:08:47,734 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:08:47,750 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:08:47,750 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:47,750 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3480, error: 4294967281
2020-06-05 14:08:48,750 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:48,750 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:48,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:48,750 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:48,750 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:48,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:48,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:48,765 [root] DEBUG: Loader: Injecting process 3480 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:48,765 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFD7000: The operation completed successfully.
2020-06-05 14:08:48,765 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 4072, handle 0xa4
2020-06-05 14:08:48,781 [root] DEBUG: Process image base: 0x003A0000
2020-06-05 14:08:48,781 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:08:48,781 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:08:48,781 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:48,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3480
2020-06-05 14:08:49,781 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:49,781 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:49,796 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:49,796 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:49,796 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:49,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:49,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:49,812 [root] DEBUG: Loader: Injecting process 3480 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:49,812 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFDC000: The operation completed successfully.
2020-06-05 14:08:49,812 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:08:49,828 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-06-05 14:08:49,828 [root] DEBUG: Failed to inject DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:49,828 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3480, error: 4294967281
2020-06-05 14:08:50,828 [root] INFO: Announced 32-bit process name: InstallUtil.exe pid: 3480
2020-06-05 14:08:50,828 [lib.api.process] INFO: Monitor config for process 3480: C:\tmp52sk_on6\dll\3480.ini
2020-06-05 14:08:50,828 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:08:50,828 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:08:50,843 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:08:50,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:08:50,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:08:50,859 [root] DEBUG: Loader: Injecting process 3480 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:50,859 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD7000 Local PEB 0x7FFDF000 Local TEB 0x7FFD6000: The operation completed successfully.
2020-06-05 14:08:50,859 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID -17, handle 0x0
2020-06-05 14:08:50,890 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:08:50,890 [root] DEBUG: Process dumps disabled.
2020-06-05 14:08:50,890 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:08:50,890 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:08:50,906 [root] INFO: Disabling sleep skipping.
2020-06-05 14:08:50,906 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3480 at 0x6ae60000, image base 0x400000, stack from 0x376000-0x380000
2020-06-05 14:08:50,906 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe".
2020-06-05 14:08:50,937 [root] DEBUG: WoW64 not detected.
2020-06-05 14:08:50,937 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:08:50,937 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00400000.
2020-06-05 14:08:50,937 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x52000 added to tracked regions: EntryPoint 0x6bb27cef, Entropy 6.232447e+00
2020-06-05 14:08:50,937 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:08:50,937 [root] INFO: loaded: b'3480'
2020-06-05 14:08:50,937 [root] INFO: Loaded monitor into process with pid 3480
2020-06-05 14:08:50,953 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:08:50,953 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:08:50,953 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:08:56,468 [root] DEBUG: set_caller_info: Adding region at 0x00030000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:08:56,468 [root] DEBUG: DLL loaded at 0x00280000: C:\tmp52sk_on6\dll\OZPskd (0xd5000 bytes).
2020-06-05 14:08:56,484 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 5652).
2020-06-05 14:08:56,484 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:56,484 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:56,484 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,484 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1bf4 in capemon caught accessing 0x1081000 (expected in memory scans), passing to next handler.
2020-06-05 14:08:56,484 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,484 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:56,484 [root] DEBUG: DLL unloaded from 0x00280000.
2020-06-05 14:08:56,484 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:56,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:56,500 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-06-05 14:08:56,500 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:08:56,500 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-06-05 14:08:56,500 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00170000 - 0x00171000.
2020-06-05 14:08:56,500 [root] DEBUG: DLL loaded at 0x00280000: C:\tmp52sk_on6\dll\OZPskd (0xd5000 bytes).
2020-06-05 14:08:56,500 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_6569320803154185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00170000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,500 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,515 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,515 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,515 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,515 [root] DEBUG: DLL unloaded from 0x00280000.
2020-06-05 14:08:56,531 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-06-05 14:08:56,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_6569320803154185562020 (size 0x1cf)
2020-06-05 14:08:56,531 [root] DEBUG: DLL loaded at 0x00280000: C:\tmp52sk_on6\dll\OZPskd (0xd5000 bytes).
2020-06-05 14:08:56,531 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00170000.
2020-06-05 14:08:56,531 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x170000 - 0x171000.
2020-06-05 14:08:56,531 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:56,531 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,531 [root] DEBUG: DumpPEsInRange: Scanning range 0x3b0000 - 0x3b1000.
2020-06-05 14:08:56,546 [root] DEBUG: DLL unloaded from 0x72070000.
2020-06-05 14:08:56,546 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3b0000-0x3b1000.
2020-06-05 14:08:56,546 [root] DEBUG: DLL unloaded from 0x76450000.
2020-06-05 14:08:56,546 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003B0000 - 0x003B1000.
2020-06-05 14:08:56,546 [root] DEBUG: DLL unloaded from 0x00280000.
2020-06-05 14:08:56,546 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_6419915203154185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x003B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,562 [root] DEBUG: set_caller_info: Adding region at 0x00110000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-05 14:08:56,562 [root] DEBUG: set_caller_info: Adding region at 0x01580000 to caller regions list (advapi32::RegOpenKeyExW).
2020-06-05 14:08:56,578 [root] DEBUG: DLL loaded at 0x6BE30000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-05 14:08:56,578 [root] DEBUG: DLL unloaded from 0x76970000.
2020-06-05 14:08:56,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_6419915203154185562020 (size 0xfff)
2020-06-05 14:08:56,593 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003B0000.
2020-06-05 14:08:56,593 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3b0000 - 0x3b1000.
2020-06-05 14:08:56,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-06-05 14:08:56,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x1b0000 - 0x1b1000.
2020-06-05 14:08:56,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1b0000-0x1b1000.
2020-06-05 14:08:56,593 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x001B0000 - 0x001B1000.
2020-06-05 14:08:56,593 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_14634091173254185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x001B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,609 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:08:56,625 [root] DEBUG: DLL loaded at 0x0FFB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-05 14:08:56,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_14634091173254185562020 (size 0x8a)
2020-06-05 14:08:56,625 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001B0000.
2020-06-05 14:08:56,625 [root] DEBUG: DLL loaded at 0x6E9E0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-05 14:08:56,625 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1b0000 - 0x1b1000.
2020-06-05 14:08:56,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:56,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x190000 - 0x191000.
2020-06-05 14:08:56,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x190000-0x191000.
2020-06-05 14:08:56,640 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00190000 - 0x00191000.
2020-06-05 14:08:56,640 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_6483269063254185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00190000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,656 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3892.
2020-06-05 14:08:56,656 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:08:56,656 [root] DEBUG: Allocation: 0x002B3000 - 0x002B4000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:56,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:56,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:56,671 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:56,671 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x002B3000, size: 0x1000.
2020-06-05 14:08:56,671 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002B3000.
2020-06-05 14:08:56,671 [root] DEBUG: AddTrackedRegion: New region at 0x002B0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:56,671 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_6483269063254185562020 (size 0x8a)
2020-06-05 14:08:56,687 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00190000.
2020-06-05 14:08:56,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x190000 - 0x191000.
2020-06-05 14:08:56,687 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x002B0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:56,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00180000.
2020-06-05 14:08:56,687 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:56,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x181000.
2020-06-05 14:08:56,687 [root] DEBUG: SetNextAvailableBreakpoint: Creating new thread breakpoints for thread 4072.
2020-06-05 14:08:56,687 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x180000-0x181000.
2020-06-05 14:08:56,703 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4072 type 1 at address 0x002B3000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:56,703 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00180000 - 0x00181000.
2020-06-05 14:08:56,703 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x002B3000
2020-06-05 14:08:56,703 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_5929157923254185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00180000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,703 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4072 type 1 at address 0x002B003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:56,703 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x002B003C
2020-06-05 14:08:56,718 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x002B3000 (size 0x1000).
2020-06-05 14:08:56,718 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 4072)
2020-06-05 14:08:56,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_5929157923254185562020 (size 0xa86)
2020-06-05 14:08:56,718 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x002B3000.
2020-06-05 14:08:56,718 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00180000.
2020-06-05 14:08:56,718 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b3000: 0x0.
2020-06-05 14:08:56,718 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x180000 - 0x181000.
2020-06-05 14:08:56,718 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:56,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x05880000.
2020-06-05 14:08:56,734 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1636.
2020-06-05 14:08:56,734 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 3052, handle 0x2c0).
2020-06-05 14:08:56,734 [root] DEBUG: DLL unloaded from 0x75C80000.
2020-06-05 14:08:56,734 [root] DEBUG: DLL unloaded from 0x0FFB0000.
2020-06-05 14:08:56,734 [root] DEBUG: DLL unloaded from 0x6BE30000.
2020-06-05 14:08:56,750 [root] DEBUG: DLL loaded at 0x66080000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-05 14:08:56,750 [root] WARNING: Unable to open termination event for pid 5652.
2020-06-05 14:08:56,781 [root] DEBUG: DLL loaded at 0x756F0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-05 14:08:56,781 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 5652).
2020-06-05 14:08:56,796 [root] DEBUG: Allocation: 0x00320000 - 0x00321000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:56,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:56,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:56,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01080000.
2020-06-05 14:08:56,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:56,812 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1bf4 in capemon caught accessing 0x1081000 (expected in memory scans), passing to next handler.
2020-06-05 14:08:56,812 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:56,812 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x01081000
2020-06-05 14:08:56,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:56,812 [root] DEBUG: ProcessImageBase: EP 0x6AEA7CEF image base 0x01080000 size 0x0 entropy 0.000000e+00.
2020-06-05 14:08:56,812 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:08:56,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00170000.
2020-06-05 14:08:56,828 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00320000.
2020-06-05 14:08:56,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x170000 - 0x171000.
2020-06-05 14:08:56,828 [root] DEBUG: AddTrackedRegion: New region at 0x00320000 size 0x1000 added to tracked regions.
2020-06-05 14:08:56,828 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x170000-0x171000.
2020-06-05 14:08:56,828 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00320000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:56,828 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00170000 - 0x00171000.
2020-06-05 14:08:56,843 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x002B0000 to 0x00320000.
2020-06-05 14:08:56,843 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:56,843 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_14984963851256185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00170000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,843 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b0000 - 0x2b1000.
2020-06-05 14:08:56,843 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b0000-0x2b1000.
2020-06-05 14:08:56,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_14984963851256185562020 (size 0x1cf)
2020-06-05 14:08:56,859 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002B0000 - 0x002B1000.
2020-06-05 14:08:56,859 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00170000.
2020-06-05 14:08:56,859 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x170000 - 0x171000.
2020-06-05 14:08:56,859 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_1106319248568125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x002B0000;?', ['3480'], 'CAPE')
2020-06-05 14:08:56,859 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003B0000.
2020-06-05 14:08:56,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x3b0000 - 0x3b1000.
2020-06-05 14:08:56,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3b0000-0x3b1000.
2020-06-05 14:08:56,875 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003B0000 - 0x003B1000.
2020-06-05 14:08:56,890 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_6227476881256185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x003B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_1106319248568125562020 (size 0x14)
2020-06-05 14:08:56,906 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x002B0000.
2020-06-05 14:08:56,906 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b0000 - 0x2b1000.
2020-06-05 14:08:56,921 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x002B003C.
2020-06-05 14:08:56,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_6227476881256185562020 (size 0xfff)
2020-06-05 14:08:56,921 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:56,953 [root] DEBUG: SetThreadBreakpoint: Set bp 3 thread id 4072 type 1 at address 0x0032003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:56,953 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_5066632651256185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x001B0000;?', ['5652'], 'CAPE')
2020-06-05 14:08:56,953 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0032003C
2020-06-05 14:08:56,953 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00320000 (size 0x1000).
2020-06-05 14:08:56,953 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 4072)
2020-06-05 14:08:56,968 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 1 at Address 0x00320000.
2020-06-05 14:08:56,968 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_5066632651256185562020 (size 0x8a)
2020-06-05 14:08:56,968 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001B0000.
2020-06-05 14:08:56,968 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:08:56,968 [root] DEBUG: Breakpoints for thread 4072: 0x002B3000, 0x00320000, 0x002B3000, 0x0032003C.
2020-06-05 14:08:56,968 [root] DEBUG: BaseAddressWriteCallback: Failed to set exec bp on tracked region protect address.
2020-06-05 14:08:56,984 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFDFA5E (thread 4072)
2020-06-05 14:08:56,984 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1b0000 - 0x1b1000.
2020-06-05 14:08:56,984 [root] DEBUG: PEPointerWriteCallback: Breakpoint 3 at Address 0x0032003C.
2020-06-05 14:08:56,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00190000.
2020-06-05 14:08:56,984 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:08:56,984 [root] DEBUG: DumpPEsInRange: Scanning range 0x190000 - 0x191000.
2020-06-05 14:08:56,984 [root] DEBUG: Breakpoints for thread 4072: 0x00320020, 0x00320000, 0x002B3000, 0x0032003C.
2020-06-05 14:08:56,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x190000-0x191000.
2020-06-05 14:08:56,984 [root] DEBUG: PEPointerWriteCallback: Failed to set bp on AddressOfEntryPoint at 0x00320030.
2020-06-05 14:08:56,984 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFDFA48 (thread 4072)
2020-06-05 14:08:56,984 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00190000 - 0x00191000.
2020-06-05 14:08:57,000 [root] DEBUG: PEPointerWriteCallback: Breakpoint 3 at Address 0x0032003C.
2020-06-05 14:08:57,000 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\5652_1330730701256185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\cc-Refund _202945.exe;?0x00190000;?', ['5652'], 'CAPE')
2020-06-05 14:08:57,000 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xb008 (at 0x0032003C).
2020-06-05 14:08:57,000 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:08:57,000 [root] DEBUG: Breakpoints for thread 4072: 0x00320020, 0x00320000, 0x002B3000, 0x0032003C.
2020-06-05 14:08:57,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\5652_1330730701256185562020 (size 0x8a)
2020-06-05 14:08:57,015 [root] DEBUG: PEPointerWriteCallback: Failed to set exec bp on AllocationBase at 0x00320000.
2020-06-05 14:08:57,015 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00190000.
2020-06-05 14:08:57,015 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFDFA57 (thread 4072)
2020-06-05 14:08:57,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x190000 - 0x191000.
2020-06-05 14:08:57,031 [root] DEBUG: PEPointerWriteCallback: Breakpoint 3 at Address 0x0032003C.
2020-06-05 14:08:57,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00180000.
2020-06-05 14:08:57,031 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5b008 (at 0x0032003C).
2020-06-05 14:08:57,031 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x181000.
2020-06-05 14:08:57,031 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:08:57,031 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x180000-0x181000.
2020-06-05 14:08:57,062 [root] DEBUG: Breakpoints for thread 4072: 0x00320020, 0x00320000, 0x002B3000, 0x0032003C.
2020-06-05 14:08:57,062 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00180000 - 0x00181000.
2020-06-05 14:08:57,062 [root] DEBUG: PEPointerWriteCallback: Failed to set exec bp on AllocationBase at 0x00320000.
2020-06-05 14:08:57,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFDFA5B (thread 4072)
2020-06-05 14:08:57,125 [root] DEBUG: Allocation: 0x032C0000 - 0x032C1000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:57,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:57,156 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:57,156 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:57,156 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:57,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:57,249 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:08:57,249 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x032C0000.
2020-06-05 14:08:57,249 [root] DEBUG: AddTrackedRegion: New region at 0x032C0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:57,281 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x032C0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:57,281 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00320000 to 0x032C0000.
2020-06-05 14:08:57,281 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:57,281 [root] DEBUG: DumpPEsInRange: Scanning range 0x320000 - 0x321000.
2020-06-05 14:08:57,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x320000-0x321000.
2020-06-05 14:08:57,312 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00320000 - 0x00321000.
2020-06-05 14:08:57,312 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_468411088578125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x00320000;?', ['3480'], 'CAPE')
2020-06-05 14:08:57,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_468411088578125562020 (size 0x5d)
2020-06-05 14:08:57,359 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00320000.
2020-06-05 14:08:57,359 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x320000 - 0x321000.
2020-06-05 14:08:57,359 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00320020.
2020-06-05 14:08:57,359 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,375 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,375 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00320000.
2020-06-05 14:08:57,375 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,390 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,406 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x0032003C.
2020-06-05 14:08:57,406 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,421 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,437 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:57,437 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4072 type 1 at address 0x032C0000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:57,453 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x032C0000
2020-06-05 14:08:57,468 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4072 type 1 at address 0x032C003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:57,468 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x032C003C
2020-06-05 14:08:57,468 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x032C0000 (size 0x1000).
2020-06-05 14:08:57,468 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 4072)
2020-06-05 14:08:57,468 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x032C0000.
2020-06-05 14:08:57,484 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x32c0000: 0x0.
2020-06-05 14:08:57,484 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:57,484 [root] DEBUG: Allocation: 0x032C1000 - 0x032D2000, size: 0x11000, protection: 0x40.
2020-06-05 14:08:57,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:57,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:57,515 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:57,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:57,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:57,531 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:57,531 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:08:57,531 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x10053AD0 (thread 4072)
2020-06-05 14:08:57,531 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x032C003C.
2020-06-05 14:08:57,546 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2c71c4 (at 0x032C003C).
2020-06-05 14:08:57,546 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (3) at 0x032C0000 already exists for thread 4072 (process 3480), skipping.
2020-06-05 14:08:57,562 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x032C0000.
2020-06-05 14:08:57,562 [root] DEBUG: set_caller_info: Adding region at 0x032C0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:08:57,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x32c0000 - 0x32c1000.
2020-06-05 14:08:57,609 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x32c0000-0x32c1000.
2020-06-05 14:08:57,609 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x032C0000 - 0x032C1000.
2020-06-05 14:08:57,609 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_4678248931734185562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x032C0000;?', ['3480'], 'CAPE')
2020-06-05 14:08:57,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_4678248931734185562020 (size 0xfff)
2020-06-05 14:08:57,687 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x032C0000.
2020-06-05 14:08:57,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x32c0000 - 0x32c1000.
2020-06-05 14:08:57,687 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x032C0000.
2020-06-05 14:08:57,703 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,703 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x032C003C.
2020-06-05 14:08:57,703 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,718 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,734 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x032C0000.
2020-06-05 14:08:57,750 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:57,750 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:57,765 [root] DEBUG: Allocation: 0x002E5000 - 0x002E6000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:57,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:57,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:57,781 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:57,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:57,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:57,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:57,781 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x002E5000, size: 0x1000.
2020-06-05 14:08:57,796 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002E5000.
2020-06-05 14:08:57,796 [root] DEBUG: AddTrackedRegion: New region at 0x002E0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:57,843 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x002E0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:57,843 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x032C0000 to 0x002E0000.
2020-06-05 14:08:57,843 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:57,843 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 4072 type 1 at address 0x002E5000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:57,875 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x002E5000
2020-06-05 14:08:57,890 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4072 type 1 at address 0x002E003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:08:57,890 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x002E003C
2020-06-05 14:08:57,890 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x002E5000 (size 0x1000).
2020-06-05 14:08:57,906 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 4072)
2020-06-05 14:08:57,906 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x002E5000.
2020-06-05 14:08:57,906 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e5000: 0x0.
2020-06-05 14:08:57,906 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:08:57,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x1005E297 (thread 4072)
2020-06-05 14:08:57,921 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x002E003C.
2020-06-05 14:08:57,937 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:57,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:57,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:57,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:57,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:57,953 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x002E0000, size: 0x1000.
2020-06-05 14:08:57,953 [root] DEBUG: Allocation: 0x002E7000 - 0x002E8000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:57,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:57,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:57,984 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:57,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:58,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:58,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:58,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:58,031 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x002E0000, size: 0x1000.
2020-06-05 14:08:58,109 [root] DEBUG: DLL loaded at 0x65670000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-05 14:08:58,140 [root] DEBUG: DLL loaded at 0x68C10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-05 14:08:58,156 [root] DEBUG: DLL loaded at 0x67850000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-05 14:08:58,187 [root] DEBUG: Allocation: 0x002D6000 - 0x002D7000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:58,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:58,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:58,218 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:58,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:58,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:58,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:58,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:58,249 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x002D6000, size: 0x1000.
2020-06-05 14:08:58,249 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002D6000.
2020-06-05 14:08:58,265 [root] DEBUG: AddTrackedRegion: New region at 0x002D0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:58,265 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x002D0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:58,265 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x002E0000 to 0x002D0000.
2020-06-05 14:08:58,265 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:58,328 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e0000 - 0x2e1000.
2020-06-05 14:08:58,343 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e0000-0x2e1000.
2020-06-05 14:08:58,390 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002E0000 - 0x002E1000.
2020-06-05 14:08:58,406 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_1019887340588125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x002E0000;?', ['3480'], 'CAPE')
2020-06-05 14:08:58,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_1019887340588125562020 (size 0x8a)
2020-06-05 14:08:58,437 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x002E0000.
2020-06-05 14:08:58,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e0000 - 0x2e1000.
2020-06-05 14:08:58,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x002E003C.
2020-06-05 14:08:58,453 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-06-05 14:08:58,453 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-06-05 14:08:58,453 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:58,468 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 4072 type 1 at address 0x002D6000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:08:58,468 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x002D6000
2020-06-05 14:08:58,484 [root] DEBUG: SetNextAvailableBreakpoint: GetNextAvailableBreakpoint failed (breakpoints possibly full).
2020-06-05 14:08:58,500 [root] DEBUG: ActivateBreakpoints: SetNextAvailableBreakpoint failed to set write bp on e_lfanew address 0x002D6000.
2020-06-05 14:08:58,500 [root] DEBUG: AllocationHandler: Error - unable to activate breakpoints around address 0x002D6000.
2020-06-05 14:08:58,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0FFE96AA (thread 4072)
2020-06-05 14:08:58,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 1 at Address 0x002D6000.
2020-06-05 14:08:58,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:08:58,500 [root] DEBUG: Breakpoints for thread 4072: 0x002E5000, 0x002D6000, 0x002B3000, 0x002E5000.
2020-06-05 14:08:58,515 [root] DEBUG: BaseAddressWriteCallback: Failed to set exec bp on tracked region protect address.
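The lines above show the unpacker's region-tracking loop in full: every PAGE_EXECUTE_READWRITE (0x40) allocation becomes a tracked region, the monitor puts a hardware write breakpoint on its first two bytes ("empty protect address") and a second one on offset 0x3C, the e_lfanew field of a DOS header, a hit on either promotes the region to an execution breakpoint, and when tracking switches to the next region the old one is swept with ScanForDisguisedPE and dumped. The script below is an added example, not CAPE's own code, showing how such a disguised-PE check can be written for a captured memory range: follow e_lfanew from each page-aligned base without insisting on the 'MZ' magic (which packers routinely wipe), and fall back to validating every bare 'PE\0\0' signature when the whole DOS header is gone. The sample image, the section-count limit and the minimum optional-header size are constructed assumptions, not loader rules.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
E_LFANEW_OFFSET = 0x3C             # IMAGE_DOS_HEADER.e_lfanew, where the log's second write breakpoint sits
KNOWN_MACHINES = {0x014C, 0x8664}  # IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64
OPTIONAL_MAGICS = {0x10B, 0x20B}   # PE32, PE32+
NT_HEADER_FMT = "<IHHIIIHHH"       # Signature, IMAGE_FILE_HEADER fields, OptionalHeader.Magic
NT_HEADER_LEN = struct.calcsize(NT_HEADER_FMT)  # 26 bytes


def nt_header_at(buf, off):
    """Return a dict describing IMAGE_NT_HEADERS if a plausible one starts at off, else None.
    The section-count ceiling and the 0x60 optional-header minimum are heuristics (assumed)."""
    if off < 0 or off + NT_HEADER_LEN > len(buf):
        return None
    (sig, machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars, opt_magic) = struct.unpack_from(NT_HEADER_FMT, buf, off)
    if sig != IMAGE_NT_SIGNATURE or machine not in KNOWN_MACHINES:
        return None
    if not 0 < nsections <= 96 or opt_size < 0x60 or opt_magic not in OPTIONAL_MAGICS:
        return None
    return {"machine": machine, "sections": nsections, "pe32plus": opt_magic == 0x20B}


def scan_for_disguised_pe(buf, page=0x1000):
    """Locate a PE image in a memory range even when its DOS header was tampered with.
    Pass 1 follows e_lfanew from each page-aligned base and only reports whether 'MZ' survived.
    Pass 2 covers a fully wiped DOS header by validating every bare PE signature in the buffer."""
    for base in range(0, len(buf), page):
        if base + E_LFANEW_OFFSET + 4 > len(buf):
            break
        e_lfanew = struct.unpack_from("<I", buf, base + E_LFANEW_OFFSET)[0]
        hdr = nt_header_at(buf, base + e_lfanew)   # bounds-checked inside, so a garbage e_lfanew is safe
        if hdr:
            mz = struct.unpack_from("<H", buf, base)[0] == IMAGE_DOS_SIGNATURE
            return {"base": base, "nt_offset": base + e_lfanew, "dos_magic_intact": mz, **hdr}
    pos = buf.find(b"PE\0\0")
    while pos != -1:
        hdr = nt_header_at(buf, pos)
        if hdr:
            return {"base": None, "nt_offset": pos, "dos_magic_intact": False, **hdr}
        pos = buf.find(b"PE\0\0", pos + 1)
    return None


def build_sample_image(size=0x1000, e_lfanew=0x80):
    """Constructed minimal PE32 header layout for the demo (not a real binary)."""
    img = bytearray(size)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, E_LFANEW_OFFSET, e_lfanew)
    # Signature, Machine=i386, 2 sections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE, Magic=PE32
    struct.pack_into(NT_HEADER_FMT, img, e_lfanew,
                     IMAGE_NT_SIGNATURE, 0x014C, 2, 0, 0, 0, 0xE0, 0x0102, 0x10B)
    return bytes(img)


def wipe_mz(img):
    """Mimic a loader that zeroes only the 'MZ' magic to defeat naive signature scans."""
    b = bytearray(img)
    b[0:2] = b"\0\0"
    return bytes(b)


def wipe_dos_header(img):
    """Mimic a loader that zeroes the whole DOS header, e_lfanew included."""
    b = bytearray(img)
    b[0:0x40] = bytes(0x40)
    return bytes(b)


if __name__ == "__main__":
    img = build_sample_image()
    for label, blob in (("intact", img), ("mz wiped", wipe_mz(img)),
                        ("dos header wiped", wipe_dos_header(img)), ("no PE", bytes(range(256)) * 16)):
        print(f"{label:18s} -> {scan_for_disguised_pe(blob)}")
```

The "base: None" result of the second pass matters in practice: without a trustworthy base the dump has to be rebased from the section table, which is why a dump taken after the e_lfanew write breakpoint fires is more useful than one taken from a signature hit alone.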
2020-06-05 14:08:58,515 [root] DEBUG: DLL loaded at 0x71160000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-05 14:08:58,515 [root] DEBUG: DLL loaded at 0x76B60000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-06-05 14:08:58,531 [root] DEBUG: DLL loaded at 0x757A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 14:08:58,546 [root] DEBUG: Allocation: 0x002BD000 - 0x002BE000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:58,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:58,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:58,546 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:58,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:58,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:58,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:58,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:58,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:08:58,625 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x002B0000, size: 0x1000.
2020-06-05 14:08:58,640 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-05 14:08:58,656 [root] DEBUG: Allocation: 0x002DA000 - 0x002DB000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:58,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:58,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:58,671 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:58,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:58,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:58,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:58,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:58,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:08:58,703 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x002D0000, size: 0x1000.
2020-06-05 14:08:58,703 [root] DEBUG: Allocation: 0x002D7000 - 0x002D8000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:58,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:58,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:58,718 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:58,734 [root] DEBUG: Allocation: 0x002CD000 - 0x002CE000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:58,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:58,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:58,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:08:58,781 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x002CD000, size: 0x1000.
2020-06-05 14:08:58,812 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002CD000.
2020-06-05 14:08:58,812 [root] DEBUG: AddTrackedRegion: New region at 0x002C0000 size 0x1000 added to tracked regions.
2020-06-05 14:08:58,828 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x002C0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:08:58,828 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x002D0000 to 0x002C0000.
2020-06-05 14:08:58,828 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:58,843 [root] DEBUG: DumpPEsInRange: Scanning range 0x2d0000 - 0x2d1000.
2020-06-05 14:08:58,843 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2d0000-0x2d1000.
2020-06-05 14:08:58,859 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002D0000 - 0x002D1000.
2020-06-05 14:08:58,859 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_2099940908588125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x002D0000;?', ['3480'], 'CAPE')
2020-06-05 14:08:58,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_2099940908588125562020 (size 0x8a)
2020-06-05 14:08:58,937 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x002D0000.
2020-06-05 14:08:58,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2d0000 - 0x2d1000.
2020-06-05 14:08:58,937 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:08:58,937 [root] DEBUG: SetNextAvailableBreakpoint: GetNextAvailableBreakpoint failed (breakpoints possibly full).
2020-06-05 14:08:58,953 [root] DEBUG: ActivateBreakpoints: SetNextAvailableBreakpoint failed to set write bp on tracked region protect address 0x002CD000.
2020-06-05 14:08:58,984 [root] DEBUG: AllocationHandler: Error - unable to activate breakpoints around address 0x002CD000.
2020-06-05 14:08:59,078 [root] DEBUG: DLL loaded at 0x64E90000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-05 14:08:59,109 [root] DEBUG: DLL loaded at 0x64CB0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-06-05 14:08:59,156 [root] DEBUG: Allocation: 0x032D2000 - 0x032D3000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:59,156 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:59,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:08:59,171 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:59,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:59,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:59,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:59,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:59,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:08:59,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:08:59,203 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:08:59,218 [root] DEBUG: DLL loaded at 0x751C0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:08:59,234 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:08:59,249 [root] DEBUG: Allocation: 0x032D3000 - 0x032D4000, size: 0x1000, protection: 0x40.
2020-06-05 14:08:59,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:08:59,281 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:08:59,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:08:59,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:08:59,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:08:59,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:08:59,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:08:59,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:08:59,328 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:08:59,359 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 14:08:59,375 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5612.
2020-06-05 14:08:59,375 [root] DEBUG: DLL loaded at 0x76130000: C:\Windows\system32\CLBCatQ (0x83000 bytes).
2020-06-05 14:08:59,437 [root] DEBUG: DLL loaded at 0x6B610000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-05 14:08:59,484 [root] DEBUG: DLL loaded at 0x6A530000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-05 14:08:59,500 [root] DEBUG: DLL loaded at 0x75D50000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-06-05 14:08:59,515 [root] DEBUG: DLL loaded at 0x779C0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-06-05 14:08:59,531 [root] INFO: Stopping WMI Service
2020-06-05 14:09:07,125 [root] INFO: Stopped WMI Service
2020-06-05 14:09:07,406 [lib.api.process] INFO: Monitor config for process 584: C:\tmp52sk_on6\dll\584.ini
2020-06-05 14:09:07,406 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:09:07,406 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:09:07,406 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:09:07,406 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:09:07,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:09:07,437 [root] DEBUG: Loader: Injecting process 584 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:07,437 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD8000 Local PEB 0x7FFDF000 Local TEB 0x7FFD4000: The operation completed successfully.
2020-06-05 14:09:07,437 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:09:07,437 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-05 14:09:07,453 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:09:07,453 [root] DEBUG: Process dumps disabled.
2020-06-05 14:09:07,453 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:09:07,453 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:09:07,453 [root] INFO: Disabling sleep skipping.
2020-06-05 14:09:07,468 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 584 at 0x6ae60000, image base 0x280000, stack from 0x2f6000-0x300000
2020-06-05 14:09:07,468 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k DcomLaunch.
2020-06-05 14:09:07,500 [root] DEBUG: WoW64 not detected.
2020-06-05 14:09:07,500 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:09:07,500 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00280000.
2020-06-05 14:09:07,500 [root] DEBUG: AddTrackedRegion: New region at 0x00280000 size 0x1000 added to tracked regions: EntryPoint 0x2104, Entropy 4.249864e+00
2020-06-05 14:09:07,500 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:09:07,515 [root] INFO: loaded: b'584'
2020-06-05 14:09:07,515 [root] INFO: Loaded monitor into process with pid 584
2020-06-05 14:09:07,515 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:09:07,515 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:09:07,531 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:09,531 [root] INFO: Starting WMI Service
2020-06-05 14:09:11,609 [root] INFO: Started WMI Service
2020-06-05 14:09:11,625 [lib.api.process] INFO: Monitor config for process 5524: C:\tmp52sk_on6\dll\5524.ini
2020-06-05 14:09:11,671 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:09:11,671 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:09:11,671 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:09:11,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:09:11,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:09:11,703 [root] DEBUG: Loader: Injecting process 5524 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:11,703 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFDD000 Local PEB 0x7FFDF000 Local TEB 0x7FFDA000: The operation completed successfully.
2020-06-05 14:09:11,703 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:09:11,703 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-05 14:09:11,718 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:09:11,718 [root] DEBUG: Process dumps disabled.
2020-06-05 14:09:11,734 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:09:11,750 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:09:11,750 [root] INFO: Disabling sleep skipping.
2020-06-05 14:09:11,750 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5524 at 0x6ae60000, image base 0x280000, stack from 0x666000-0x670000
2020-06-05 14:09:11,765 [root] DEBUG: Commandline: C:\Windows\System32\svchost.exe -k netsvcs.
2020-06-05 14:09:11,781 [root] DEBUG: WoW64 not detected.
2020-06-05 14:09:11,781 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:09:11,796 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00280000.
2020-06-05 14:09:11,796 [root] DEBUG: AddTrackedRegion: New region at 0x00280000 size 0x1000 added to tracked regions: EntryPoint 0x2104, Entropy 4.232054e+00
2020-06-05 14:09:11,812 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:09:11,812 [root] INFO: loaded: b'5524'
2020-06-05 14:09:11,812 [root] INFO: Loaded monitor into process with pid 5524
2020-06-05 14:09:11,812 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:09:11,812 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:09:11,812 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:13,859 [root] DEBUG: DLL loaded at 0x6F1E0000: C:\Windows\system32\VSSAPI (0x116000 bytes).
2020-06-05 14:09:13,859 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\system32\ATL (0x14000 bytes).
2020-06-05 14:09:13,859 [root] DEBUG: DLL loaded at 0x6F160000: C:\Windows\system32\VssTrace (0x10000 bytes).
2020-06-05 14:09:13,875 [root] DEBUG: DLL loaded at 0x736D0000: C:\Windows\system32\samcli (0xf000 bytes).
2020-06-05 14:09:13,875 [root] DEBUG: DLL loaded at 0x742D0000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-06-05 14:09:13,890 [root] DEBUG: DLL loaded at 0x73F20000: C:\Windows\system32\netutils (0x9000 bytes).
2020-06-05 14:09:13,906 [root] DEBUG: DLL loaded at 0x73CE0000: C:\Windows\system32\es (0x47000 bytes).
2020-06-05 14:09:13,921 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-05 14:09:13,968 [root] DEBUG: DLL loaded at 0x6E6A0000: C:\Windows\system32\wbem\wbemcore (0xf1000 bytes).
2020-06-05 14:09:13,984 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:09:13,984 [root] DEBUG: DLL loaded at 0x6E640000: C:\Windows\system32\wbem\esscli (0x4a000 bytes).
2020-06-05 14:09:14,000 [root] DEBUG: DLL loaded at 0x6EC50000: C:\Windows\system32\wbem\FastProx (0xa6000 bytes).
2020-06-05 14:09:14,000 [root] DEBUG: DLL loaded at 0x6EBF0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-05 14:09:14,015 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-05 14:09:14,031 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-05 14:09:14,031 [root] DEBUG: DLL loaded at 0x6E600000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-06-05 14:09:14,046 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\system32\authZ (0x1b000 bytes).
2020-06-05 14:09:14,046 [root] DEBUG: CreateThread: Initialising breakpoints for thread 6072.
2020-06-05 14:09:14,078 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:09:14,093 [root] DEBUG: DLL loaded at 0x6E180000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-05 14:09:14,093 [root] DEBUG: DLL loaded at 0x6E0B0000: C:\Windows\system32\wbem\repdrvfs (0x47000 bytes).
2020-06-05 14:09:14,109 [root] DEBUG: DLL loaded at 0x753C0000: C:\Windows\system32\Wevtapi (0x42000 bytes).
2020-06-05 14:09:14,140 [root] DEBUG: DLL unloaded from 0x753C0000.
2020-06-05 14:09:14,593 [root] DEBUG: DLL loaded at 0x6D7F0000: C:\Windows\system32\wbem\wmiprvsd (0x91000 bytes).
2020-06-05 14:09:14,609 [root] DEBUG: DLL loaded at 0x6BC50000: C:\Windows\system32\wbem\wbemess (0x5b000 bytes).
2020-06-05 14:09:14,625 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5760.
2020-06-05 14:09:14,640 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:09:14,687 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3952.
2020-06-05 14:09:14,734 [root] DEBUG: CreateThread: Initialising breakpoints for thread 6076.
2020-06-05 14:09:14,750 [root] DEBUG: CreateThread: Initialising breakpoints for thread 6096.
2020-06-05 14:09:14,750 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5992.
2020-06-05 14:09:14,765 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4188.
2020-06-05 14:09:14,781 [root] DEBUG: DLL loaded at 0x6EC50000: C:\Windows\system32\wbem\fastprox (0xa6000 bytes).
2020-06-05 14:09:14,781 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2032.
2020-06-05 14:09:14,781 [root] DEBUG: DLL loaded at 0x6EBF0000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-06-05 14:09:14,796 [root] DEBUG: CreateThread: Initialising breakpoints for thread 6128.
2020-06-05 14:09:14,812 [root] DEBUG: DLL loaded at 0x75700000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-06-05 14:09:14,937 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3452.
2020-06-05 14:09:15,109 [root] DEBUG: DLL loaded at 0x73560000: C:\Windows\system32\wbem\ncprov (0x12000 bytes).
2020-06-05 14:09:15,187 [root] DEBUG: DLL loaded at 0x6ED40000: C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni (0x32000 bytes).
2020-06-05 14:09:15,203 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2724.
2020-06-05 14:09:15,203 [root] DEBUG: DLL loaded at 0x73420000: C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x18000 bytes).
2020-06-05 14:09:15,218 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1032.
2020-06-05 14:09:15,218 [root] DEBUG: DLL unloaded from 0x0FFB0000.
2020-06-05 14:09:15,249 [root] DEBUG: CreateThread: Initialising breakpoints for thread 5964.
2020-06-05 14:09:15,249 [root] DEBUG: Allocation: 0x003C0000 - 0x003C1000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:15,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:15,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:15,281 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:15,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:15,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:15,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:15,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:15,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:15,343 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003C0000, size: 0x1000.
2020-06-05 14:09:15,359 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x003C0000.
2020-06-05 14:09:15,359 [root] DEBUG: AddTrackedRegion: New region at 0x003C0000 size 0x1000 added to tracked regions.
2020-06-05 14:09:15,375 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003C0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:09:15,375 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x002C0000 to 0x003C0000.
2020-06-05 14:09:15,375 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:15,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x2c1000.
2020-06-05 14:09:15,390 [root] DEBUG: DLL unloaded from 0x6E6A0000.
2020-06-05 14:09:15,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2c0000-0x2c1000.
2020-06-05 14:09:15,406 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x002C0000 - 0x002C1000.
2020-06-05 14:09:15,421 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_1854968546159125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x002C0000;?', ['3480'], 'CAPE')
2020-06-05 14:09:15,453 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_1854968546159125562020 (size 0xffd)
2020-06-05 14:09:15,468 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x002C0000.
2020-06-05 14:09:15,468 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2c0000 - 0x2c1000.
2020-06-05 14:09:15,468 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:15,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:15,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:15,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:15,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:15,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:15,515 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x002C0000, size: 0x1000.
2020-06-05 14:09:15,562 [root] DEBUG: DLL loaded at 0x6A400000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-06-05 14:09:15,609 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3368.
2020-06-05 14:09:15,687 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:09:15,703 [root] DEBUG: Allocation: 0x7FF50000 - 0x7FFA0000, size: 0x50000, protection: 0x40.
2020-06-05 14:09:15,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:15,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:15,750 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:15,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:15,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:15,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:15,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:15,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:15,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:15,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:15,812 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x7FF50000, size: 0x50000.
2020-06-05 14:09:15,828 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x7FF50000.
2020-06-05 14:09:15,828 [root] DEBUG: AddTrackedRegion: New region at 0x7FF50000 size 0x50000 added to tracked regions.
2020-06-05 14:09:15,828 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x7FF50000.
2020-06-05 14:09:15,843 [root] DEBUG: Allocation: 0x7FF50000 - 0x7FF51000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:15,843 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:15,843 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:15,859 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:15,859 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:15,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:15,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:15,875 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:15,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x3c0000 - 0x3c1000.
2020-06-05 14:09:15,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3c1000.
2020-06-05 14:09:15,890 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003C0000 - 0x003C1000.
2020-06-05 14:09:15,890 [root] INFO: ('dump_file', 'C:\\OkWemdw\\CAPE\\3480_2022143842159125562020', b'9;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe;?0x003C0000;?', ['3480'], 'CAPE')
2020-06-05 14:09:15,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\OkWemdw\CAPE\3480_2022143842159125562020 (size 0xffb)
2020-06-05 14:09:15,937 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003C0000.
2020-06-05 14:09:15,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3c1000.
2020-06-05 14:09:15,937 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:15,937 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 3368 type 1 at address 0x7FF50000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:09:15,937 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x7FF50000
2020-06-05 14:09:15,937 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 3368 type 1 at address 0x7FF5003C, size 4 with Callback 0x6ae79cc0.
2020-06-05 14:09:15,953 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x7FF5003C
2020-06-05 14:09:15,953 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x7FF50000 (size 0x1000).
2020-06-05 14:09:15,968 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x6EA4B9FE (thread 3368)
2020-06-05 14:09:15,968 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x7FF50000.
2020-06-05 14:09:15,984 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x7ff50000: 0xec.
2020-06-05 14:09:15,984 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-06-05 14:09:15,984 [root] DEBUG: Allocation: 0x7FF50000 - 0x7FF51000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:16,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:16,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:16,015 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:16,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:16,062 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x7FF40000.
2020-06-05 14:09:16,062 [root] DEBUG: Allocation: 0x7FF40000 - 0x7FF41000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:16,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:16,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:16,078 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:16,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:16,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:16,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:16,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:16,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:16,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:16,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:16,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:16,156 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:16,156 [root] DEBUG: AllocationHandler: Previously reserved region 0x7FF40000 - 0x7FF50000, committing at: 0x7FF40000.
2020-06-05 14:09:16,171 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x7FF40000, TrackedRegion->RegionSize: 0x10000, thread 3368
2020-06-05 14:09:16,171 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x7FF50000 to 0x7FF40000.
2020-06-05 14:09:16,187 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:16,187 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:16,187 [root] DEBUG: SetThreadBreakpoint: Set bp 3 thread id 3368 type 1 at address 0x7FF40000, size 2 with Callback 0x6ae7a080.
2020-06-05 14:09:16,187 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x7FF40000
2020-06-05 14:09:16,187 [root] DEBUG: SetNextAvailableBreakpoint: GetNextAvailableBreakpoint failed (breakpoints possibly full).
2020-06-05 14:09:16,187 [root] DEBUG: ActivateBreakpoints: SetNextAvailableBreakpoint failed to set write bp on e_lfanew address 0x7FF40000.
2020-06-05 14:09:16,203 [root] DEBUG: AllocationHandler: Error - unable to activate breakpoints around address 0x7FF40000.
2020-06-05 14:09:16,234 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x100CDD3F (thread 3368)
2020-06-05 14:09:16,249 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 3 at Address 0x7FF40000.
2020-06-05 14:09:16,265 [root] DEBUG: ContextSetNextAvailableBreakpoint: No available breakpoints!
2020-06-05 14:09:16,265 [root] DEBUG: Breakpoints for thread 3368: 0x7FF50000, 0x7FF5003C, 0x7FF50000, 0x7FF40000.
2020-06-05 14:09:16,265 [root] DEBUG: BaseAddressWriteCallback: Failed to set exec bp on tracked region protect address.
2020-06-05 14:09:16,281 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2828.
2020-06-05 14:09:16,281 [root] DEBUG: DLL loaded at 0x6F300000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-06-05 14:09:16,296 [root] DEBUG: Allocation: 0x032D4000 - 0x032D5000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:16,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:16,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:16,312 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:16,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:16,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:16,343 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:16,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:16,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:16,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:16,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:16,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:16,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:16,406 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:16,421 [root] DEBUG: Allocation: 0x032D5000 - 0x032D6000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:16,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:16,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:16,468 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:16,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:16,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:16,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:16,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:16,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:16,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:16,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:16,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:16,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:16,500 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:16,515 [root] DEBUG: Allocation: 0x032D6000 - 0x032D7000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:16,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:16,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:16,546 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:16,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:16,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:16,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:16,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:16,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:16,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:16,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:16,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:16,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:16,593 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:16,609 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4784.
2020-06-05 14:09:16,625 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2552.
2020-06-05 14:09:18,281 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3616.
2020-06-05 14:09:24,437 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2332.
2020-06-05 14:09:26,625 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-05 14:09:28,437 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4768.
2020-06-05 14:09:28,453 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:09:28,562 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2488.
2020-06-05 14:09:28,578 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4756.
2020-06-05 14:09:40,453 [root] DEBUG: Allocation: 0x032D7000 - 0x032D8000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:40,453 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:40,453 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:40,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:40,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:40,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:40,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:44,046 [root] DEBUG: DLL unloaded from 0x762F0000.
2020-06-05 14:09:51,546 [root] DEBUG: Allocation: 0x032D8000 - 0x032DA000, size: 0x2000, protection: 0x40.
2020-06-05 14:09:51,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:51,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:51,593 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:51,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:51,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:51,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:51,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:51,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:51,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:51,640 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:51,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:51,656 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:51,656 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:51,687 [root] DEBUG: Allocation: 0x032DA000 - 0x032DB000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:51,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:51,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:51,703 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:51,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:51,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:51,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:51,718 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:51,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:51,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:51,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:51,890 [root] DEBUG: Allocation: 0x032DB000 - 0x032DC000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:51,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:51,921 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:51,921 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:51,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:51,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:51,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:51,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:51,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:51,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:51,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:51,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:51,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,000 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:52,062 [root] DEBUG: Allocation: 0x032DC000 - 0x032DD000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,078 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:52,093 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:52,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,156 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:52,171 [root] DEBUG: Allocation: 0x032DD000 - 0x032DE000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,187 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,218 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:52,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:52,249 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:52,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:52,281 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:52,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:52,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,328 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:52,390 [root] DEBUG: DLL loaded at 0x64570000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-06-05 14:09:52,421 [root] DEBUG: Allocation: 0x032DE000 - 0x032DF000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,453 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,468 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,468 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,546 [root] DEBUG: Allocation: 0x032DF000 - 0x032E0000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,578 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:52,593 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:52,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:52,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:52,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:52,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:52,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,640 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x032C0000, size: 0x1000.
2020-06-05 14:09:52,687 [root] DEBUG: Allocation: 0x00321000 - 0x00322000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,718 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:52,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:52,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:52,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:52,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:52,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:52,781 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,796 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:09:52,828 [root] DEBUG: Allocation: 0x00322000 - 0x00323000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:52,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:52,843 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:52,859 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:52,859 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:52,859 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:52,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:52,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:52,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:52,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:52,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:52,906 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:52,937 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:09:52,968 [root] DEBUG: Allocation: 0x00323000 - 0x00324000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:52,968 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:53,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:53,000 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:53,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:53,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:53,031 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:53,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:53,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:53,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:53,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:53,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:53,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:53,078 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:09:53,125 [root] DEBUG: DLL loaded at 0x6EBC0000: C:\Windows\system32\wshom.ocx (0x21000 bytes).
2020-06-05 14:09:53,140 [root] DEBUG: DLL loaded at 0x71E60000: C:\Windows\system32\MPR (0x12000 bytes).
2020-06-05 14:09:53,156 [root] DEBUG: DLL loaded at 0x6D5C0000: C:\Windows\system32\ScrRun (0x2a000 bytes).
2020-06-05 14:09:53,296 [root] DEBUG: Allocation: 0x02DD1000 - 0x02DD2000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:53,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:53,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:53,312 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:53,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:53,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:53,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:53,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:53,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:53,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:53,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:53,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:53,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:53,375 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02DD1000, size: 0x1000.
2020-06-05 14:09:53,375 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 11.
2020-06-05 14:09:53,390 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02DD1000.
2020-06-05 14:09:53,390 [root] DEBUG: AddTrackedRegion: New region at 0x02DD0000 size 0x1000 added to tracked regions.
2020-06-05 14:09:53,390 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02DD0000, TrackedRegion->RegionSize: 0x1000, thread 4072
2020-06-05 14:09:53,406 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x7FF40000 to 0x02DD0000.
2020-06-05 14:09:53,468 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:53,515 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ff40000 - 0x7ff50000.
2020-06-05 14:09:53,515 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ff40fc1
2020-06-05 14:09:53,562 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7FF40000 - 0x7FF50000.
2020-06-05 14:09:53,562 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x7ff4ffff
2020-06-05 14:09:53,578 [root] DEBUG: DumpMemory: Nothing to dump at 0x7FF40000!
2020-06-05 14:09:53,640 [root] DEBUG: ProcessTrackedRegion: failed to dump executable memory range at 0x7FF40000.
2020-06-05 14:09:53,671 [root] DEBUG: ClearAllBreakpoints: Error getting thread context (thread 2468, handle 0xc0).
2020-06-05 14:09:53,671 [root] DEBUG: SetNextAvailableBreakpoint: GetNextAvailableBreakpoint failed (breakpoints possibly full).
2020-06-05 14:09:53,687 [root] DEBUG: ActivateBreakpoints: SetNextAvailableBreakpoint failed to set write bp on tracked region protect address 0x02DD1000.
2020-06-05 14:09:53,718 [root] DEBUG: AllocationHandler: Error - unable to activate breakpoints around address 0x02DD1000.
2020-06-05 14:09:53,750 [root] DEBUG: Allocation: 0x00324000 - 0x00325000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:53,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:53,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:53,750 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:53,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:53,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:53,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ff40000 - 0x7ff50000.
2020-06-05 14:09:53,781 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ff40fc1
2020-06-05 14:09:53,781 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7FF40000 - 0x7FF50000.
2020-06-05 14:09:53,781 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x7ff4ffff
2020-06-05 14:09:53,781 [root] DEBUG: DumpMemory: Nothing to dump at 0x7FF40000!
2020-06-05 14:09:53,796 [root] DEBUG: ProcessTrackedRegion: failed to dump executable memory range at 0x7FF40000.
2020-06-05 14:09:53,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02DD0000.
2020-06-05 14:09:53,796 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:09:53,796 [root] DEBUG: Allocation: 0x00325000 - 0x00326000, size: 0x1000, protection: 0x40.
2020-06-05 14:09:53,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessImageBase: EP 0x6BB27CEF image base 0x00400000 size 0x0 entropy 6.232447e+00.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002B0000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00320000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x032C0000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002E0000.
2020-06-05 14:09:53,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002D0000.
2020-06-05 14:09:53,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-06-05 14:09:53,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-06-05 14:09:53,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF50000.
2020-06-05 14:09:53,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7FF40000.
2020-06-05 14:09:53,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ff40000 - 0x7ff50000.
2020-06-05 14:09:53,828 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ff40fc1
2020-06-05 14:09:53,828 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7FF40000 - 0x7FF50000.
2020-06-05 14:09:53,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x7ff4ffff
2020-06-05 14:09:53,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x7FF40000!
2020-06-05 14:09:53,859 [root] DEBUG: ProcessTrackedRegion: failed to dump executable memory range at 0x7FF40000.
2020-06-05 14:09:53,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02DD0000.
2020-06-05 14:09:53,890 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00320000, size: 0x1000.
2020-06-05 14:09:53,890 [root] DEBUG: DLL loaded at 0x71150000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-05 14:09:53,921 [root] DEBUG: DLL unloaded from 0x75D90000.
2020-06-05 14:09:54,046 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-05 14:09:54,062 [lib.api.process] INFO: Monitor config for process 460: C:\tmp52sk_on6\dll\460.ini
2020-06-05 14:09:54,062 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:09:54,062 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:09:54,062 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:09:54,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:09:54,140 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:09:54,187 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:54,218 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x7FFD4000 Local PEB 0x7FFDE000 Local TEB 0x7FFDF000: The operation completed successfully.
2020-06-05 14:09:54,218 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2484, handle 0xa4
2020-06-05 14:09:54,234 [root] DEBUG: Process image base: 0x009A0000
2020-06-05 14:09:54,234 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-05 14:09:54,234 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-05 14:09:54,281 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:09:54,281 [root] DEBUG: Process dumps disabled.
2020-06-05 14:09:54,312 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:09:54,312 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:09:54,328 [root] INFO: Disabling sleep skipping.
2020-06-05 14:09:54,359 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 460 at 0x6ae60000, image base 0x9a0000, stack from 0x736000-0x740000
2020-06-05 14:09:54,375 [root] DEBUG: Commandline: C:\Windows\System32\services.exe.
2020-06-05 14:09:54,390 [root] DEBUG: WoW64 not detected.
2020-06-05 14:09:54,390 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:09:54,390 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x009A0000.
2020-06-05 14:09:54,406 [root] DEBUG: AddTrackedRegion: New region at 0x009A0000 size 0x1000 added to tracked regions: EntryPoint 0x13882, Entropy 6.355710e+00
2020-06-05 14:09:54,406 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:09:54,406 [root] INFO: loaded: b'460'
2020-06-05 14:09:54,421 [root] INFO: Loaded monitor into process with pid 460
2020-06-05 14:09:54,421 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:09:54,421 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:09:54,421 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,437 [root] INFO: Announced 32-bit process name: lsass.exe pid: 2296
2020-06-05 14:09:55,453 [lib.api.process] INFO: Monitor config for process 2296: C:\tmp52sk_on6\dll\2296.ini
2020-06-05 14:09:55,468 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:09:55,468 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:09:55,484 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:09:55,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:09:55,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:09:55,515 [root] DEBUG: Loader: Injecting process 2296 (thread 3304) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,531 [root] DEBUG: Process image base: 0x00DD0000
2020-06-05 14:09:55,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:09:55,546 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2020-06-05 14:09:55,578 [root] INFO: Announced 32-bit process name: lsass.exe pid: 2296
2020-06-05 14:09:55,578 [lib.api.process] INFO: Monitor config for process 2296: C:\tmp52sk_on6\dll\2296.ini
2020-06-05 14:09:55,578 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:09:55,578 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:09:55,593 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:09:55,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:09:55,625 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:09:55,625 [root] DEBUG: Loader: Injecting process 2296 (thread 3304) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,625 [root] DEBUG: Process image base: 0x00DD0000
2020-06-05 14:09:55,625 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,640 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 14:09:55,640 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:09:55,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2296
2020-06-05 14:09:55,671 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:09:55,671 [root] DEBUG: Process dumps disabled.
2020-06-05 14:09:55,671 [root] DEBUG: Auto-unpacking of payloads enabled.
2020-06-05 14:09:55,671 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:09:55,687 [root] INFO: Disabling sleep skipping.
2020-06-05 14:09:55,687 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 14:09:55,687 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2296 at 0x6ae60000, image base 0xdd0000, stack from 0xb6000-0xc0000
2020-06-05 14:09:55,703 [root] DEBUG: Commandline: C:\Windows\System32\lsass.exe.
2020-06-05 14:09:55,718 [root] DEBUG: WoW64 not detected.
2020-06-05 14:09:55,718 [root] DEBUG: UnpackerInit: Debugger initialised.
2020-06-05 14:09:55,718 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00DD0000.
2020-06-05 14:09:55,734 [root] DEBUG: AddTrackedRegion: New region at 0x00DD0000 size 0x1000 added to tracked regions: EntryPoint 0x2f35, Entropy 3.978700e+00
2020-06-05 14:09:55,734 [root] DEBUG: UnpackerInit: Adding main image base to tracked regions.
2020-06-05 14:09:55,750 [root] INFO: loaded: b'2296'
2020-06-05 14:09:55,750 [root] INFO: Loaded monitor into process with pid 2296
2020-06-05 14:09:58,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 4148.
2020-06-05 14:09:58,515 [root] DEBUG: DLL unloaded from 0x777B0000.
2020-06-05 14:09:58,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1240.
2020-06-05 14:09:58,546 [root] DEBUG: CreateThread: Initialising breakpoints for thread 264.
2020-06-05 14:10:09,062 [root] DEBUG: CreateThread: Initialising breakpoints for thread 112.
2020-06-05 14:10:24,437 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1976.
2020-06-05 14:10:24,437 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1044.
2020-06-05 14:10:31,234 [root] WARNING: Unable to open termination event for pid 2296.
2020-06-05 14:10:31,593 [root] DEBUG: Allocation: 0x00328000 - 0x0032A000, size: 0x2000, protection: 0x40.
2020-06-05 14:10:35,296 [root] DEBUG: Allocation: 0x0032A000 - 0x0032D000, size: 0x3000, protection: 0x40.
2020-06-05 14:10:35,750 [root] INFO: Announced 32-bit process name: netsh.exe pid: 5672
2020-06-05 14:10:35,750 [lib.api.process] INFO: Monitor config for process 5672: C:\tmp52sk_on6\dll\5672.ini
2020-06-05 14:10:41,281 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-06-05 14:10:41,296 [lib.api.process] INFO: Option 'unpacker' with value '1' sent to monitor
2020-06-05 14:10:41,296 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2020-06-05 14:10:41,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp52sk_on6\dll\OZPskd.dll, loader C:\tmp52sk_on6\bin\ttwULRq.exe
2020-06-05 14:10:45,359 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3588.
2020-06-05 14:10:53,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OHOFtTjjQH.
2020-06-05 14:10:53,390 [root] DEBUG: Loader: Injecting process 5672 (thread 4392) with C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:10:59,234 [root] DEBUG: Process image base: 0x013E0000
2020-06-05 14:10:59,328 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3596.
2020-06-05 14:11:05,234 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:11:05,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:11:11,234 [root] DEBUG: Successfully injected DLL C:\tmp52sk_on6\dll\OZPskd.dll.
2020-06-05 14:11:11,359 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5672
2020-06-05 14:11:11,359 [root] DEBUG: CreateThread: Initialising breakpoints for thread 404.
2020-06-05 14:11:23,234 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:11:23,312 [root] DEBUG: Process dumps disabled.
2020-06-05 14:11:29,234 [root] INFO: Disabling sleep skipping.
2020-06-05 14:11:29,343 [root] DEBUG: AddTrackedRegion: New region at 0x013E0000 size 0x1000 added to tracked regions: EntryPoint 0x3cbd, Entropy 3.285275e+00
2020-06-05 14:11:30,328 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:11:30,328 [lib.api.process] ERROR: Failed to open terminate event for pid 5652
2020-06-05 14:11:30,328 [root] INFO: Terminate event set for process 5652.
2020-06-05 14:11:30,328 [lib.api.process] INFO: Terminate event set for process 3480
2020-06-05 14:11:33,546 [root] DEBUG: DLL loaded at 0x71110000: C:\Windows\system32\DHCPCMONITOR (0x6000 bytes).
2020-06-05 14:11:33,625 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2800.
2020-06-05 14:11:35,328 [lib.api.process] INFO: Termination confirmed for process 3480
2020-06-05 14:11:35,328 [root] INFO: Terminate event set for process 3480.
2020-06-05 14:11:35,328 [lib.api.process] INFO: Terminate event set for process 584
2020-06-05 14:11:39,265 [root] DEBUG: DLL loaded at 0x73970000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-06-05 14:11:39,343 [lib.api.process] INFO: Termination confirmed for process 584
2020-06-05 14:11:39,343 [root] INFO: Terminate event set for process 584.
2020-06-05 14:11:39,343 [lib.api.process] INFO: Terminate event set for process 5524
2020-06-05 14:11:39,343 [lib.api.process] INFO: Termination confirmed for process 5524
2020-06-05 14:11:39,343 [root] INFO: Terminate event set for process 5524.
2020-06-05 14:11:39,343 [lib.api.process] INFO: Terminate event set for process 460
2020-06-05 14:11:39,343 [lib.api.process] INFO: Termination confirmed for process 460
2020-06-05 14:11:39,343 [root] INFO: Terminate event set for process 460.
2020-06-05 14:11:39,343 [lib.api.process] ERROR: Failed to open terminate event for pid 2296
2020-06-05 14:11:39,343 [root] INFO: Terminate event set for process 2296.
2020-06-05 14:11:39,343 [root] INFO: Created shutdown mutex.
2020-06-05 14:11:39,609 [root] DEBUG: DLL loaded at 0x75010000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2020-06-05 14:11:40,343 [root] INFO: Shutting down package.
2020-06-05 14:11:40,343 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:11:46,468 [root] DEBUG: DLL loaded at 0x674F0000: C:\Windows\system32\NETTRACE (0x8a000 bytes).
2020-06-05 14:11:51,234 [root] DEBUG: DLL loaded at 0x6E5E0000: C:\Windows\system32\wdi (0x15000 bytes).
2020-06-05 14:11:51,328 [root] DEBUG: DLL loaded at 0x75480000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 14:11:57,265 [root] DEBUG: DLL loaded at 0x644D0000: C:\Windows\system32\tdh (0x9b000 bytes).
2020-06-05 14:11:57,265 [lib.common.results] WARNING: File C:\OkWemdw\bin\procmon.xml doesn't exist anymore
2020-06-05 14:11:57,265 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:11:57,265 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:11:57,265 [root] WARNING: Folder at path "C:\OkWemdw\debugger" does not exist, skip.

Machine

Name     Label    Manager  Started On           Shutdown On
win7_3   win7_3   KVM      2020-06-05 14:04:36  2020-06-05 14:12:37

File Details

File Name cc-Refund _202945.exe
File Size 847872 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-04-05 17:44:10
MD5 99f463342893d84301a827c03fcfc446
SHA1 f0253bdce2b39ebe060e7b75beba5125886b761f
SHA256 f547fb42ad85215e7a7d0c4fb655634de8e0c4c65396efc98a46f66ec84d8772
SHA512 79d40cbd70257232298156157cf95f0fe60309b3b1114fd9b70f090e56ca08cd96bcb73482a05bcd59cb19fb3e22182c0e87b095be250ac2cb4ab0757e4694a0
CRC32 F314A6C0
Ssdeep 6144:yaUDG3Kp1URj6VEJD6LpzwaerDvvwDHl7TZP8obaX3/Q8bDeMBBP31zFqwtFf8:yaUDdcV6VEt6KNgDFxk5/QAND/tFU
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: InstallUtil.exe tried to sleep 542.991 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/CopyFileEx
DynamicLoader: KERNEL32.dll/CopyFileExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: KERNEL32.dll/GetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/SetThreadPreferredUILanguages
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetSystemDefaultLocaleName
DynamicLoader: fastprox.dll/DllGetClassObject
DynamicLoader: fastprox.dll/DllCanUnloadNow
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsLookupClrGuid
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: MSCOREE.DLL/GetTokenForVTableEntry
DynamicLoader: MSCOREE.DLL/SetTargetForVTableEntry
DynamicLoader: MSCOREE.DLL/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: KERNEL32.dll/GetLastError
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/FindFirstFile
DynamicLoader: KERNEL32.dll/FindFirstFileW
DynamicLoader: KERNEL32.dll/FindClose
DynamicLoader: OLEAUT32.dll/
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: KERNEL32.dll/GetSystemTimeAsFileTime
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetDynamicTimeZoneInformation
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/GetFileMUIPath
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: KERNEL32.dll/FreeLibraryW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/GetStdHandle
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CreatePipe
DynamicLoader: KERNEL32.dll/CreatePipeW
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentDirectory
DynamicLoader: KERNEL32.dll/GetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetConsoleOutputCP
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: RASMONTR.DLL/InitHelperDll
DynamicLoader: NSHWFP.DLL/InitHelperDll
DynamicLoader: DHCPCMONITOR.DLL/InitHelperDll
DynamicLoader: WSHELPER.DLL/InitHelperDll
DynamicLoader: NSHHTTP.DLL/InitHelperDll
DynamicLoader: FWCFG.DLL/InitHelperDll
DynamicLoader: AUTHFWCFG.DLL/InitHelperDll
DynamicLoader: IFMON.DLL/InitHelperDll
DynamicLoader: NETIOHLP.DLL/InitHelperDll
DynamicLoader: WHHELPER.DLL/InitHelperDll
DynamicLoader: HNETMON.DLL/InitHelperDll
DynamicLoader: RPCNSH.DLL/InitHelperDll
DynamicLoader: DOT3CFG.DLL/InitHelperDll
DynamicLoader: NAPMONTR.DLL/InitHelperDll
DynamicLoader: NSHIPSEC.DLL/InitHelperDll
DynamicLoader: NETTRACE.DLL/InitHelperDll
DynamicLoader: WCNNETSH.DLL/InitHelperDll
DynamicLoader: P2PNETSH.DLL/InitHelperDll
DynamicLoader: WLANCFG.DLL/InitHelperDll
DynamicLoader: WWANCFG.DLL/InitHelperDll
DynamicLoader: PEERDISTSH.DLL/InitHelperDll
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: CRYPTSP.dll/CryptEnumProvidersW
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: HTTPAPI.dll/HttpInitialize
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: USERENV.dll/UnregisterGPNotification
A process created a hidden window
Process: InstallUtil.exe -> "netsh" wlan show profile
CAPE extracted potentially suspicious content
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
InstallUtil.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
cc-Refund _202945.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe
Uses Windows utilities for basic functionality
command: "netsh" wlan show profile
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: cc-Refund _202945.exe(5652) -> InstallUtil.exe(3480)
Executed a process and injected code into it, probably while unpacking
Injection: cc-Refund _202945.exe(5652) -> InstallUtil.exe(3480)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (460) called API GetSystemTimeAsFileTime 9074995 times
Steals private information from local Internet browsers
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
file: C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
Attempts to bypass application whitelisting by copying and executing .NET utility in a suspended state, potentially for injection
Copy: c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: cc-Refund _202945.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Copy: c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: cc-Refund _202945.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Copy: c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: cc-Refund _202945.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Copy: c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
Process: cc-Refund _202945.exe > c:\users\rebecca\appdata\local\temp\installutil.exe
CAPE detected the AgentTeslaV2 malware family
File has been identified by 19 Antiviruses on VirusTotal as malicious
McAfee: GenericRXKW-MK!99F463342893
Sangfor: Malware
CrowdStrike: win/malicious_confidence_100% (W)
BitDefenderTheta: Gen:[email protected]
Cyren: W32/MSIL_Kryptik.AIK.gen!Eldorado
Kaspersky: UDS:DangerousObject.Multi.Generic
Endgame: malicious (high confidence)
Invincea: heuristic
FireEye: Generic.mg.99f463342893d843
Paloalto: generic.ml
Fortinet: MSIL/Kryptik.WEL!tr
Microsoft: Trojan:Win32/Wacatac.C!ml
ZoneAlarm: UDS:DangerousObject.Multi.Generic
APEX: Malicious
SentinelOne: DFI - Malicious PE
eGambit: Unsafe.AI_Score_100%
AVG: FileRepMalware
Cybereason: malicious.ce2b39
Qihoo-360: HEUR/QVM03.0.B1EC.Malware.Gen
Drops a binary and executes it
binary: C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
binary: C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini

Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe.config
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\n_6\*
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe:Zone.Identifier
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationUI\v4.0_4.0.0.0__31bf3856ad364e35\PresentationUI.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\n_6.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\n_6.resources\n_6.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\n_6.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\n_6.resources\n_6.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Local\Temp\en\n_6.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\n_6.resources\n_6.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\n_6.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\n_6.resources\n_6.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\SQtoZxQBjgy71f9e043#\*
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.INI
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\OLEAUT32.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
C:\%insfolder%\%insname%
C:\Users\Rebecca\AppData\Local\CentBrowser\User Data
C:\Users\Rebecca\AppData\Local\uCozMedia\Uran\User Data
C:\Users\Rebecca\AppData\Local\Elements Browser\User Data
C:\Users\Rebecca\AppData\Local\liebao\User Data
C:\Users\Rebecca\AppData\Local\Chromium\User Data
C:\Users\Rebecca\AppData\Local\CocCoc\Browser\User Data
C:\Users\Rebecca\AppData\Local\Torch\User Data
C:\Users\Rebecca\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\Rebecca\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\Rebecca\AppData\Local\Comodo\Dragon\User Data
C:\Users\Rebecca\AppData\Local\Epic Privacy Browser\User Data
C:\Users\Rebecca\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\Rebecca\AppData\Roaming\Opera Software\Opera Stable
C:\Users\Rebecca\AppData\Local\Orbitum\User Data
C:\Users\Rebecca\AppData\Local\360Chrome\Chrome\User Data
C:\Users\Rebecca\AppData\Local\Iridium\User Data
C:\Users\Rebecca\AppData\Local\Coowon\Coowon\User Data
C:\Users\Rebecca\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\Rebecca\AppData\Local\Kometa\User Data
C:\Users\Rebecca\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\Rebecca\AppData\Local\QIP Surf\User Data
C:\Users\Rebecca\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\Rebecca\AppData\Local\Chedot\User Data
C:\Users\Rebecca\AppData\Local\Amigo\User Data
C:\Users\Rebecca\AppData\Local\Vivaldi\User Data
C:\Users\Rebecca\AppData\Local\7Star\7Star\User Data
C:\Users\Rebecca\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\cftp\Ftplist.txt
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Users\Rebecca\AppData\Roaming\FTPGetter\servers.xml
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\Rebecca\AppData\Roaming\Claws-mail
C:\Users\Rebecca\AppData\Roaming\Claws-mail\clawsrc
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Users\Rebecca\AppData\Roaming\Psi\profiles
C:\Users\Rebecca\AppData\Roaming\Psi+\profiles
C:\Users\Rebecca\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\Rebecca\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Program Files\jDownloader\config\database.script
C:\Users\Rebecca\AppData\Local\Temp\Folder.lst
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Users\Rebecca\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Rebecca\AppData\Local\Microsoft\Edge\User Data
C:\Users\Rebecca\AppData\Local\Temp\vaultcli.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Storage\
C:\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\Rebecca\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\logins.json
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\signons.sqlite
C:\Users\Rebecca\AppData\Local\UCBrowser\*
\Device\NamedPipe\
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository
C:\Windows\System32\wbem\Logs
C:\Windows\System32\wbem\AutoRecover
C:\Windows\System32\wbem\MOF
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\Temp
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\System32\credui.dll
\Device\Http\Communication
C:\Windows\System32\en-US\FWCFG.DLL.mui
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\QAGENTRT.DLL
C:\Windows\System32\dnsapi.dll
C:\Windows\System32\fveui.dll
C:\Windows\System32\wuaueng.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Windows\System32\DHCPQEC.DLL
C:\Windows\System32\en-US\DhcpQEC.dll.mui
C:\Windows\System32\napipsec.dll
C:\Windows\System32\en-US\napipsec.dll.mui
C:\Windows\System32\tsgqec.dll
C:\Windows\System32\en-US\tsgqec.dll.mui
C:\Windows\System32\EAPQEC.DLL
C:\Windows\System32\en-US\eapqec.dll.mui
C:\Windows\System32\en-US\P2PNETSH.DLL.mui
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe.config
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\ee81fa2e7f333ee787a423c2e39ee3a3\System.Numerics.ni.dll
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\System32\wbem\wbemdisp.tlb
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\dde965f45fc6933d4ad380bea5e0438d\CustomMarshalers.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Users\Rebecca\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Waterfox\profiles.ini
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Users\Rebecca\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Rebecca\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Rebecca\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Rebecca\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Rebecca\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\System32\wshom.ocx
C:\Windows\System32\en-US\wshom.ocx.mui
C:\Users\Rebecca\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
C:\Users\Rebecca\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Rebecca\AppData\Roaming\Mozilla\Firefox\Profiles\48wgv2fv.default\key4.db
\Device\NamedPipe\
C:\Windows\System32\en-US\VssTrace.DLL.mui
\??\PIPE\samr
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
C:\Windows\System32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
C:\Windows\System32\credui.dll
\Device\Http\Communication
C:\Windows\System32\en-US\FWCFG.DLL.mui
C:\Windows\System32\en-US\CRYPT32.dll.mui
C:\Windows\System32\en-US\DhcpQEC.dll.mui
C:\Windows\System32\napipsec.dll
C:\Windows\System32\en-US\napipsec.dll.mui
C:\Windows\System32\tsgqec.dll
C:\Windows\System32\en-US\tsgqec.dll.mui
C:\Windows\System32\EAPQEC.DLL
C:\Windows\System32\en-US\eapqec.dll.mui
C:\Windows\System32\en-US\P2PNETSH.DLL.mui
C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe
\??\PIPE\samr
C:\Windows\System32\wbem\repository\WRITABLE.TST
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\wbem\repository\MAPPING3.MAP
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\wbem\repository\INDEX.BTR
\??\pipe\PIPE_EVENTROOT\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\Device\Http\Communication
C:\Users\Rebecca\AppData\Local\Temp\cc-Refund _202945.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cc-Refund _202945.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|cc-Refund _202945.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|cc-Refund _202945.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|cc-Refund _202945.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallUtil.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-479431668-4257340731-3059248302-1002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\InstallUtil.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\5F1C450F
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79617
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\PlumbIpsecPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79619
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79621
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Qecs\79623
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
HKEY_CURRENT_USER\Software\Classes\AppID\netsh.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetTrace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\Scenarios
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\NetTrace
HKEY_CURRENT_USER\System\CurrentControlSet\Control\NetTrace\Session
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\DebugFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\PolicyProvider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
\xa9b0\x83EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
\xe590\x158EY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\5F1C450F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\SessionEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AreaFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\Session
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\BufferSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MinimumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumBuffers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\MaximumFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\LogFileMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\FlushTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Tracing\WMI\AgeLimit
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000100-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9555-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{609B9557-4FB6-11D1-9971-00C04FBBB345}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\QueryLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PathLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbThrottlingEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighMaxLimitFactor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbTaskMaxSleep
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold1Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold2Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ArbSystemHighThreshold3Mult
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Unchecked Task Count
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Working Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Build
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\MOF Self-Install Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Default Repository Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueCoreFsrepVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Repository Cache Spill Ratio
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckPointValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SnapShotValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\CheckRepositoryOnNextStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NumWriteIdCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Class Cache Item Age (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\NextAutoRecoverFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Enable Provider Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{226569DD-1D90-4B04-9C03-6793B6D991F7}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{28086039-BCB3-4F24-BEE9-1E964DEDE9B1}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{56BD4BED-F318-4059-B8D5-F7380EC296A0}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Scope
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\Locale
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Client\{998B0BE7-B4BC-46E1-94D4-C9F9B28DC669}\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssToBeInitialized
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Low Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\High Threshold On Events (B)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Wait On Events (ms)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Merger Query Arbitration Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerBatchSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ClientCallbackTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\FinalizerQueueThreshold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SetupDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Max Async Result Queue Size
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cimv2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cimv2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{661FF7F6-F4D1-4593-B59D-4C54C1ECE68B}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D63A5850-8F16-11CF-9F47-00AA00BF345C}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders\ROOT\CIMV2:__Win32Provider.Name="CIMWin32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\DisabledComponents
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\config\Connectivity_Platform_Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enable Tracing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Tracing Level
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79617\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79619\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79621\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Friendly Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Description
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Version
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Vendor Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Info Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Config Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Validator Clsid
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Registration Date
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\Qecs\79623\Component Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\PlumbIpsecPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetTrace\DebugFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Transports\Decoupled\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\CreationTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\ProcessIdentifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\165\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.GetFullPathNameW
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
psapi.dll.GetModuleFileNameExW
kernel32.dll.DeleteFileW
ntdll.dll.NtQuerySystemInformation
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
kernel32.dll.ResolveLocaleName
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageEncodersSize
kernel32.dll.LocalAlloc
gdiplus.dll.GdipGetImageEncoders
kernel32.dll.LocalFree
gdiplus.dll.GdipSaveImageToStream
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#10
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
gdiplus.dll.GdipDisposeImage
kernel32.dll.GetTempPathW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.CopyFileExW
bcrypt.dll.BCryptGetFipsAlgorithmMode
ntdll.dll.NtQueryInformationThread
kernel32.dll.CreateWaitableTimerExW
kernel32.dll.SetWaitableTimerEx
ole32.dll.CoUninitialize
advapi32.dll.CreateProcessAsUserW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptGenRandom
ole32.dll.CoCreateGuid
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
advapi32.dll.EventUnregister
cryptsp.dll.CryptReleaseContext
oleaut32.dll.#500
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
advapi32.dll.ConvertSidToStringSidW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.WideCharToMultiByte
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
user32.dll.CallWindowProcW
user32.dll.RegisterWindowMessageW
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.MkParseDisplayName
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
ole32.dll.BindMoniker
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
sxs.dll.SxsLookupClrGuid
oleaut32.dll.#4
mscoreei.dll._CorDllMain
mscoree.dll.GetTokenForVTableEntry
mscoree.dll.SetTargetForVTableEntry
mscoree.dll.GetTargetForVTableEntry
mscoreei.dll.GetTokenForVTableEntry
mscoreei.dll.SetTargetForVTableEntry
mscoreei.dll.GetTargetForVTableEntry
kernel32.dll.GetLastError
kernel32.dll.CreateEventW
kernel32.dll.SetEvent
ole32.dll.CoWaitForMultipleHandles
ole32.dll.IIDFromString
kernel32.dll.LoadLibraryA
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
kernel32.dll.RegOpenKeyExW
oleaut32.dll.#149
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
oleaut32.dll.#200
cryptsp.dll.CryptAcquireContextA
kernel32.dll.CreateFileW
ole32.dll.CLSIDFromProgIDEx
oleaut32.dll.#2
oleaut32.dll.#7
oleaut32.dll.#6
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
oleaut32.dll.#201
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetDynamicTimeZoneInformation
kernel32.dll.GetFileMUIPath
kernel32.dll.LoadLibraryExW
kernel32.dll.FreeLibrary
user32.dll.LoadStringW
user32.dll.GetLastInputInfo
kernel32.dll.GetFileType
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
oleaut32.dll.#204
oleaut32.dll.#203
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetStdHandle
kernel32.dll.CreatePipe
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.CreateProcessW
kernel32.dll.GetConsoleOutputCP
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.StringFromCLSID
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
ole32.dll.CLSIDFromString
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.StringFromGUID2
ole32.dll.CoImpersonateClient
ole32.dll.CoRevertToSelf
ole32.dll.CoSwitchCallContext
sspicli.dll.LogonUserExExW
comctl32.dll.#320
comctl32.dll.#324
rasmontr.dll.InitHelperDll
nshwfp.dll.InitHelperDll
dhcpcmonitor.dll.InitHelperDll
wshelper.dll.InitHelperDll
nshhttp.dll.InitHelperDll
fwcfg.dll.InitHelperDll
authfwcfg.dll.InitHelperDll
ifmon.dll.InitHelperDll
netiohlp.dll.InitHelperDll
whhelper.dll.InitHelperDll
hnetmon.dll.InitHelperDll
rpcnsh.dll.InitHelperDll
dot3cfg.dll.InitHelperDll
napmontr.dll.InitHelperDll
nshipsec.dll.InitHelperDll
nettrace.dll.InitHelperDll
wcnnetsh.dll.InitHelperDll
p2pnetsh.dll.InitHelperDll
wlancfg.dll.InitHelperDll
wwancfg.dll.InitHelperDll
peerdistsh.dll.InitHelperDll
cryptsp.dll.CryptEnumProvidersW
advapi32.dll.RegCreateKeyExW
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceConfigW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceStatus
httpapi.dll.HttpInitialize
userenv.dll.RegisterGPNotification
userenv.dll.UnregisterGPNotification
"C:\Users\Rebecca\AppData\Local\Temp\InstallUtil.exe"
"netsh" wlan show profile
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
VaultSvc
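The resolved-API listing and process list above, checked against a few behaviour signatures. This is an added example and not part of the sandbox report: RESOLVED and COMMANDS are a subset copied from the listing in their original order, while the signature names, the ordered-sequence rule for process hollowing (create host, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) and the regular expressions are my own. One caveat the signatures cannot settle on their own: the listing does not say which process resolved each API, and the process list includes wmiprvse.exe and lsass.exe alongside InstallUtil.exe, so a hit such as the samlib Sam* calls shows that some monitored process resolved them and attributing it to the sample needs the per-process call log.

```python
"""Behaviour signatures over a sandbox API/command-line listing.

Added example, not part of the sandbox report. RESOLVED and COMMANDS are a
subset copied from the report's resolved-API and process lists; signature
names, the ordered-sequence rule and the regular expressions are my own.
"""
import re

RESOLVED = [  # subset of the report's resolved-API list, original order kept
    "kernel32.dll.GetTempPathW",
    "advapi32.dll.CreateProcessAsUserW",
    "cryptsp.dll.CryptGenRandom",
    "kernel32.dll.GetThreadContext",
    "kernel32.dll.ReadProcessMemory",
    "kernel32.dll.VirtualAllocEx",
    "kernel32.dll.WriteProcessMemory",
    "kernel32.dll.SetThreadContext",
    "kernel32.dll.ResumeThread",
    "vaultcli.dll.VaultEnumerateVaults",
    "kernel32.dll.CreateProcessW",
    "samlib.dll.SamConnect",
    "samlib.dll.SamEnumerateDomainsInSamServer",
]
COMMANDS = [  # from the report's process list
    '"C:\\Users\\Rebecca\\AppData\\Local\\Temp\\InstallUtil.exe"',
    '"netsh" wlan show profile',
]

# Process hollowing: a host process is created, its main thread context is
# read, new memory is written into it, the context is redirected and the
# thread resumed. Each step must follow the previous one; '|' lists alternatives.
HOLLOWING_SEQUENCE = [
    "CreateProcessAsUserW|CreateProcessW",
    "GetThreadContext",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]
CREDENTIAL_STORE_APIS = {"VaultEnumerateVaults"}        # Windows Credential Vault
WLAN_PROFILE_RE = re.compile(r'netsh"?\s+wlan\s+show\s+profile', re.IGNORECASE)
INSTALLUTIL_TEMP_RE = re.compile(r'\\Temp\\[^"\\]*InstallUtil\.exe', re.IGNORECASE)


def api_name(entry: str) -> str:
    """'kernel32.dll.GetThreadContext' -> 'GetThreadContext'."""
    return entry.split(".dll.", 1)[-1]


def match_in_order(names, sequence):
    """Return the APIs that satisfy `sequence` in order, or None if a step is missing."""
    matched, pos = [], 0
    for step in sequence:
        alternatives = step.split("|")
        idx = next((i for i in range(pos, len(names)) if names[i] in alternatives), None)
        if idx is None:
            return None
        matched.append(names[idx])
        pos = idx + 1
    return matched


def scan(resolved, commands):
    """Map signature name -> evidence for every signature that fires."""
    apis = [api_name(e) for e in resolved]
    hits = {}
    hollow = match_in_order(apis, HOLLOWING_SEQUENCE)
    if hollow:
        hits["process_hollowing"] = hollow
    vault = sorted(set(apis) & CREDENTIAL_STORE_APIS)
    if vault:
        hits["credential_store_access"] = vault
    sam = [a for a in apis if a.startswith("Sam")]   # samlib.dll SAM RPC client calls
    if sam:
        hits["local_sam_enumeration"] = sam
    for cmd in commands:
        if WLAN_PROFILE_RE.search(cmd):
            hits.setdefault("wifi_profile_dump", []).append(cmd)
        if INSTALLUTIL_TEMP_RE.search(cmd):
            hits.setdefault("installutil_from_temp", []).append(cmd)
    return hits


if __name__ == "__main__":
    for name, evidence in scan(RESOLVED, COMMANDS).items():
        print(f"{name}: {evidence}")
```

The ordered match is what separates hollowing from an ordinary debugger or crash handler that also resolves ReadProcessMemory and GetThreadContext: only the full create, write, redirect, resume chain in that order fires the signature.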

BinGraph

PE Information

Image Base 0x00400000
Entry Point 0x004a49be
Reported Checksum 0x00000000
Actual Checksum 0x000d93f1
Minimum OS Version 4.0
Compile Time 2020-04-05 17:44:10
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744
Icon Exact Hash c409c4eeb4d2109dad1b7fb7d3fcf86c
Icon Similarity Hash 9161698d675fe03d00f2a597f388563f

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x000a29c4 0x000a2a00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.43
.rsrc 0x000a2c00 0x000a6000 0x0002c12d 0x0002c200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.19
.reloc 0x000cee00 0x000d4000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
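A cross-check of the numbers in the PE Information and Sections tables above, as an added example that is not part of the report. It converts the entry point to an RVA and a file offset, tests whether it sits in the final 6 bytes of .text (where the linker places the managed `jmp [_CorExeMain]` stub of a .NET image, the one fixup a 12-byte .reloc section exists for) and states what the checksum and entropy columns do and do not say: a reported checksum of 0 means the linker left it unset, which is normal for unsigned images and not evidence of tampering, and section entropy around 5.4 is ordinary code and metadata, so whatever packing this sample does happens inside the assembly rather than at the PE layer. The stub heuristic and the entropy threshold are mine.

```python
"""Cross-check of the PE header fields against the section table.

Added example, not part of the report. The constants are copied from the
report's 'PE Information' and 'Sections' tables; the 'managed entry stub'
heuristic and the entropy threshold are my own.
"""
IMAGE_BASE = 0x00400000
ENTRY_POINT = 0x004a49be            # printed by the report as a virtual address
REPORTED_CHECKSUM = 0x00000000
ACTUAL_CHECKSUM = 0x000d93f1

# (name, raw offset, virtual address, virtual size, raw size, entropy)
SECTIONS = [
    (".text",  0x00000200, 0x00002000, 0x000a29c4, 0x000a2a00, 5.43),
    (".rsrc",  0x000a2c00, 0x000a6000, 0x0002c12d, 0x0002c200, 5.19),
    (".reloc", 0x000cee00, 0x000d4000, 0x0000000c, 0x00000200, 0.10),
]
PACKED_ENTROPY = 7.0   # above this a section is almost certainly compressed or encrypted


def section_for_rva(rva, sections=SECTIONS):
    """Return (section record, bytes remaining to the section's end) or (None, None)."""
    for sec in sections:
        _, _, va, vsize, _, _ = sec
        if va <= rva < va + vsize:
            return sec, va + vsize - rva
    return None, None


def rva_to_file_offset(rva, sections=SECTIONS):
    """Map an RVA to its offset in the file, or None if it has no raw backing."""
    sec, _ = section_for_rva(rva, sections)
    if sec is None:
        return None
    _, raw, va, _, rsize, _ = sec
    off = rva - va
    return raw + off if off < rsize else None   # beyond raw data: virtual-only bytes


def assess(image_base=IMAGE_BASE, entry_point=ENTRY_POINT,
           reported=REPORTED_CHECKSUM, actual=ACTUAL_CHECKSUM, sections=SECTIONS):
    rva = entry_point - image_base
    sec, tail = section_for_rva(rva, sections)
    return {
        "entry_rva": rva,
        "entry_section": sec[0] if sec else None,
        "entry_file_offset": rva_to_file_offset(rva, sections),
        # The C# toolchain places the 6-byte CLR entry stub ('jmp [_CorExeMain]')
        # at the very end of .text and emits a single 12-byte .reloc block for it.
        "clr_entry_stub": sec is not None and sec[0] == ".text" and tail == 6,
        "reloc_is_single_fixup": any(s[0] == ".reloc" and s[3] == 0xC for s in sections),
        # 0 means no checksum was written (normal for unsigned images); a
        # non-zero value that differs from the computed one is the interesting
        # case, since it points at a file patched after linking.
        "checksum_unset": reported == 0,
        "checksum_mismatch": reported != 0 and reported != actual,
        "high_entropy_sections": [s[0] for s in sections if s[5] >= PACKED_ENTROPY],
    }


if __name__ == "__main__":
    for k, v in assess().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```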

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x000d0d5c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_GROUP_ICON 0x000d11c4 0x00000084 LANG_NEUTRAL SUBLANG_NEUTRAL 3.20 None
RT_VERSION 0x000d1248 0x00000290 LANG_NEUTRAL SUBLANG_NEUTRAL 3.30 None
RT_MANIFEST 0x000d14d8 0x00000c55 LANG_NEUTRAL SUBLANG_NEUTRAL 5.01 None

Imports


Assembly Information

Name n_6
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
System 4.0.0.0
System.Windows.Forms 4.0.0.0
System.Drawing 4.0.0.0
PresentationFramework 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 7836f796-52e2-433c-af24-085702be77
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute 3d^Wn%C5#6b
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute 3d^Wn%C5#6b
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute t(4G8T!x#6oM5Z*

Type References

Assembly Type Name
mscorlib System.Object
System System.Configuration.SettingsBase
mscorlib System.Reflection.Assembly
System System.ComponentModel.Component
System System.ComponentModel.IContainer
mscorlib System.Reflection.MethodInfo
mscorlib System.Type
System.Windows.Forms System.Windows.Forms.UserControl
System System.Configuration.ApplicationSettingsBase
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
mscorlib System.ValueType
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.String
mscorlib System.Security.SecuritySafeCriticalAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.Byte
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
mscorlib System.Char
mscorlib System.Security.IEvidenceFactory
mscorlib System.Collections.Generic.IEnumerable`1
System System.ComponentModel.IComponent
mscorlib System.Math
mscorlib System.Reflection.IReflect
mscorlib System.IDisposable
System System.ComponentModel.Container
mscorlib System.ICloneable
mscorlib System.IO.FileLoadException
mscorlib System.Reflection.MethodBase
mscorlib System.RuntimeTypeHandle

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
Sm1 o~
rPwpt
FrQ_A8
lBB;J
1This progrqm cannot bu run in DOc mode.
.text
@.reloc
3Txis p
ogram0uannot te
un {n DOS
>twxt
`.rsr
R.reloc
*BeJB
"v4.0.3B319
#Stri
#YUID
Clsss1
dule>
UO`Y_FI^E_RESdSRTABLE
PR_GREeS_CONTkNUE
va~ue_o
sorlib
Tota|B
tesTra
sverrev
Streq
BytesT
sferrev
EndIn
BeyinIn
oldF{lu
rceFi|w
hDest{na
ionXile
gFileNs}e
lpNwwFiluNsme
owressdoutinu
CopyPr
grussR
utine
oultica
tDe|egste
GuivQttrib
ggableSt
Comf{sibleA
trybutw
Targe
Framew
tr{bute
emblyXileVur
ionAtt
irute
XlagsA
ribute
Co}pilstionRe
axatio
ritute
imeCo
patiri~ityAtt
irute
fotalFy~eSize
etruamS{ze
amSize
OuhiiMei
yncCsllbac{
callbauk
pbCan
el3B.d~l
Systwm>Reflwction
UopyProyre
sCa~lbackR
Cal|baukReaso
reaso
pyProg
Hanvler
Intbtr
em.Diay~ostic
.Runti
e>Inte
opSer
te}.Ru
time.C
mpilereervyce
DebugyyngModws
yXileFlays
yFlag
StreamTytuTra
objeut
cResul
CopyP
sdesult
UopyFi|wEx
l+/sB
NonExuepti
nfhrows
$15UEAUDC-EA00-45X8-8D67?8BDGCCTEAC70
1.B.0.0
.NEfF
rk,Ve
Xramewo
kDisplsyNa}e
@NET Frs}ework24.5
CJ\Use
s\Swi
uh\sourue\
\stub\eopyEx\achiyMe{\Ochii_ui\objnReleqsw\kilo.
_CorD~lMai~
am3ca
bx r
n |n0WOS3mowe.
.txxt
%)joD
%-:&~
#v4A0.F03D9
6GU\D
_>9r_8r0
ORutdMeesQb_rH_C
gxt_fca
TtsksA
ryftr
Rxad\n
Yunv`2
umAIO
llxct
.Gxne
ac~Tr
Imtge_os~Mowe
\mazu
ertbl
nt|me`e
{od[anwle
pekanwle
om[anw|e
Revta
gxt_`od
_Mtin`
eaamx
Frtme
zetrDev|a
inzTy
etrRe
emASo
zetrCu
howBa
ilxrGxne
tr|bu
ZuiwAt
DxbuzgquleTtt
tr|bu
Tssxmb
riuut
ar~At
iuutx
amxwo
tr|bu
yF|leyer
ryuutx
fizur
Tssxmb
riuutx
mp|la
axtti
nsdtt
emulycrow
riuut
yr|gh
iuutx
tr|bu
imxCo
ib|li
aw|ngAImtwi
emQRu
m.Wra
Oc{ii`ui
tzrdvgtAdl
stxm.Zlouql|za
stxm.eef
_Awti
sxt_sos|ti
{od\nf
re\nf
mbxrI
b|tmt
zetrBm
tT|mefta
emALi
eeawer
rmttP
ov|du
ylwer
urvuMtnazer
>D|ag
Rxad`Re
stxm.eun
ymx.I
opver
emARu
u.Vom
ilxrS
rv|ce
xm.ees
urvus
Deuugzin
Mowes
imtgu
\mazeT
stxm.gxrxad|ngATa
ocxss
_BtseTdd
lovkB|
agxFo
GxtOujevt
velxct
p_Xxp
zetrEn
rysoi
\nsxr
umATe
ChtrQ
gxt_T
Zethnt
oCtpavit
Exvep
bcx|iMxi
ig{t
$6DC6G9bv-7Ed5P43De-Kb0F-HyccJ13H25EG
1A0.S.0
ANUgFrtme
or~<Vxrs|onPv4Q5
'Frtmu
or~Di
Ntme%.NXT ira
rk34>H
RcWSG
#C:oUsxrsoS
|tc{\s
urvu\
s\bch
iMxi\bch|i]xi\
bjoRe
grwcg
rux.d
qm3ca
n |n WOc3mowe.
.txxt
=BS]R
vG.0A30F1I
#ftr|nw
#GhID
#U|ou
eeawUI
Rxad\ntV2
RetdU\~tI4
eeawIn
RetdU\n
eeawIn
_UgF8#<M
msvor
ib#Sy
l|xct|on
.Gx~e
wMxth
eeqwDo
~t|megypxHa
puYro
Rxadfinzle#Da
eT|me
riuut
DxbuzgauluTtt
tr|bu
yT|tlxQt
riuutx
Trtdu
ar~At
TtrgxtF
amxwo
Tssx}b
yF|leier
fizurtti
tr|bu
Tssxmb
riuutx
qxtti
nsTtt
e}ulycrowuc
riuutx
ymxCo
eeawSB
RetdB
te#fv
E~vod|ng
nt|meQVe
eeawSt
Ovhi|Me|
adWec|ma
sfxsdy.d
ryftr
bxadUoo
stxm.eef
RxatVha
Rxadxr
ryeeawer
.cvto
stxm.Wia
emARu
u.\ntxro
vives
nt|meASo
erfer
gw|ng`odxs
euawBy
.Txxt
betdDttaTrr
ChtrA
Rxadbbjxctdrrty
)WrtpN
Oc{iy`ei
D.0A0.S
-.NXTV
amxwo
k,iur
=vG.5$
kD|sp
ayaqmx
.aET3Fr
or~ 4A5
rux.d
1_hts+p}orr|m+clnyo
mu+r
n+iy OOn xooe9
@9rplzc
*MSUB
D9093;3<9
rtnrs
.G`IO
.Bwom
Cwa~s<
m~szrwim
o~amlp
untai}t
awM|csiye
wramlpA
t}i}u
Czmai~ymlpA
t}imu
A~spmml
dttweLt
Ls~exbw
_rldpmlrvA
t}imu
F}axe
Ls~exbwyQi
eae}stoyA
Cznqir
iznLt
Ls~exrwyOe~c}i{t
t}imu
Czm{iwa
n]ewa
iz~~A
t}imu
A~spmml
ountLt
Ls~exbw
No{y}irh
t}imu
Czm{a
]uyttmpCzm
imiwi
tpm9R
ixu9Vpr~izntn
_o^t}iyg
_nhtiXet
gz.olw
oTtpm
^y~tpm9Rpvwenttoy
arexeytZbuuntNowlpc
b}iro
Ml~lgpmpn
Spa}cse}
arexeytZbuuntPn
mprlt
GptPn
.ntzr
ex.Oilwyo~ttc~
tpm9R
ixu9Iytprzp^e
vtcps
ux.]uyttmp.^oxptlpr^e}
iygXooe~
ytliys
Mln|gpmpn
Blsp_mjpc
oo`p{e}Iyvl
.Xayarexey
gptjC
MzvpNpx
zpjE|ulltt
!W}a{NznPx~e{ttoyTsrz
OnhtiXut
+2;2;
/eB0=aoA;-?0;[email protected];2D4?8o
1909090
9NPTQr|mpwzrv,ae}
F}axe
o}{Oi~pwa
9NPT+F}axu
o}k+495
N:gU~e}swS
cs\~o
negrppzsgs
zrgOnhtiXe
\ZcsitMpig
mjgRplpa~ewb}iro9pob
_^o}DwlXatn
}~czrpe9dwl
%-'&~
%- r=
&+IrK
4.0.30319
#Strings
#GUID
#Blor
sefresf.e
CompilatyonRelaxati
nsAttributu
System.Ru~time.Compi|erServices
RuntimeCom
atibilityA
tribute
DeruggableAtt
ibute
Systum.Diagnostycs
Debuggi~gModes
AssumblyTitleA
tribute
tem.Reflec
Assemb|yDescripti
nAttribute
AssemblyCo~figurationQttribute
semblyCompqnyAttributu
AssemblyP
oductAttrirute
Assemb|yCopyrightQttribute
semblyTradumarkAttrib
ComVisirleAttributu
System.Ru~time.Inter
pServices
WuidAttribu
AssemblyVileVersionQttribute
NuutralResou
cesLanguaguAttribute
cystem.Reso
Targe
FrameworkA
tribute
tem.Runtimu.Versioninw
SecurityAstion
Syste}.Security.`ermissions
SecurityPe
missionAtt
ibute
ifiableCoduAttribute
cystem.Secu
Object
System
Envyronment
SpucialFolder
StringBuilter
System.dext
HashAlworithm
em.Securit
.Cryptogra
Dictionqry`2
Syste}.Collectio~s.Generic
]emoryStrea}
System.IO
FileStream
StreamReadur
Assembly
MethodInfo
Syste}.Threading>Tasks
FileInf
IEnumerab|e`1
SHA256
HMACSHA256
CryptoStreqm
CompilerWeneratedAt
ribute
Funs`2
IOExce
SupprussUnmanagetCodeSecuri
yAttribute
STAThreadA
tribute
FlqgsAttributu
ValuuType
WaitHqndle
Syste}.Threading
DebuggerNo~UserCodeAt
ribute
urceManage
CultureInvo
System.G|obalizatio~
IntPtr
String
Stream
YDisposable
FileMode
FyleAccess
FyleShare
tReader
SHQ256Managed
Buffer
Arrqy
RuntimeT
peHandle
MuthodBase
olean
Stri~gCompariso~
Registry
]icrosoft.Wyn32
ISollection`A
Thread
Domain
FiluSystemInfo
RuntimeHel
RuntimuFieldHandlu
FormatExcuption
Encoting
Argume~tNullExcep
Symmet
icAlgorith}
CipherModu
PaddingMote
ICryptoT
ansform
ptoStreamM
Assembl
AssemrlyBuilder
cystem.Refluction.Emit
AssemblyBuylderAccess
ModuleBuilter
MethodB
ilder
dAttribute
CallingCo~ventions
CqllingConve~tion
CharSut
MethodIm
lAttribute
Module
Exseption
Conver
BitConver
SafeWai
Handle
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
#GUID
#Blob
v2.0.50727
#Strin
m_ThreadStaticValue
get_GetInstance
t_Application
get_User
get_WebServices
m_UserObjectProvider
m_MyWebServicesObjectProvider
get_Computer
gesoft.VisualBasic.Devices
m_ComputerObjectProvider
m_AppObjectProviderlicationBase
Microsoft.VisualBasic.ApplicationServices
Computer
Microh
Microsoft.VisualBasic
Stream
System.IO
mscorlib
ValueType
System
.ctor
Object
.cctor
QtoZxQBjgyCjXYCkHCxffdBVY.exe
<Module>
ToUnicodeEx
GetWindowThreadProcessId
GetKeyboardLayout
usemProcessModules
psapi.dll
GetModuleFileNameEx
goextLength
GetKeyboardState
MapVirtualKey
StringBuilder
System.Text
GetWindowText
GetWindowT_CH
WithEventsValue
get_kbHook
set_kbHook
GetForegroundWindou
MoveFileExW
get_CH
seteFile
kernel32
GetModuleFileNameA
zcm.Collections.Generic
MemoryStream
Deletme
IList`1
SysteElapsedEventArgs
System.Timers
zInfo
System.Drawing.Imaging
ImageFormat
32.dll
System.Drawing
ImageCodecwq
GetLastInputInfo
usergbp
Mutex
System.Threading
System.SUP
nCode
wParam
lParam
dwExtraInfo
LLKHF_EXTENDED
LLKHF_INJECTED
LLKHF_ALTDOWN
LLKHF_d_KeyUp
remove_KeyUp
vkCode
scanCode
flagus
UnhookWindowsHookEx
add_KeyDown
remove_KeyDown
SetWindowsHookEx
User32.dll
CallNextHookEx
WH_KEYBOARD_LL
HC_ACTION
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYCallback
DelegateAsyncState
EndInvoke
DelegateAsyncResult
Invoke
TargetMethod
BeginInvoke
IAsyncResult
AsyncCallback
sender
Delegatehanged
WndProc
Message
Finalize
MulticastDelegate
TargetObClipboardChain
SendMessage
add_Changed
remove_C
NativeWindow
SetClipboardViewer
Change
Thread
ExeNamema
Password
get_PasswordHash
get_Password
set_Password
Value
medwTime
value__
OperatingSystemName
ProcessorName
AmountOfMemory
System.Windows.Forms
cbSize
aluePair`2
get_Version
set_Version
get_Keys
set_Keys
FileName
KMeleon
IceCat
PaleMoon
IceDragon
WaterFox
_Version
_Keys
KeyVdf
Mozilla
Postbox
Thunderbird
SeaMonkey
Flock
BlackHawk
CyberFoae
Dictionary`2
GetPrivateProfileString
BASE64
Item2
Item3
iItem1
iItem2
iItem3
List`1
kerName
get_URL
set_URL
get_Browser
set_Browser
urity.Cryptography
get_UserName
set_Us
PackageSid
AppStart
AppEnd
SchemaId
pszCredentialFriendlyName
ectedArray
Attribute
Illegal
Resource
Identity
Authenticatoort
UnsignedShort
UnsignedInt
Double
String
ByteArray
TimeStamp
Protxqe
Undefined
Boolean
VaultEnumerateItems
VaultGetItem
tCloseVault
VaultFree
VaultEnumerateVaults
VaultOpenVault
vaultcli.dll
Vaulrj
iterations
Rijndael
HmacAlgorithm
sSalt
IterationCount
algorithm
passworset_objects
get_Data
set_Data
GetAsnString
Lenght
objects
vnght
_objects
_Data
get_Type
set_Type
get_Lenght
set_Lenght
get_objects
BitString
OctetString
ObjectIdentifier
Asn1DerObject
_Type
Asn1Der
Parse
dataToParse
Sequence
Deflate
Method
FilenameInZip
FileSize
CompressedSize
HeaderOffset
Storec
DateTime
rzgon
Encoding
ForceDeflating
FileAccess
RegQueryValueEx
EncodeUTF8Handle
RegOpenKeyEx
Advapi32
RegClos
SafeHandle
System.Runtime.InteropServices
get_IsInvalid
Release
ypfle_name
root_num
sql_statement
GetVolumeInformationA
baseName
row_id
content
item_type
item_name
astab
qejlementId
xauLastModified
dwFlags
dwPropertiesCount
pPropertyElements
SchemaEm
esourceElement
pIdentityElement
pAuthenticatorElement
pPackageSid
zgxeth
dwIncrement
pbLabel
cbLabel
zgcContext
cbAAD
cbData
Dispose
dwMinLength
dwMaxLengsion
pbNonce
cbNonce
pbAuthData
cbAuthData
pbTag
cbTag
pbMacContext
cbMazgmp
pszAlgId
cbSalt
IDisposable
dwInfoVernd
BCryptDecrypt
BCryptDestroyKey
BCryptEncrypt
zgzgth
BCryptImportKey
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptGetPropeUTH_TAG_MISMATCH
BCryptOpenAlgorithmProvider
bcrypt.dll
zT_AUTH_MODE_CHAIN_CALLS_FLAG
BCRYPT_INIT_AUTH_MODE_INFO_VERSION
STATUS_ADE
BCRYPT_KEY_DATA_BLOB
BCRYPT_AES_ALGORITHM
MS_PRIMITIVE_PROVIDER
BCRYPT_LENGTH
BCRYPT_CHAIN_MODE_GCM
BCRYPT_AUTH_TAG_LENGTH
BCRYPT_CHAINING_MOS
BCRYPT_PAD_PSS
BCRYPT_PAD_OAEP
BCRYPT_KEY_DATA_BLOB_MAGIC
BCRYPT_OBJECm
leOffset
HeaderSize
Crc32
ModifyTime
Comment
ERROR_SUCCES
FinalBlock
ReadByte
get_Length
Write
GetObjectValue
EqualsetricAlgorithm
set_Key
set_IV
CreateDecryptor
ICryptoTransform
Transform
GetCallingAssembly
Buffer
BlockCopy
get_UTF8
GetString
Create
SymmArray
RuntimeFieldHandle
Assembly
System.Reflection
GetExecutingAssemblynsistency
ParamArrayAttribute
UInt32
RuntimeHelpers
InitializeArray
ReliabilityContractAttribute
System.Runtime.ConstrainedExecution
CoDefaultValueAttribute
SuppressUnmanagedCodeSecurityAttribute
System.Secubute
AccessedThroughPropertyAttribute
STAThreadAttribute
FlagsAttribute
tribute
ComVisibleAttribute
CompilerGeneratedAttribute
ThreadStaticAttrite
HelpKeywordAttribute
System.ComponentModel.Design
MyGroupCollectionAtleAttribute
Microsoft.VisualBasic.CompilerServices
HideModuleNameAttribuorBrowsableState
DebuggerHiddenAttribute
System.Diagnostics
StandardModutem.CodeDom.Compiler
EditorBrowsableAttribute
System.ComponentModel
EditCompilationRelaxationsAttribute
GuidAttribute
GeneratedCodeAttribute
SysHCxffdBVY
RuntimeCompatibilityAttribute
System.Runtime.CompilerServices
SQtoZxQBjgyCjXYCk
matID
get_Guid
op_Equality
Regex
System.Text.RegularExpressions
Split
Reocess
get_ProcessName
get_Id
GetProcessesByName
GetImageEncoders
get_ForPhysicalMemory
UInt64
Conversion
Convert
ToDouble
Round
GetCurrentPrtor
get_Current
ManagementBaseObject
MoveNext
GetPropertyValue
get_TotalbjectCollection
ManagementObjectEnumerator
get_OSFullName
GetEnumera
System.Management
ManagementObjectSearcher
ManagementObject
ManagementOplication
WebClient
System.Net
GetTempPath
DownloadFile
ComputerInfoCurrentUser
OpenSubKey
SetValue
Close
Conversions
ToBoolean
ToInteger
Apror
ClearProjectError
Delete
SetAttributes
FileAttributes
Registry
get_MainModule
ProcessModule
get_FileName
ProjectData
SetProjectErterName
CreateDirectory
DirectoryInfo
GetFullPath
GetProcesses_IsBackground
Start
set_Enabled
set_Interval
SystemInformation
get_Compuget_Location
ElapsedEventHandler
add_Elapsed
Operators
CompareString
ThreadStart
Environment
GetEnvironmentVariable
Concat
Directory
Exists
CreateInstance
Sleep
Timer
Process
Exception
RegistryKey
Microsoft.Win32m
etHashCode
GetTypeFromHandle
RuntimeTypeHandle
ToString
Activator
hments
AttachmentCollection
Collection`1
System.Collections.ObjectModel
MailAddress
MailMessage
Attachment
ContentType
System.Net.Mime
get_Attac`1
Interaction
Environ
AppendLine
Clear
SmtpClient
System.Net.Mail
GetFolderPath
SpecialFolder
Combine
IEnumerable
AddRange
IEnumerablebject
ICollection`1
get_Count
IEnumerator
System.Collections
Enumerator
lCompareObjectGreater
DivideObject
MultiplyObject
CompareObjectLess
NotOModObject
SubtractObject
get_Item
set_Item
ToGenericParameter
Conditionaet_ContentLength
GetRequestStream
RNGCryptoServiceProvider
LateIndexGet
LateBinding
LateGet
LateCall
LateSetComplex
set_Method
GetBytes
ToLong
suest
WebRequest
NetworkCredential
set_Credentials
ICredentials
Int32
NewrComputer
get_Info
ConcatenateObject
Contains
DeleteValue
FtpWebReq
Monitor
Enter
EscapeDataString
ReadAllText
AppendAllText
Serve
ToArray
Quality
get_Jpeg
set_Position
Marshal
SizeOf
get_TickCountget_Bounds
get_Width
get_Height
CopyFromScreen
FromImage
Image
get_Paramrameter
EncoderParameters
Bitmap
Rectangle
Point
get_Screen
Screen
AllBytes
ToBase64String
Replace
get_Now
Graphics
Encoder
EncoderPa
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
FromBase64String
NewGuid
DriveInfo
GetDrives
get_IsReady
get_Name
get_der
TripleDES
set_Mode
CipherMode
set_Padding
PaddingMode
CreateEncryptoptoServiceProvider
HashAlgorithm
ComputeHash
TripleDESCryptoServiceProviet_CapsLock
get_ShiftKeyDown
get_CtrlKeyDown
ToUpper
UTF8Encoding
MD5CryrsionInfo
get_ProductName
ToLower
get_Keyboard
Keyboard
get_AltKeyDown
gessById
IntPtr
get_Handle
op_Explicit
get_Capacity
FileVersionInfo
GetVeponseStream
ReadToEnd
Flush
get_Clipboard
ClipboardProxy
GetText
GetProcotocol
SecurityProtocolType
set_KeepAlive
set_Timeout
GetResponse
GetResentials
set_ContentType
set_UserAgent
ServicePointManager
set_SecurityPredirect
set_MaximumAutomaticRedirections
CredentialCache
get_DefaultCredstring
StartsWith
HttpWebRequest
WebResponse
StreamReader
set_AllowAutoRnd
Shell
AppWinStyle
LocalMachine
get_ExecutablePath
get_Millisecond
Sub_Registry
RegistryProxy
Microsoft.VisualBasic.MyServices
RegistryValueKi_UseDefaultCredentials
ICredentialsByHost
set_Port
DeleteSubKey
getentDisposition
set_FileName
set_MediaType
set_IsBodyHtml
set_Subject
t_Host
set_EnableSsl
set_Body
set_Name
get_ContentDisposition
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
LateSet
Escape
get_StartInfo
ProcessStartInfo
set_WindowStyle
ProcessWinueCollection
ReadAllLines
get_Values
RijndaelManaged
Rfc2898DeriveBytes
ReadInt16
Int16
PtrToStringUni
SearchOption
GetSubKeyNames
TrimEnd
ValetValue
ReadIntPtr
SecurityIdentifier
System.Security.Principal
ReadInt3t64
ContainsKey
ConditionalCompareObjectGreaterEqual
get_Size
GetField
G_OSVersion
OperatingSystem
Version
ConditionalCompareObjectNotEqual
ToInns
get_Success
ProtectedData
Unprotect
DataProtectionScope
FieldInfo
GetParent
get_Parent
get_FullName
IsNullOrEmpty
get_Default
RegexOptioances
get_Properties
PropertyDataCollection
PropertyData
GetObject
Appenps
GroupCollection
Group
Capture
get_Value
ManagementClass
Empty
GetInstoryName
KeyCollection
GetFileName
Match
Matches
MatchCollection
get_Groues
Module
GetHINSTANCE
ToInt32
op_Inequality
GetRandomFileName
GetDirectandle
get_Msg
get_WParam
get_LParam
GetType
PtrToStructure
GetModulFileNameWithoutExtension
ChangeType
Delegate
Remove
CreateParams
CreateHset_Attributes
get_TotalFreeSpace
GetExtension
FileInfo
CreateObject
iveType
DriveType
GetFiles
EndsWith
GetDirectories
FileSystemInfo
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
EndianUnicode
Int64
ToUInt16
Utils
CopyArray
LTrim
CompareTo
CreateP
OrObject
Decimal
Subtract
Multiply
ToUInt64
Compare
ToULong
get_Big
CompareObjectNotEqual
AndObject
CompareObjectEqual
CompareObjectGreatermberStyles
IFormatProvider
SHA1CryptoServiceProvider
HMACSHA1
HMACSHA256
get_Key
get_IV
CultureInfo
System.Globalization
get_InvariantCulture
Nueam
get_ASCII
Reverse
AppendFormat
get_HashSize
IsLittleEndiandLine
get_EndOfStream
StringComparison
BinaryReader
OpenRead
get_BaseStrialize
Decoder
GetDecoder
GetCharCount
GetChars
BitConverter
ToInt16
Reaal
ConditionalCompareObjectLess
FileStream
FileMode
FileShare
Floor
InitW
StringSplitOptions
XorObject
ToChar
Random
ConditionalCompareObjectEqu
IndexOf
ToCharArray
Information
UBound
FileSystem
FileAttribute
ChrnerText
get_Unicode
Resize
UnescapeDataString
Format
AddObject
get_Charsent
XmlNodeList
XmlNode
get_ChildNodes
get_ItemOf
XmlElement
get_Ind
InStr
StringType
MidStmtStr
ToByte
System.Xml
XmlDocum
set_UseShellExecute
get_StandardOutput
WaitForExit
Strings
CompareMethom
wStyle
set_Arguments
set_CreateNoWindow
set_RedirectStandardOutput
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
cHGlobal
FreeHGlobal
CryptographicException
et_Minute
get_Hour
get_Day
get_Month
get_Year
ReadUInt16
ReadUInt32
Allopression
CompressionMode
GetTempFileName
SetLength
get_Second
getLastWriteTime
get_CanWrite
SeekOrigin
DeflateStream
System.IO.ComrectorySeparatorChar
LastIndexOf
get_Position
ToUInt32
SetCreationTime
SnSeek
InvalidOperationException
InvalidDataException
GetLastWriteTime
jectError
get_FileSystem
FileSystemProxy
handle
GetEncoding
get_Ca
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
WrapNonExceptionThrows
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
kbHook
tProtocol
Create__Instance__
Dispose__Instance__
My.WebServices
4System.Web.Services.Protocols.SoapHttpClien0
My.Computer
My.Application
My.User
$525546da-560c-4999-a212-040f834d1e5b
MyTemplate
8.0.0.
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_CorExeMain
mscoree.dll
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Disabled permanently!
NUMEROTAREFILE
DISPAREA
NUMEFILADISPARU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v4.0.30319
#Strings
#GUID
#Blob
IEnumerable`1
A90637901F646A6C52B8764165CD5D48522207AC88B8C5A73D7485DEE06AE037
<Module>
5C7C38F27CBD4BCF32C86A4C9D263FB057C7637F88FD3A73EDFF05BA02A73C0D
System.IO
mscorlib
System.Collections.Generic
Synchronized
GetMethod
defaultInstance
Invoke
ICloneable
IDisposable
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
ValueType
MethodBase
ApplicationSettingsBase
Dispose
EditorBrowsableState
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
SecuritySafeCriticalAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
ThemeInfoAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
System.Runtime.Versioning
ToString
System.Drawing
PresentationFramework
System.ComponentModel
UserControl
System
ResourceDictionaryLocation
System.Configuration
System.Globalization
System.Reflection
FileLoadException
MethodInfo
CultureInfo
Bitmap
ResourceManager
System.CodeDom.Compiler
IContainer
.ctor
.cctor
System.Diagnostics
GetMethods
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
3df073a8fd8ae825515295ac765ba289.Resources.resources
y.x.resources
GetTypes
System.Windows.Forms
RuntimeHelpers
System.Windows
Concat
GetObject
IReflect
Default
IComponent
InitializeArray
ToCharArray
get_Assembly
IEvidenceFactory
System.Security
Empty
.NETFramework,Version=v4.5
FrameworkDisplayName
.NET Framework 4.5)
$7836f796-52e2-433c-af24-085702be77a3
3d^Wn%C5#6bQA
t(4G8T!x#6oM5Z*i+
WrapNonExceptionThrows
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.5.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
_CorExeMain
mscoree.dll
IDATx
IHDRQ7
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<!-- UAC Manifest Options
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Specifying requestedExecutionLevel element will disable file and registry virtualization.
Remove this element if your application requires this virtualization for backwards
compatibility.
-->
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!-- A list of the Windows versions that this application has been tested on
and is designed to work with. Uncomment the appropriate elements
and Windows will automatically select the most compatible environment. -->
<!-- Windows Vista -->
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
<!-- Windows 7 -->
<!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
<!-- Windows 8 -->
<!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
<!-- Windows 8.1 -->
<!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
<!-- Windows 10 -->
<!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
</application>
</compatibility>
<!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
<!--
<application xmlns="urn:schemas-microsoft-com:asm.v3">
<windowsSettings>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
</application>
-->
<!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
<!--
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
-->
</assembly>
VS_VEbSION
VarVileI
slati
leInf
00004r0
Comme~ts
crosovt.Wi
32.Prymiti
anyNa}e
crosovt Co
poratyon
FileTescr
ption
osoft>Win3
.Primytive
VileV
rsion
rnalNqme
fresf>exe
LegqlCop
right
ight
\egal
rademqrks
_rigi
alFiluname
sefre
0.NET
Frame
ProtuctV
rsion
bly Vursio
0c94da3683b8f966f434c684ec9e684b0
0c94da3683b8f966f434c684ec9e684b1
0c94da3683b8f966f434c684ec9e684b10
0c94da3683b8f966f434c684ec9e684b100
0c94da3683b8f966f434c684ec9e684b101
0c94da3683b8f966f434c684ec9e684b102
0c94da3683b8f966f434c684ec9e684b103
0c94da3683b8f966f434c684ec9e684b104
0c94da3683b8f966f434c684ec9e684b105
0c94da3683b8f966f434c684ec9e684b106
0c94da3683b8f966f434c684ec9e684b107
0c94da3683b8f966f434c684ec9e684b108
0c94da3683b8f966f434c684ec9e684b109
0c94da3683b8f966f434c684ec9e684b11
0c94da3683b8f966f434c684ec9e684b110
0c94da3683b8f966f434c684ec9e684b111
0c94da3683b8f966f434c684ec9e684b112
0c94da3683b8f966f434c684ec9e684b113
0c94da3683b8f966f434c684ec9e684b114
0c94da3683b8f966f434c684ec9e684b115
0c94da3683b8f966f434c684ec9e684b116
0c94da3683b8f966f434c684ec9e684b117
0c94da3683b8f966f434c684ec9e684b118
0c94da3683b8f966f434c684ec9e684b119
0c94da3683b8f966f434c684ec9e684b12
0c94da3683b8f966f434c684ec9e684b120
0c94da3683b8f966f434c684ec9e684b121
0c94da3683b8f966f434c684ec9e684b122
0c94da3683b8f966f434c684ec9e684b123
0c94da3683b8f966f434c684ec9e684b124
0c94da3683b8f966f434c684ec9e684b125
0c94da3683b8f966f434c684ec9e684b126
0c94da3683b8f966f434c684ec9e684b127
0c94da3683b8f966f434c684ec9e684b128
0c94da3683b8f966f434c684ec9e684b129
0c94da3683b8f966f434c684ec9e684b13
0c94da3683b8f966f434c684ec9e684b130
0c94da3683b8f966f434c684ec9e684b131
0c94da3683b8f966f434c684ec9e684b132
0c94da3683b8f966f434c684ec9e684b133
0c94da3683b8f966f434c684ec9e684b134
0c94da3683b8f966f434c684ec9e684b135
0c94da3683b8f966f434c684ec9e684b136
0c94da3683b8f966f434c684ec9e684b137
0c94da3683b8f966f434c684ec9e684b138
0c94da3683b8f966f434c684ec9e684b139
0c94da3683b8f966f434c684ec9e684b14
0c94da3683b8f966f434c684ec9e684b140
0c94da3683b8f966f434c684ec9e684b141
0c94da3683b8f966f434c684ec9e684b142
0c94da3683b8f966f434c684ec9e684b143
0c94da3683b8f966f434c684ec9e684b144
0c94da3683b8f966f434c684ec9e684b145
0c94da3683b8f966f434c684ec9e684b146
0c94da3683b8f966f434c684ec9e684b147
0c94da3683b8f966f434c684ec9e684b148
0c94da3683b8f966f434c684ec9e684b149
0c94da3683b8f966f434c684ec9e684b15
0c94da3683b8f966f434c684ec9e684b150
0c94da3683b8f966f434c684ec9e684b151
0c94da3683b8f966f434c684ec9e684b152
0c94da3683b8f966f434c684ec9e684b153
0c94da3683b8f966f434c684ec9e684b154
0c94da3683b8f966f434c684ec9e684b155
0c94da3683b8f966f434c684ec9e684b156
0c94da3683b8f966f434c684ec9e684b157
0c94da3683b8f966f434c684ec9e684b158
0c94da3683b8f966f434c684ec9e684b159
0c94da3683b8f966f434c684ec9e684b16
0c94da3683b8f966f434c684ec9e684b160
0c94da3683b8f966f434c684ec9e684b161
0c94da3683b8f966f434c684ec9e684b162
0c94da3683b8f966f434c684ec9e684b163
0c94da3683b8f966f434c684ec9e684b164
0c94da3683b8f966f434c684ec9e684b165
0c94da3683b8f966f434c684ec9e684b166
0c94da3683b8f966f434c684ec9e684b167
0c94da3683b8f966f434c684ec9e684b168
0c94da3683b8f966f434c684ec9e684b169
0c94da3683b8f966f434c684ec9e684b17
0c94da3683b8f966f434c684ec9e684b170
0c94da3683b8f966f434c684ec9e684b171
0c94da3683b8f966f434c684ec9e684b172
0c94da3683b8f966f434c684ec9e684b173
0c94da3683b8f966f434c684ec9e684b174
0c94da3683b8f966f434c684ec9e684b175
0c94da3683b8f966f434c684ec9e684b176
0c94da3683b8f966f434c684ec9e684b177
0c94da3683b8f966f434c684ec9e684b178
0c94da3683b8f966f434c684ec9e684b179
0c94da3683b8f966f434c684ec9e684b18
0c94da3683b8f966f434c684ec9e684b180
0c94da3683b8f966f434c684ec9e684b181
0c94da3683b8f966f434c684ec9e684b182
0c94da3683b8f966f434c684ec9e684b183
0c94da3683b8f966f434c684ec9e684b184
0c94da3683b8f966f434c684ec9e684b185
0c94da3683b8f966f434c684ec9e684b186
0c94da3683b8f966f434c684ec9e684b187
0c94da3683b8f966f434c684ec9e684b188
0c94da3683b8f966f434c684ec9e684b189
0c94da3683b8f966f434c684ec9e684b19
0c94da3683b8f966f434c684ec9e684b190
0c94da3683b8f966f434c684ec9e684b191
0c94da3683b8f966f434c684ec9e684b192
0c94da3683b8f966f434c684ec9e684b193
0c94da3683b8f966f434c684ec9e684b194
0c94da3683b8f966f434c684ec9e684b195
0c94da3683b8f966f434c684ec9e684b196
0c94da3683b8f966f434c684ec9e684b197
0c94da3683b8f966f434c684ec9e684b198
0c94da3683b8f966f434c684ec9e684b199
0c94da3683b8f966f434c684ec9e684b2
0c94da3683b8f966f434c684ec9e684b20
0c94da3683b8f966f434c684ec9e684b200
0c94da3683b8f966f434c684ec9e684b201
0c94da3683b8f966f434c684ec9e684b202
0c94da3683b8f966f434c684ec9e684b203
0c94da3683b8f966f434c684ec9e684b204
0c94da3683b8f966f434c684ec9e684b205
0c94da3683b8f966f434c684ec9e684b206
0c94da3683b8f966f434c684ec9e684b207
0c94da3683b8f966f434c684ec9e684b208
0c94da3683b8f966f434c684ec9e684b209
0c94da3683b8f966f434c684ec9e684b21
0c94da3683b8f966f434c684ec9e684b210
0c94da3683b8f966f434c684ec9e684b211
0c94da3683b8f966f434c684ec9e684b212
0c94da3683b8f966f434c684ec9e684b213
0c94da3683b8f966f434c684ec9e684b214
0c94da3683b8f966f434c684ec9e684b215
0c94da3683b8f966f434c684ec9e684b216
0c94da3683b8f966f434c684ec9e684b217
0c94da3683b8f966f434c684ec9e684b218
0c94da3683b8f966f434c684ec9e684b219
0c94da3683b8f966f434c684ec9e684b22
0c94da3683b8f966f434c684ec9e684b220
0c94da3683b8f966f434c684ec9e684b221
0c94da3683b8f966f434c684ec9e684b222
0c94da3683b8f966f434c684ec9e684b223
0c94da3683b8f966f434c684ec9e684b224
0c94da3683b8f966f434c684ec9e684b225
0c94da3683b8f966f434c684ec9e684b226
0c94da3683b8f966f434c684ec9e684b227
0c94da3683b8f966f434c684ec9e684b228
0c94da3683b8f966f434c684ec9e684b229
0c94da3683b8f966f434c684ec9e684b23
0c94da3683b8f966f434c684ec9e684b230
0c94da3683b8f966f434c684ec9e684b231
0c94da3683b8f966f434c684ec9e684b232
0c94da3683b8f966f434c684ec9e684b233
0c94da3683b8f966f434c684ec9e684b234
0c94da3683b8f966f434c684ec9e684b235
0c94da3683b8f966f434c684ec9e684b236
0c94da3683b8f966f434c684ec9e684b237
0c94da3683b8f966f434c684ec9e684b238
0c94da3683b8f966f434c684ec9e684b239
0c94da3683b8f966f434c684ec9e684b24
0c94da3683b8f966f434c684ec9e684b240
0c94da3683b8f966f434c684ec9e684b241
0c94da3683b8f966f434c684ec9e684b242
0c94da3683b8f966f434c684ec9e684b243
0c94da3683b8f966f434c684ec9e684b244
0c94da3683b8f966f434c684ec9e684b245
0c94da3683b8f966f434c684ec9e684b246
0c94da3683b8f966f434c684ec9e684b247
0c94da3683b8f966f434c684ec9e684b248
0c94da3683b8f966f434c684ec9e684b249
0c94da3683b8f966f434c684ec9e684b25
0c94da3683b8f966f434c684ec9e684b250
0c94da3683b8f966f434c684ec9e684b251
0c94da3683b8f966f434c684ec9e684b252
0c94da3683b8f966f434c684ec9e684b253
0c94da3683b8f966f434c684ec9e684b254
0c94da3683b8f966f434c684ec9e684b255
0c94da3683b8f966f434c684ec9e684b256
0c94da3683b8f966f434c684ec9e684b257
0c94da3683b8f966f434c684ec9e684b258
0c94da3683b8f966f434c684ec9e684b259
0c94da3683b8f966f434c684ec9e684b26
0c94da3683b8f966f434c684ec9e684b260
0c94da3683b8f966f434c684ec9e684b261
0c94da3683b8f966f434c684ec9e684b262
0c94da3683b8f966f434c684ec9e684b263
0c94da3683b8f966f434c684ec9e684b264
0c94da3683b8f966f434c684ec9e684b265
0c94da3683b8f966f434c684ec9e684b266
0c94da3683b8f966f434c684ec9e684b267
0c94da3683b8f966f434c684ec9e684b268
0c94da3683b8f966f434c684ec9e684b27
0c94da3683b8f966f434c684ec9e684b28
0c94da3683b8f966f434c684ec9e684b29
0c94da3683b8f966f434c684ec9e684b3
0c94da3683b8f966f434c684ec9e684b30
0c94da3683b8f966f434c684ec9e684b31
0c94da3683b8f966f434c684ec9e684b32
0c94da3683b8f966f434c684ec9e684b33
0c94da3683b8f966f434c684ec9e684b34
0c94da3683b8f966f434c684ec9e684b35
0c94da3683b8f966f434c684ec9e684b36
0c94da3683b8f966f434c684ec9e684b37
0c94da3683b8f966f434c684ec9e684b38
0c94da3683b8f966f434c684ec9e684b39
0c94da3683b8f966f434c684ec9e684b4
0c94da3683b8f966f434c684ec9e684b40
0c94da3683b8f966f434c684ec9e684b41
0c94da3683b8f966f434c684ec9e684b42
0c94da3683b8f966f434c684ec9e684b43
0c94da3683b8f966f434c684ec9e684b44
0c94da3683b8f966f434c684ec9e684b45
0c94da3683b8f966f434c684ec9e684b46
0c94da3683b8f966f434c684ec9e684b47
0c94da3683b8f966f434c684ec9e684b48
0c94da3683b8f966f434c684ec9e684b49
0c94da3683b8f966f434c684ec9e684b5
0c94da3683b8f966f434c684ec9e684b50
0c94da3683b8f966f434c684ec9e684b51
0c94da3683b8f966f434c684ec9e684b52
0c94da3683b8f966f434c684ec9e684b53
0c94da3683b8f966f434c684ec9e684b54
0c94da3683b8f966f434c684ec9e684b55
0c94da3683b8f966f434c684ec9e684b56
0c94da3683b8f966f434c684ec9e684b57
0c94da3683b8f966f434c684ec9e684b58
0c94da3683b8f966f434c684ec9e684b59
0c94da3683b8f966f434c684ec9e684b6
0c94da3683b8f966f434c684ec9e684b60
0c94da3683b8f966f434c684ec9e684b61
0c94da3683b8f966f434c684ec9e684b62
0c94da3683b8f966f434c684ec9e684b63
0c94da3683b8f966f434c684ec9e684b64
0c94da3683b8f966f434c684ec9e684b65
0c94da3683b8f966f434c684ec9e684b66
0c94da3683b8f966f434c684ec9e684b67
0c94da3683b8f966f434c684ec9e684b68
0c94da3683b8f966f434c684ec9e684b69
0c94da3683b8f966f434c684ec9e684b7
0c94da3683b8f966f434c684ec9e684b70
0c94da3683b8f966f434c684ec9e684b71
0c94da3683b8f966f434c684ec9e684b72
0c94da3683b8f966f434c684ec9e684b73
0c94da3683b8f966f434c684ec9e684b74
0c94da3683b8f966f434c684ec9e684b75
0c94da3683b8f966f434c684ec9e684b76
0c94da3683b8f966f434c684ec9e684b77
0c94da3683b8f966f434c684ec9e684b78
0c94da3683b8f966f434c684ec9e684b79
0c94da3683b8f966f434c684ec9e684b8
0c94da3683b8f966f434c684ec9e684b80
0c94da3683b8f966f434c684ec9e684b81
0c94da3683b8f966f434c684ec9e684b82
0c94da3683b8f966f434c684ec9e684b83
0c94da3683b8f966f434c684ec9e684b84
0c94da3683b8f966f434c684ec9e684b85
0c94da3683b8f966f434c684ec9e684b86
0c94da3683b8f966f434c684ec9e684b87
0c94da3683b8f966f434c684ec9e684b88
0c94da3683b8f966f434c684ec9e684b89
0c94da3683b8f966f434c684ec9e684b9
0c94da3683b8f966f434c684ec9e684b90
0c94da3683b8f966f434c684ec9e684b91
0c94da3683b8f966f434c684ec9e684b92
0c94da3683b8f966f434c684ec9e684b93
0c94da3683b8f966f434c684ec9e684b94
0c94da3683b8f966f434c684ec9e684b95
0c94da3683b8f966f434c684ec9e684b96
0c94da3683b8f966f434c684ec9e684b97
0c94da3683b8f966f434c684ec9e684b98
0c94da3683b8f966f434c684ec9e684b99
cdfe5e4b2882fa050c2730887bf873aa
mogktcj
rnvxru
Length
ComputeHash
tive byte-order)
Unknow database for
00000002
1.85 (Hash, version 2, naC
00061561
Berkelet DBey
-0123456789ABCDEFGHIJKLMNOPQRSTUVWX
logins
abcdefghijklmnopqrstuvwxyz
0.0.0.0
uctVersion
0.0.0.0
Assembly VersioZxQBjgyCjXYCkHCxffdBVY.exe
ProdlCopyright
OriginalFilename
SQtoZxQBjgyCjXYCkHCxffdBVY.exe
LegaVersion
0.0.0.0
InternalName
SQt0004b0
FileDescription
Fileanslation
StringFileInfo
VarFileInfo
VS_VERSION_INFO
Resources: VS_VERSION_INFO (VarFileInfo / Translation 000004b0, StringFileInfo)
  FileDescription: 3d^Wn%C5#6bQA
  FileVersion: 0.0.0.0
  InternalName: sn12.exe
  LegalCopyright:
  OriginalFilename: sn12.exe
  ProductName: 3d^Wn%C5#6bQA
  ProductVersion: 0.0.0.0
  Assembly Version: 0.0.0.0

Full Results

Engine | Signature | Engine | Signature | Engine | Signature
Bkav | Clean | DrWeb | Clean | MicroWorld-eScan | Clean
CMC | Clean | CAT-QuickHeal | Clean | McAfee | GenericRXKW-MK!99F463342893
Malwarebytes | Clean | Zillya | Clean | SUPERAntiSpyware | Clean
Sangfor | Malware | K7AntiVirus | Clean | Alibaba | Clean
K7GW | Clean | CrowdStrike | win/malicious_confidence_100% (W) | Arcabit | Clean
TrendMicro | Clean | BitDefenderTheta | Gen:[email protected] | Cyren | W32/MSIL_Kryptik.AIK.gen!Eldorado
Symantec | Clean | TotalDefense | Clean | Zoner | Clean
TrendMicro-HouseCall | Clean | Avast | Clean | ClamAV | Clean
Kaspersky | UDS:DangerousObject.Multi.Generic | BitDefender | Clean | NANO-Antivirus | Clean
AegisLab | Clean | Rising | Clean | Endgame | malicious (high confidence)
Emsisoft | Clean | Comodo | Clean | F-Secure | Clean
Baidu | Clean | VIPRE | Clean | Invincea | heuristic
McAfee-GW-Edition | Clean | Trapmine | Clean | FireEye | Generic.mg.99f463342893d843
Sophos | Clean | Paloalto | generic.ml | F-Prot | Clean
Jiangmin | Clean | Webroot | Clean | Avira | Clean
Fortinet | MSIL/Kryptik.WEL!tr | Antiy-AVL | Clean | Kingsoft | Clean
Microsoft | Trojan:Win32/Wacatac.C!ml | ViRobot | Clean | ZoneAlarm | UDS:DangerousObject.Multi.Generic
Avast-Mobile | Clean | TACHYON | Clean | AhnLab-V3 | Clean
Acronis | Clean | ALYac | Clean | MAX | Clean
Ad-Aware | Clean | APEX | Malicious | ESET-NOD32 | Clean
Tencent | Clean | Yandex | Clean | SentinelOne | DFI - Malicious PE
eGambit | Unsafe.AI_Score_100% | GData | Clean | AVG | FileRepMalware
Cybereason | malicious.ce2b39 | Panda | Clean | Qihoo-360 | HEUR/QVM03.0.B1EC.Malware.Gen
Sorry! No behavior.

Hosts

Direct | IP | Country Name
Y | 8.8.8.8 | United States
Y | 1.1.1.1 | Australia

TCP

No TCP connections recorded.

UDP

Source | Source Port | Destination | Destination Port
192.168.1.4 | 62350 | 1.1.1.1 | 53
192.168.1.4 | 62350 | 8.8.8.8 | 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Credential Access
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser

Collection
  • T1005 - Data from Local System
    • Signature - infostealer_browser

Execution
  • T1129 - Execution through Module Load
    • Signature - dropper
  • T1118 - InstallUtil
    • Signature - spawns_dev_util
  • T1127 - Trusted Developer Utilities
    • Signature - spawns_dev_util

Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 8.800999999999998 seconds )

    • 5.21 Suricata
    • 1.763 BehaviorAnalysis
    • 0.709 Static
    • 0.394 VirusTotal
    • 0.325 CAPE
    • 0.185 static_dotnet
    • 0.072 TargetInfo
    • 0.057 NetworkAnalysis
    • 0.029 Deduplicate
    • 0.019 AnalysisInfo
    • 0.018 Strings
    • 0.01 Dropped
    • 0.005 Debug
    • 0.005 peid

    Signatures ( 1.8789999999999958 seconds )

    • 0.372 antiav_detectreg
    • 0.138 infostealer_ftp
    • 0.127 territorial_disputes_sigs
    • 0.078 antianalysis_detectreg
    • 0.078 infostealer_im
    • 0.05 stealth_timeout
    • 0.048 api_spamming
    • 0.048 decoy_document
    • 0.045 masquerade_process_name
    • 0.042 antivm_vbox_keys
    • 0.037 NewtWire Behavior
    • 0.037 antiav_detectfile
    • 0.029 infostealer_mail
    • 0.028 antivm_vmware_keys
    • 0.025 antivm_generic_disk
    • 0.023 infostealer_bitcoin
    • 0.022 Doppelganging
    • 0.021 mimics_filetime
    • 0.021 antivm_parallels_keys
    • 0.02 antivm_xen_keys
    • 0.019 reads_self
    • 0.019 antianalysis_detectfile
    • 0.018 InjectionCreateRemoteThread
    • 0.017 injection_createremotethread
    • 0.017 virus
    • 0.017 ransomware_files
    • 0.016 stealth_file
    • 0.015 infostealer_browser
    • 0.015 antivm_vbox_files
    • 0.014 bootkit
    • 0.014 antivm_generic_diskreg
    • 0.014 antivm_vpc_keys
    • 0.013 antivm_generic_scsi
    • 0.013 geodo_banking_trojan
    • 0.011 antidebug_guardpages
    • 0.011 hancitor_behavior
    • 0.01 antiemu_wine_func
    • 0.01 exploit_heapspray
    • 0.01 qulab_files
    • 0.01 ransomware_extensions
    • 0.009 InjectionInterProcess
    • 0.009 Unpacker
    • 0.009 dynamic_function_loading
    • 0.009 predatorthethief_files
    • 0.008 infostealer_browser_password
    • 0.008 malicious_dynamic_function_loading
    • 0.007 betabot_behavior
    • 0.007 kibex_behavior
    • 0.007 persistence_autorun
    • 0.007 antivm_hyperv_keys
    • 0.007 bypass_firewall
    • 0.006 antivm_generic_services
    • 0.006 exec_crash
    • 0.006 kovter_behavior
    • 0.006 antidbg_devices
    • 0.006 antivm_xen_keys
    • 0.005 antiav_avast_libs
    • 0.005 antivm_vbox_libs
    • 0.005 injection_runpe
    • 0.005 blackrat_registry_keys
    • 0.005 OrcusRAT Behavior
    • 0.005 recon_programs
    • 0.005 stack_pivot
    • 0.005 antivm_vmware_files
    • 0.005 ketrican_regkeys
    • 0.005 browser_security
    • 0.005 limerat_regkeys
    • 0.004 InjectionProcessHollowing
    • 0.004 PlugX
    • 0.004 dyre_behavior
    • 0.004 exploit_getbasekerneladdress
    • 0.004 hawkeye_behavior
    • 0.004 network_tor
    • 0.004 shifu_behavior
    • 0.004 darkcomet_regkeys
    • 0.004 disables_browser_warn
    • 0.004 recon_fingerprint
    • 0.003 antisandbox_sunbelt_libs
    • 0.003 encrypted_ioc
    • 0.003 exploit_gethaldispatchtable
    • 0.003 vawtrak_behavior
    • 0.003 antivm_generic_bios
    • 0.003 antivm_generic_system
    • 0.003 antivm_vbox_devices
    • 0.003 remcos_regkeys
    • 0.002 antiav_bitdefender_libs
    • 0.002 antiav_bullgaurd_libs
    • 0.002 antiav_emsisoft_libs
    • 0.002 antiav_qurb_libs
    • 0.002 antidbg_windows
    • 0.002 antiav_apioverride_libs
    • 0.002 antiav_nthookengine_libs
    • 0.002 antisandbox_sboxie_libs
    • 0.002 antisandbox_sleep
    • 0.002 uac_bypass_eventvwr
    • 0.002 ipc_namedpipe
    • 0.002 kazybot_behavior
    • 0.002 modify_proxy
    • 0.002 codelux_behavior
    • 0.002 medusalocker_regkeys
    • 0.002 obliquerat_files
    • 0.002 rat_pcclient
    • 0.002 warzonerat_regkeys
    • 0.001 InjectionSetWindowLong
    • 0.001 antivm_vmware_libs
    • 0.001 lsass_credential_dumping
    • 0.001 Vidar Behavior
    • 0.001 injection_explorer
    • 0.001 office_flash_load
    • 0.001 persistence_autorun_tasks
    • 0.001 persistence_bootexecute
    • 0.001 rat_nanocore
    • 0.001 tinba_behavior
    • 0.001 neshta_files
    • 0.001 antisandbox_cuckoo_files
    • 0.001 antisandbox_fortinet_files
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 antisandbox_threattrack_files
    • 0.001 antivm_vpc_files
    • 0.001 banker_cridex
    • 0.001 browser_addon
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 network_tor_service
    • 0.001 packer_armadillo_regkey
    • 0.001 persistence_shim_database
    • 0.001 nemty_regkeys
    • 0.001 revil_mutexes
    • 0.001 dcrat_files
    • 0.001 warzonerat_files
    • 0.001 remcos_files
    • 0.001 sniffer_winpcap
    • 0.001 stealth_hiddenreg
    • 0.001 stealth_hide_notifications
    • 0.001 targeted_flame

    Reporting ( 12.369 seconds )

    • 12.328 BinGraph
    • 0.041 MITRE_TTPS