Auto Tasks

#6726: Unpacker

Analysis

Category: FILE
Package: exe
Started: 2020-06-05 14:53:14
Completed: 2020-06-05 15:00:32
Duration: 438 seconds
Options: procdump = yes
Log:
2020-05-13 09:26:20,071 [root] INFO: Date set to: 20200605T14:53:13, timeout set to: 200
2020-06-05 14:53:13,093 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-05 14:53:13,093 [root] DEBUG: Storing results at: C:\cMZnJUhg
2020-06-05 14:53:13,093 [root] DEBUG: Pipe server name: \\.\PIPE\QHRBcN
2020-06-05 14:53:13,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-05 14:53:13,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-05 14:53:13,093 [root] INFO: Automatically selected analysis package "exe"
2020-06-05 14:53:13,093 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-05 14:53:13,125 [root] DEBUG: Imported analysis package "exe".
2020-06-05 14:53:13,140 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-05 14:53:13,140 [root] DEBUG: Initialized analysis package "exe".
2020-06-05 14:53:13,812 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-05 14:53:13,812 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-05 14:53:13,828 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-05 14:53:13,890 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-05 14:53:13,890 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-05 14:53:13,953 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-05 14:53:13,968 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-05 14:53:14,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-05 14:53:14,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-05 14:53:14,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-05 14:53:14,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-05 14:53:14,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-05 14:53:14,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-05 14:53:14,796 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-05 14:53:14,859 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-05 14:53:14,859 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-05 14:53:24,390 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-05 14:53:24,500 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-05 14:53:24,671 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-05 14:53:24,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-05 14:53:24,671 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-05 14:53:24,687 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-05 14:53:24,687 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-05 14:53:24,796 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-05 14:53:24,796 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-05 14:53:24,812 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-05 14:53:24,812 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-05 14:53:24,812 [root] DEBUG: Started auxiliary module Browser
2020-06-05 14:53:24,812 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-05 14:53:24,812 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-05 14:53:24,812 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-05 14:53:24,812 [root] DEBUG: Started auxiliary module Curtain
2020-06-05 14:53:24,812 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-05 14:53:24,812 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-05 14:53:24,812 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-05 14:53:24,812 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-05 14:53:26,968 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-05 14:53:26,968 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-05 14:53:26,984 [root] DEBUG: Started auxiliary module DigiSig
2020-06-05 14:53:26,984 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-05 14:53:26,984 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-05 14:53:26,984 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-05 14:53:27,000 [root] DEBUG: Started auxiliary module Disguise
2020-06-05 14:53:27,000 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-05 14:53:27,000 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-05 14:53:27,000 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-05 14:53:27,015 [root] DEBUG: Started auxiliary module Human
2020-06-05 14:53:27,015 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-05 14:53:27,015 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-05 14:53:27,031 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-05 14:53:27,031 [root] DEBUG: Started auxiliary module Procmon
2020-06-05 14:53:27,031 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-05 14:53:27,031 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-05 14:53:27,031 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-05 14:53:27,031 [root] DEBUG: Started auxiliary module Screenshots
2020-06-05 14:53:27,031 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-05 14:53:27,046 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-05 14:53:27,046 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-05 14:53:27,046 [root] DEBUG: Started auxiliary module Sysmon
2020-06-05 14:53:27,046 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-05 14:53:27,046 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-05 14:53:27,046 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-05 14:53:27,046 [root] DEBUG: Started auxiliary module Usage
2020-06-05 14:53:27,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-05 14:53:27,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-05 14:53:27,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-05 14:53:27,046 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-05 14:53:27,093 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe" with arguments "" with pid 1120
2020-06-05 14:53:27,093 [lib.api.process] INFO: Monitor config for process 1120: C:\tmp2ssujfce\dll\1120.ini
2020-06-05 14:53:27,093 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:53:27,093 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:53:27,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:53:27,234 [root] DEBUG: Loader: Injecting process 1120 (thread 312) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:53:27,234 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:53:27,234 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:53:27,249 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:53:27,249 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:53:27,249 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1120
2020-06-05 14:53:29,249 [lib.api.process] INFO: Successfully resumed process with pid 1120
2020-06-05 14:53:29,281 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:53:29,281 [root] DEBUG: Process dumps disabled.
2020-06-05 14:53:29,281 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:53:29,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1120 at 0x6fb80000, image base 0x3e0000, stack from 0x2a6000-0x2b0000
2020-06-05 14:53:29,296 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe".
2020-06-05 14:53:29,359 [root] INFO: loaded: b'1120'
2020-06-05 14:53:29,359 [root] INFO: Loaded monitor into process with pid 1120
2020-06-05 14:53:29,359 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-05 14:53:29,359 [root] DEBUG: set_caller_info: Adding region at 0x01F50000 to caller regions list (ntdll::RtlDispatchException).
2020-06-05 14:53:29,375 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1f50000
2020-06-05 14:53:29,375 [root] INFO: ('dump_file', 'C:\\cMZnJUhg\\CAPE\\1120_23459648293366662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?0x01F50000;?', ['1120'], 'CAPE')
2020-06-05 14:53:29,484 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\cMZnJUhg\CAPE\1120_23459648293366662020 (size 0xffe)
2020-06-05 14:53:29,484 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x001B0000.
2020-06-05 14:53:29,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x72D60000 to global list.
2020-06-05 14:53:29,625 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-05 14:53:29,625 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-06-05 14:53:29,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x00460000 to global list.
2020-06-05 14:53:29,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x00460000 to global list.
2020-06-05 14:53:29,656 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-05 14:53:29,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F5C0000 for section view with handle 0xe8.
2020-06-05 14:53:29,687 [root] DEBUG: DLL loaded at 0x6F5C0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-05 14:53:29,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F520000 for section view with handle 0xec.
2020-06-05 14:53:29,703 [root] DEBUG: DLL loaded at 0x6F520000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-05 14:53:29,734 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1120, handle 0xf8.
2020-06-05 14:53:29,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x001A0000 to global list.
2020-06-05 14:53:29,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x002B0000 to global list.
2020-06-05 14:53:29,734 [root] INFO: Disabling sleep skipping.
2020-06-05 14:53:29,750 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1120.
2020-06-05 14:53:29,750 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1120.
2020-06-05 14:53:29,750 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-05 14:53:29,765 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-05 14:53:29,765 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1120.
2020-06-05 14:53:29,781 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1120.
2020-06-05 14:53:29,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b8 amd local view 0x6DF20000 to global list.
2020-06-05 14:53:29,796 [root] DEBUG: DLL loaded at 0x6DF20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-05 14:53:29,812 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-06-05 14:53:29,875 [root] DEBUG: set_caller_info: Adding region at 0x00160000 to caller regions list (kernel32::SetErrorMode).
2020-06-05 14:53:29,937 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x19ffff
2020-06-05 14:53:29,937 [root] DEBUG: DumpMemory: Nothing to dump at 0x00160000!
2020-06-05 14:53:29,937 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00160000 size 0x40000.
2020-06-05 14:53:29,937 [root] INFO: ('dump_file', 'C:\\cMZnJUhg\\CAPE\\1120_1739022365293366662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?0x00160000;?', ['1120'], 'CAPE')
2020-06-05 14:53:29,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\cMZnJUhg\CAPE\1120_1739022365293366662020 (size 0xffe)
2020-06-05 14:53:29,984 [root] DEBUG: DumpRegion: Dumped stack region from 0x00160000, size 0x1000.
2020-06-05 14:53:29,984 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-05 14:53:29,984 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x002D0000.
2020-06-05 14:53:29,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1cc amd local view 0x00540000 to global list.
2020-06-05 14:53:30,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c8 amd local view 0x03360000 to global list.
2020-06-05 14:53:30,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F4C0000 for section view with handle 0x1c8.
2020-06-05 14:53:30,734 [root] DEBUG: DLL loaded at 0x6F4C0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-05 14:53:31,562 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-05 14:53:31,859 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x57ffff
2020-06-05 14:53:31,859 [root] DEBUG: DumpMemory: Nothing to dump at 0x00570000!
2020-06-05 14:53:31,875 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00570000 size 0x10000.
2020-06-05 14:53:31,875 [root] INFO: ('dump_file', 'C:\\cMZnJUhg\\CAPE\\1120_1870260064313366662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?0x00570000;?', ['1120'], 'CAPE')
2020-06-05 14:53:31,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\cMZnJUhg\CAPE\1120_1870260064313366662020 (size 0x89)
2020-06-05 14:53:33,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e0 amd local view 0x6ECD0000 to global list.
2020-06-05 14:53:33,156 [root] DEBUG: DLL loaded at 0x6ECD0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-05 14:53:33,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EB40000 for section view with handle 0x1e0.
2020-06-05 14:53:33,171 [root] DEBUG: DLL loaded at 0x6EB40000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-05 14:53:33,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D340000 for section view with handle 0x1e0.
2020-06-05 14:53:33,187 [root] DEBUG: DLL loaded at 0x6D340000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-05 14:53:33,406 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-06-05 14:53:33,421 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e8 amd local view 0x6CE70000 to global list.
2020-06-05 14:53:39,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x6D1A0000 to global list.
2020-06-05 14:53:39,656 [root] DEBUG: DLL loaded at 0x6D1A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-05 14:53:39,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x00490000 to global list.
2020-06-05 14:53:40,000 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\GDIPFONTCACHEV1.DAT', '', False, 'files')
2020-06-05 14:53:40,031 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x00490000 to global list.
2020-06-05 14:53:40,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x004A0000 to global list.
2020-06-05 14:53:40,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:40,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:40,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:40,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:40,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:40,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:41,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:41,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:41,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:41,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:41,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:41,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:41,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:41,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:42,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:53:42,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:42,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:42,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:43,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:43,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:43,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:44,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:44,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:44,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:45,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:45,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:45,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:45,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:45,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:45,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:45,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:45,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:45,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:46,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:46,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:47,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:47,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:47,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:51,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:51,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:52,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07450000 for section view with handle 0x20c.
2020-06-05 14:53:52,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:53,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:53:53,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:53,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x063D0000 for section view with handle 0x20c.
2020-06-05 14:53:53,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:53,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:53:53,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:54,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:53:54,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:54,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:53:55,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:58,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:53:58,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x20c.
2020-06-05 14:53:58,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:53:58,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x09C90000 for section view with handle 0x20c.
2020-06-05 14:53:58,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08420000 for section view with handle 0x20c.
2020-06-05 14:53:58,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x09C90000 for section view with handle 0x20c.
2020-06-05 14:53:59,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08420000 for section view with handle 0x20c.
2020-06-05 14:53:59,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x09C90000 for section view with handle 0x20c.
2020-06-05 14:53:59,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08420000 for section view with handle 0x20c.
2020-06-05 14:53:59,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:02,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08420000 for section view with handle 0x20c.
2020-06-05 14:54:02,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:03,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:54:03,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:03,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:54:03,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:03,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06D20000 for section view with handle 0x20c.
2020-06-05 14:54:03,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:04,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03360000 for section view with handle 0x20c.
2020-06-05 14:54:04,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004A0000 for section view with handle 0x20c.
2020-06-05 14:54:04,343 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\GDIPFONTCACHEV1.DAT', '', False, 'files')
2020-06-05 14:54:04,375 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\GDIPFONTCACHEV1.DAT', '', False, 'files')
2020-06-05 14:54:04,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x08420000 to global list.
2020-06-05 14:54:04,546 [root] DEBUG: set_caller_info: Adding region at 0x004A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-05 14:54:04,546 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x4affff
2020-06-05 14:54:04,562 [root] DEBUG: DumpMemory: Nothing to dump at 0x004A0000!
2020-06-05 14:54:04,562 [root] INFO: ('dump_file', 'C:\\cMZnJUhg\\CAPE\\1120_168178065443466662020', b'9;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?C:\\Users\\Louise\\AppData\\Local\\Temp\\PO .EXCEL.xls.exe;?0x004A0000;?', ['1120'], 'CAPE')
2020-06-05 14:54:04,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\cMZnJUhg\CAPE\1120_168178065443466662020 (size 0x19f)
2020-06-05 14:54:04,578 [root] DEBUG: DumpRegion: Dumped stack region from 0x004A0000, size 0x1000.
2020-06-05 14:54:04,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 amd local view 0x004B0000 to global list.
2020-06-05 14:54:04,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x005D0000 to global list.
2020-06-05 14:54:04,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 amd local view 0x73D80000 to global list.
2020-06-05 14:54:04,765 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-05 14:54:04,765 [root] DEBUG: DLL unloaded from 0x73D80000.
2020-06-05 14:54:04,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06320000 for section view with handle 0x224.
2020-06-05 14:54:04,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004C0000 for section view with handle 0x224.
2020-06-05 14:54:04,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x72F80000 to global list.
2020-06-05 14:54:04,906 [root] DEBUG: DLL loaded at 0x72F80000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-05 14:54:14,953 [root] DEBUG: DLL loaded at 0x71090000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-05 14:54:14,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00580000 for section view with handle 0x220.
2020-06-05 14:54:14,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00590000 for section view with handle 0x220.
2020-06-05 14:54:14,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x220.
2020-06-05 14:54:15,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x03360000 to global list.
2020-06-05 14:54:15,875 [root] DEBUG: DLL loaded at 0x71080000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-05 14:54:15,968 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-05 14:54:15,968 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-05 14:54:16,000 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\JnGQvnqb.exe', '', False, 'files')
2020-06-05 14:54:16,031 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\JnGQvnqb.exe', '', False, 'files')
2020-06-05 14:54:16,046 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Roaming\\JnGQvnqb.exe', '', False, 'files')
2020-06-05 14:54:16,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1120.
2020-06-05 14:54:16,281 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1120.
2020-06-05 14:54:16,375 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9668.tmp', '', False, 'files')
2020-06-05 14:54:16,468 [root] DEBUG: DLL loaded at 0x70F80000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-05 14:54:16,468 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-05 14:54:16,484 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-05 14:54:16,484 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-05 14:54:16,546 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x704C0000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x704B0000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-05 14:54:16,562 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-06-05 14:54:16,578 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-06-05 14:54:16,593 [root] DEBUG: DLL loaded at 0x76800000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-06-05 14:54:16,593 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-05 14:54:16,609 [root] DEBUG: DLL loaded at 0x76EC0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-06-05 14:54:16,609 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-06-05 14:54:16,640 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-05 14:54:16,656 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-06-05 14:54:16,687 [root] DEBUG: DLL loaded at 0x704A0000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-05 14:54:16,687 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-06-05 14:54:16,718 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3544
2020-06-05 14:54:16,718 [lib.api.process] INFO: Monitor config for process 3544: C:\tmp2ssujfce\dll\3544.ini
2020-06-05 14:54:16,718 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:16,718 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:16,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:16,750 [root] DEBUG: Loader: Injecting process 3544 (thread 3212) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,750 [root] DEBUG: Process image base: 0x00540000
2020-06-05 14:54:16,750 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,750 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-05 14:54:16,750 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,765 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3544
2020-06-05 14:54:16,796 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3544, ImageBase: 0x00540000
2020-06-05 14:54:16,796 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3544
2020-06-05 14:54:16,796 [lib.api.process] INFO: Monitor config for process 3544: C:\tmp2ssujfce\dll\3544.ini
2020-06-05 14:54:16,796 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:16,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:16,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:16,812 [root] DEBUG: Loader: Injecting process 3544 (thread 3212) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,812 [root] DEBUG: Process image base: 0x00540000
2020-06-05 14:54:16,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,812 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-05 14:54:16,812 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:16,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3544
2020-06-05 14:54:16,843 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-05 14:54:16,859 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-05 14:54:16,859 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-05 14:54:16,875 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:54:16,875 [root] DEBUG: Process dumps disabled.
2020-06-05 14:54:16,875 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:54:16,890 [root] INFO: Disabling sleep skipping.
2020-06-05 14:54:16,890 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-05 14:54:16,890 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3544 at 0x6fb80000, image base 0x540000, stack from 0x2e6000-0x2f0000
2020-06-05 14:54:16,890 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\JnGQvnqb" \XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp".
2020-06-05 14:54:16,937 [root] INFO: loaded: b'3544'
2020-06-05 14:54:16,953 [root] INFO: Loaded monitor into process with pid 3544
2020-06-05 14:54:17,000 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-06-05 14:54:17,000 [root] DEBUG: DLL unloaded from 0x00540000.
2020-06-05 14:54:17,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x037D0000 to global list.
2020-06-05 14:54:17,031 [root] INFO: Stopping Task Scheduler Service
2020-06-05 14:54:17,750 [root] INFO: Stopped Task Scheduler Service
2020-06-05 14:54:17,828 [root] INFO: Starting Task Scheduler Service
2020-06-05 14:54:17,921 [root] INFO: Started Task Scheduler Service
2020-06-05 14:54:17,921 [lib.api.process] INFO: Monitor config for process 844: C:\tmp2ssujfce\dll\844.ini
2020-06-05 14:54:17,921 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:17,921 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp2ssujfce\dll\NAlDZG.dll, loader C:\tmp2ssujfce\bin\KLkvvhaG.exe
2020-06-05 14:54:17,937 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:17,937 [root] DEBUG: Loader: Injecting process 844 (thread 0) with C:\tmp2ssujfce\dll\NAlDZG.dll.
2020-06-05 14:54:17,937 [root] DEBUG: Error 0 (0x0) - GetProcessInitialThreadId: Remote PEB 0x000007FFFFFDD000 Local PEB 0x000007FFFFFDE000 Local TEB 0x000007FFFFFD8000: The operation completed successfully.
2020-06-05 14:54:17,953 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-05 14:54:17,953 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-05 14:54:17,953 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-05 14:54:17,953 [root] DEBUG: Process dumps disabled.
2020-06-05 14:54:17,968 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-05 14:54:17,968 [root] INFO: Disabling sleep skipping.
2020-06-05 14:54:17,968 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 844 at 0x0000000070390000, image base 0x00000000FFEF0000, stack from 0x0000000002C86000-0x0000000002C90000
2020-06-05 14:54:17,968 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-05 14:54:18,031 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-05 14:54:18,031 [root] WARNING: b'Unable to hook LockResource'
2020-06-05 14:54:18,078 [root] INFO: loaded: b'844'
2020-06-05 14:54:18,078 [root] INFO: Loaded monitor into process with pid 844
2020-06-05 14:54:18,078 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-05 14:54:18,078 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-05 14:54:18,093 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\NAlDZG.dll.
2020-06-05 14:54:20,093 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-05 14:54:20,125 [root] DEBUG: DLL loaded at 0x73640000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-06-05 14:54:21,046 [root] DEBUG: DLL unloaded from 0x76680000.
2020-06-05 14:54:21,046 [root] WARNING: Unable to open termination event for pid 3544.
2020-06-05 14:54:21,093 [root] INFO: ('delete_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9668.tmp')
2020-06-05 14:54:21,093 [root] INFO: ('dump_file', 'C:\\Users\\Louise\\AppData\\Local\\Temp\\tmp9668.tmp', '', False, 'files')
2020-06-05 14:54:21,156 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 2072
2020-06-05 14:54:21,156 [lib.api.process] INFO: Monitor config for process 2072: C:\tmp2ssujfce\dll\2072.ini
2020-06-05 14:54:21,156 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:21,156 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:21,296 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:21,296 [root] DEBUG: Loader: Injecting process 2072 (thread 1160) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,296 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:21,296 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:21,296 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:21,312 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2072
2020-06-05 14:54:21,343 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2072, ImageBase: 0x003E0000
2020-06-05 14:54:21,343 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 2072
2020-06-05 14:54:21,343 [lib.api.process] INFO: Monitor config for process 2072: C:\tmp2ssujfce\dll\2072.ini
2020-06-05 14:54:21,343 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:21,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:21,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:21,437 [root] DEBUG: Loader: Injecting process 2072 (thread 1160) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,437 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:21,484 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:21,484 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:21,484 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2072
2020-06-05 14:54:21,656 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 1900
2020-06-05 14:54:21,703 [lib.api.process] INFO: Monitor config for process 1900: C:\tmp2ssujfce\dll\1900.ini
2020-06-05 14:54:21,750 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:21,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:21,781 [root] DEBUG: DLL unloaded from 0x000007FEFD5B0000.
2020-06-05 14:54:21,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:21,796 [root] DEBUG: Loader: Injecting process 1900 (thread 3608) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,796 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:21,796 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:21,796 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:21,796 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1900
2020-06-05 14:54:21,843 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1900, ImageBase: 0x003E0000
2020-06-05 14:54:21,843 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 1900
2020-06-05 14:54:21,843 [lib.api.process] INFO: Monitor config for process 1900: C:\tmp2ssujfce\dll\1900.ini
2020-06-05 14:54:21,843 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:21,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:21,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:21,859 [root] DEBUG: Loader: Injecting process 1900 (thread 3608) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,875 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:21,875 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:21,875 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:21,875 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:21,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1900
2020-06-05 14:54:21,890 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 3812
2020-06-05 14:54:21,890 [lib.api.process] INFO: Monitor config for process 3812: C:\tmp2ssujfce\dll\3812.ini
2020-06-05 14:54:21,906 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:21,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,031 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,031 [root] DEBUG: Loader: Injecting process 3812 (thread 1980) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,031 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,031 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,046 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,046 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,046 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3812
2020-06-05 14:54:22,125 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3812, ImageBase: 0x003E0000
2020-06-05 14:54:22,171 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 3812
2020-06-05 14:54:22,187 [lib.api.process] INFO: Monitor config for process 3812: C:\tmp2ssujfce\dll\3812.ini
2020-06-05 14:54:22,187 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:22,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,281 [root] DEBUG: Loader: Injecting process 3812 (thread 1980) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,281 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,328 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,328 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,328 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3812
2020-06-05 14:54:22,375 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 2848
2020-06-05 14:54:22,375 [lib.api.process] INFO: Monitor config for process 2848: C:\tmp2ssujfce\dll\2848.ini
2020-06-05 14:54:22,375 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:22,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,437 [root] DEBUG: Loader: Injecting process 2848 (thread 1836) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,437 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,437 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,437 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,437 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2020-06-05 14:54:22,484 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2848, ImageBase: 0x003E0000
2020-06-05 14:54:22,484 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 2848
2020-06-05 14:54:22,484 [lib.api.process] INFO: Monitor config for process 2848: C:\tmp2ssujfce\dll\2848.ini
2020-06-05 14:54:22,484 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:22,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,500 [root] DEBUG: Loader: Injecting process 2848 (thread 1836) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,515 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,515 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,515 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,515 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2020-06-05 14:54:22,562 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 5056
2020-06-05 14:54:22,562 [lib.api.process] INFO: Monitor config for process 5056: C:\tmp2ssujfce\dll\5056.ini
2020-06-05 14:54:22,578 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:22,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,593 [root] DEBUG: Loader: Injecting process 5056 (thread 684) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,593 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,609 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,609 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,609 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,609 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5056
2020-06-05 14:54:22,640 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5056, ImageBase: 0x003E0000
2020-06-05 14:54:22,656 [root] INFO: Announced 32-bit process name: PO .EXCEL.xls.exe pid: 5056
2020-06-05 14:54:22,656 [lib.api.process] INFO: Monitor config for process 5056: C:\tmp2ssujfce\dll\5056.ini
2020-06-05 14:54:22,656 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-05 14:54:22,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\kMtXsm.dll, loader C:\tmp2ssujfce\bin\egtBrPM.exe
2020-06-05 14:54:22,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QHRBcN.
2020-06-05 14:54:22,687 [root] DEBUG: Loader: Injecting process 5056 (thread 684) with C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,687 [root] DEBUG: Process image base: 0x003E0000
2020-06-05 14:54:22,687 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-05 14:54:22,687 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-05 14:54:22,687 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\kMtXsm.dll.
2020-06-05 14:54:22,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5056
2020-06-05 14:54:22,828 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-06-05 14:54:22,843 [root] DEBUG: DLL unloaded from 0x70F80000.
2020-06-05 14:54:22,843 [root] DEBUG: DLL unloaded from 0x76680000.
2020-06-05 14:54:22,843 [root] DEBUG: DLL unloaded from 0x74380000.
2020-06-05 14:54:22,843 [root] DEBUG: DLL unloaded from 0x6F5C0000.
2020-06-05 14:54:22,859 [root] DEBUG: DLL unloaded from 0x72D60000.
2020-06-05 14:54:22,875 [root] WARNING: Unable to open termination event for pid 1120.
2020-06-05 14:54:43,875 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF55A0000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-05 14:54:43,890 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF55A0000 skipped.
2020-06-05 14:54:46,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6F70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-05 14:54:46,437 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF6F70000 skipped.
2020-06-05 14:54:47,953 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5D60000 to caller regions list (msvcrt::memcpy).
2020-06-05 14:54:47,953 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5D60000 skipped.
2020-06-05 14:56:49,859 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-05 14:56:49,859 [lib.api.process] ERROR: Failed to open terminate event for pid 1120
2020-06-05 14:56:49,859 [root] INFO: Terminate event set for process 1120.
2020-06-05 14:56:49,859 [lib.api.process] ERROR: Failed to open terminate event for pid 3544
2020-06-05 14:56:49,859 [root] INFO: Terminate event set for process 3544.
2020-06-05 14:56:49,859 [root] DEBUG: Terminate Event: Skipping dump of process 844
2020-06-05 14:56:49,875 [lib.api.process] INFO: Terminate event set for process 844
2020-06-05 14:56:49,875 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 844
2020-06-05 14:56:54,875 [lib.api.process] INFO: Termination confirmed for process 844
2020-06-05 14:56:54,875 [root] INFO: Terminate event set for process 844.
2020-06-05 14:56:54,875 [root] INFO: Created shutdown mutex.
2020-06-05 14:56:55,875 [root] INFO: Shutting down package.
2020-06-05 14:56:55,875 [root] INFO: Stopping auxiliary modules.
2020-06-05 14:56:55,890 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4000000 to caller regions list (msvcrt::memcpy).
2020-06-05 14:56:55,890 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4000000 skipped.
2020-06-05 14:56:55,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1010 amd local view 0x0000000005290000 to global list.
2020-06-05 14:56:56,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdb8 amd local view 0x0000000049ED0000 to global list.
2020-06-05 14:56:56,046 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf80 amd local view 0x0000000000BD0000 to global list.
2020-06-05 14:56:56,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000CD0000 for section view with handle 0xdb8.
2020-06-05 14:56:56,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000CF0000 for section view with handle 0xf80.
2020-06-05 14:56:56,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfbc amd local view 0x0000000049ED0000 to global list.
2020-06-05 14:56:56,078 [lib.common.results] WARNING: File C:\cMZnJUhg\bin\procmon.xml doesn't exist anymore
2020-06-05 14:56:56,078 [root] INFO: Finishing auxiliary modules.
2020-06-05 14:56:56,078 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-05 14:56:56,078 [root] WARNING: Folder at path "C:\cMZnJUhg\debugger" does not exist, skip.
2020-06-05 14:56:56,093 [root] WARNING: Monitor injection attempted but failed for process 2072.
2020-06-05 14:56:56,093 [root] WARNING: Monitor injection attempted but failed for process 1900.
2020-06-05 14:56:56,093 [root] WARNING: Monitor injection attempted but failed for process 3812.
2020-06-05 14:56:56,093 [root] WARNING: Monitor injection attempted but failed for process 2848.
2020-06-05 14:56:56,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1318 amd local view 0x0000000000CD0000 to global list.
2020-06-05 14:56:56,093 [root] WARNING: Monitor injection attempted but failed for process 5056.
2020-06-05 14:56:56,109 [root] INFO: Analysis completed.

Machine

Name win7x64_1
Label win7x64_5
Manager KVM
Started On 2020-06-05 14:53:14
Shutdown On 2020-06-05 15:00:31

File Details

File Name PO .EXCEL.xls.exe
File Size 468992 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2050-03-05 09:50:57
MD5 91e7afe7bc252fada486a7735ed1610e
SHA1 8198ea4a6798af2b7780520d4fee98902fb47825
SHA256 59e63b779abe35ef5d5337c096fa4460da3683efa171f006706cb78723af192c
SHA512 461bc4918c636ede2aed8d1b600c465c91b336930b3a41ec6c88fb29e0bbb8400d083c63f5988fe0f6fa241030001ff8b4993ff3a23bcef96f07fc44be97748f
CRC32 A474E5BA
Ssdeep 6144:zcUIoRjNe4jHhIKV7h5lB4hqJrwEtX+LbNUuW3ruWuN5ernCEllU5rbGc6yd:tJFjBxV7hRmqJr14LbyXKa2gy

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: KERNEL32.dll/FindAtom
DynamicLoader: KERNEL32.dll/FindAtomW
DynamicLoader: KERNEL32.dll/AddAtom
DynamicLoader: KERNEL32.dll/AddAtomW
DynamicLoader: MSCOREE.DLL/LoadLibraryShim
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFamilyFromName
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: gdiplus.dll/GdipGetFamilyName
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetMapMode
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextExWW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: gdiplus.dll/GdipGetLogFontW
DynamicLoader: MSCOREE.DLL/ND_WU1
DynamicLoader: mscoreei.dll/ND_WU1_RetAddr
DynamicLoader: mscoreei.dll/ND_WU1
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: GDI32.dll/GetTextExtentPoint32W
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: KERNEL32.dll/OpenMutex
DynamicLoader: KERNEL32.dll/OpenMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoWW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SetFileAttributes
DynamicLoader: KERNEL32.dll/SetFileAttributesW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaOpenPolicyW
DynamicLoader: ADVAPI32.dll/LsaLookupNames2
DynamicLoader: ADVAPI32.dll/LsaLookupNames2W
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: MSCOREE.DLL/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: ADVAPI32.dll/LsaLookupSidsW
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/RtlMoveMemory
DynamicLoader: KERNEL32.dll/RtlMoveMemoryW
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: KERNEL32.dll/TerminateProcess
DynamicLoader: KERNEL32.dll/TerminateProcessW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: KERNEL32.dll/DeleteAtom
DynamicLoader: KERNEL32.dll/DeleteAtomW
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
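The DynamicLoader entries above record every export the sample resolved at run time. Most of it is the .NET runtime and WinForms starting up, but the run from CreateProcess through GetThreadContext, ReadProcessMemory and VirtualAllocEx, followed by LookupPrivilegeValue/AdjustTokenPrivileges and EnumProcesses/OpenProcess/TerminateProcess, is the kind of cluster worth pulling out of a long list automatically. The Python below is an added example for this page, not CAPE's own code: it parses lines in the same shape and reports runs of injection-related resolves. The category table and the line-gap heuristic are this example's assumptions. Note that WriteProcessMemory, SetThreadContext and ResumeThread do not appear in the captured list, so a hit here says where to look in the behaviour log rather than proving injection.

```python
"""Scan CAPE DynamicLoader lines for clusters of process-injection APIs.
Added example for this report, not CAPE's code. Exports are mapped to coarse
categories; resolves spanning several categories within a few lines form a cluster."""
import re

LINE_RE = re.compile(r"^DynamicLoader:\s*([^/\s]+)/(\w*)\s*$")

# Export names grouped by role. The grouping is this example's own choice, not
# a CAPE signature; names are the Win32 exports as CAPE logs them.
CATEGORIES = {
    "process_create": {"CreateProcess", "CreateProcessInternal"},
    "thread_context": {"GetThreadContext", "SetThreadContext", "ResumeThread"},
    "read_remote":    {"ReadProcessMemory", "NtReadVirtualMemory"},
    "write_remote":   {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory"},
    "privilege":      {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "process_enum":   {"EnumProcesses", "OpenProcess", "TerminateProcess"},
}
EXPORT_TO_CATEGORY = {n: cat for cat, names in CATEGORIES.items() for n in names}


def classify(export):
    """Map an export to a category, tolerating the A/W (even doubled W) suffixes
    seen in the log, e.g. CreateProcessW -> CreateProcess. None if unclassified."""
    name = export
    while name:
        if name in EXPORT_TO_CATEGORY:
            return EXPORT_TO_CATEGORY[name]
        if name[-1] in "AW":
            name = name[:-1]
        else:
            return None
    return None


def parse_lines(text):
    """Return (line_no, module, export, category) for every DynamicLoader line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if m:
            module, export = m.group(1), m.group(2)
            entries.append((line_no, module, export, classify(export)))
    return entries


def find_clusters(text, max_gap=6, min_categories=3):
    """Group categorised resolves lying within max_gap lines of the previous hit
    and keep the groups that touch at least min_categories distinct categories."""
    clusters = []
    current = None
    for line_no, module, export, cat in parse_lines(text):
        if cat is None:
            continue
        if current is not None and line_no - current["end"] <= max_gap:
            current["end"] = line_no
            current["categories"].add(cat)
            current["exports"].append(f"{module}/{export}")
            continue
        if current is not None and len(current["categories"]) >= min_categories:
            clusters.append(current)
        current = {"start": line_no, "end": line_no,
                   "categories": {cat}, "exports": [f"{module}/{export}"]}
    if current is not None and len(current["categories"]) >= min_categories:
        clusters.append(current)
    return clusters


# Constructed input: a slice of the DynamicLoader list above (the early token/SID
# calls, some file and shell calls, then the block around CreateProcess), so the
# first OpenProcessToken hit stays isolated and the later run forms a cluster.
SAMPLE_LOG = """\
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: KERNEL32.dll/TerminateProcess
DynamicLoader: KERNEL32.dll/TerminateProcessW
DynamicLoader: USER32.dll/SetClassLong
"""
```

Running `find_clusters(SAMPLE_LOG)` on the slice above returns a single cluster spanning the CreateProcess-to-TerminateProcess run with all six categories, while the lone OpenProcessToken near the top (the .NET runtime checking its own token) is left out. Feed it the whole DynamicLoader section of a report and tune `max_gap` to taste; the A/W suffix stripping matters because CAPE logs both spellings for most calls.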
A process created a hidden window
Process: PO .EXCEL.xls.exe -> schtasks.exe
CAPE extracted potentially suspicious content
PO .EXCEL.xls.exe: Unpacked Shellcode
PO .EXCEL.xls.exe: Unpacked Shellcode
PO .EXCEL.xls.exe: Unpacked Shellcode
PO .EXCEL.xls.exe: Unpacked Shellcode
Attempts to mimic the file extension of an Excel 97-2003 spreadsheet by having 'xls' in the file name.
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.77, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00071e00, virtual_size: 0x00071d44
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnGQvnqb" /XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp"
command: schtasks.exe /Create /TN "Updates\JnGQvnqb" /XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp"
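Anyone triaging this report will want to see what was in tmp9668.tmp, because the task definition is where the trigger, the hidden flag and the action path live, and none of that is visible from the schtasks command line alone. As an added example for this page (not CAPE's code), the Python below pulls the /TN and /XML arguments out of the recorded command line, parses a Task Scheduler XML definition, and flags the points that matter. The XML literal is a constructed, hypothetical stand-in for the temp file, which the report does not reproduce; it is shaped like what `schtasks /Query /XML` exports and points at the copy under AppData\Roaming that the report lists further down.

```python
"""Triage the schtasks persistence the report records: pull the task name and XML
path out of the command line, parse the task definition and flag what an analyst
would look at first. Added example for this report, not CAPE's code."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations an unprivileged user can write to; a task whose definition or action
# lives here deserves a look (this list is the example's own assumption).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def _opt(cmdline, flag):
    """Value following a schtasks switch, quoted or bare; None if absent."""
    m = re.search(r'(?i)(?:^|\s)' + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def parse_schtasks_cmdline(cmdline):
    """Extract the verb and the /TN and /XML arguments from a schtasks call."""
    verb = re.search(r"(?i)\s/(Create|Delete|Change|Run|Query)\b", cmdline)
    return {"verb": verb.group(1).capitalize() if verb else None,
            "task_name": _opt(cmdline, "/TN"), "xml_path": _opt(cmdline, "/XML")}


def parse_task_xml(xml_data):
    """Read the fields of a Task Scheduler XML definition that matter for triage.
    Pass the raw bytes for a real exported task (they are UTF-16 with a BOM)."""
    root = ET.fromstring(xml_data)

    def text(path):
        node = root.find(path, TASK_NS)
        return (node.text or "").strip() if node is not None else ""

    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.rsplit("}", 1)[-1] for c in triggers_node]
    commands = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        commands.append(f"{cmd} {args}".strip())
    return {"author": text("t:RegistrationInfo/t:Author"),
            "run_level": text("t:Principals/t:Principal/t:RunLevel"),
            "hidden": text("t:Settings/t:Hidden").lower() == "true",
            "triggers": triggers, "commands": commands}


def triage(cmdline_info, task):
    """Findings for the task as a list of strings; an empty list means nothing odd."""
    findings = []
    xml_path = cmdline_info.get("xml_path") or ""
    if USER_WRITABLE.search(xml_path):
        findings.append(f"task definition loaded from user-writable path: {xml_path}")
    for cmd in task["commands"]:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs from user-writable path: {cmd}")
    if task["hidden"]:
        findings.append("task is marked Hidden")
    persistent = [t for t in task["triggers"] if t in ("LogonTrigger", "BootTrigger")]
    if persistent:
        findings.append("task re-runs at " + ", ".join(persistent))
    return findings


# The schtasks command line exactly as the report records it.
SCHTASKS_CMDLINE = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnGQvnqb" /XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp"'

# Constructed, hypothetical stand-in for tmp9668.tmp, whose contents the report
# does not show: the layout schtasks /Query /XML exports, with the action set to
# the copy the sample dropped under AppData\Roaming. Real exports start with an
# XML declaration and are UTF-16; omitted here so the literal can stay a str.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Louise</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Louise\AppData\Roaming\JnGQvnqb.exe</Command></Exec></Actions>
</Task>"""
```

`triage(parse_schtasks_cmdline(SCHTASKS_CMDLINE), parse_task_xml(SAMPLE_TASK_XML))` returns four findings for the constructed definition: the XML came from Temp, the action runs from AppData, the task is hidden, and it fires at logon. On a live host the same parser works on the files under C:\Windows\System32\Tasks\, which are stored in this XML form; the `Updates\` folder in the task name is a detail to pivot on in the task store rather than a check the code hard-codes.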
Network activity detected but not expressed in API logs
File has been identified by 20 Antiviruses on VirusTotal as malicious
Cylance: Unsafe
Sangfor: Malware
APEX: Malicious
Paloalto: generic.ml
Kaspersky: UDS:DangerousObject.Multi.Generic
Endgame: malicious (high confidence)
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.gc
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.91e7afe7bc252fad
SentinelOne: DFI - Malicious PE
Webroot: W32.Trojan.Gen
ZoneAlarm: UDS:DangerousObject.Multi.Generic
Microsoft: Trojan:Win32/Wacatac.C!ml
BitDefenderTheta: Gen:[email protected]
Malwarebytes: Trojan.PCrypt
ESET-NOD32: a variant of MSIL/Kryptik.WER
Ikarus: Trojan.MSIL.Crypt
CrowdStrike: win/malicious_confidence_80% (D)
Qihoo-360: HEUR/QVM03.0.B374.Malware.Gen
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\JnGQvnqb.exe
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
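Two of the signatures above are pure static checks (a .text section at 7.77 bits per byte of entropy, and a compile timestamp later than the analysis date) and can be re-run on any sample without a sandbox. The Python below is an added example for this page, not CAPE's code: it reads the COFF header and section table directly, computes per-section Shannon entropy and compares TimeDateStamp against a reference time. The 7.0 entropy threshold and the one-day slack are this example's assumptions, and the PE it examines is a minimal synthetic image built in memory, not the sample from the report.

```python
"""Re-run two of the static checks the report raises, without pefile: Shannon
entropy of each section (the ".text, entropy: 7.77" finding) and a COFF
TimeDateStamp later than the analysis time (the timestomping finding).
Added example for this report, not CAPE's code; the PE is built in memory."""
import hashlib
import math
import struct
import time

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read e_lfanew, the COFF file header and the section table; return the
    compile timestamp and each section's name, sizes, flags and entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, _vaddr, rsize, rptr, _, _, _, _,
         flags) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize, "characteristics": flags,
            "entropy": shannon_entropy(blob[rptr:rptr + rsize]),
        })
    return {"timestamp": timestamp, "sections": sections}


def assess(blob, now=None, entropy_threshold=7.0, slack=86400):
    """Return (parsed, findings). Thresholds are this example's assumptions, not
    CAPE's: code sections above 7.0 bits/byte, and a TimeDateStamp more than a
    day after `now` (default: wall clock), are reported."""
    pe = parse_pe(blob)
    now = time.time() if now is None else now
    findings = []
    if pe["timestamp"] > now + slack:
        findings.append("compile timestamp is in the future")
    for s in pe["sections"]:
        is_code = s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and s["entropy"] > entropy_threshold:
            findings.append(f"code section {s['name']} entropy {s['entropy']:.2f}")
    return pe, findings


def build_test_pe(sections, timestamp):
    """Build a minimal 32-bit PE image in memory: DOS stub, COFF header, a zeroed
    0xE0-byte optional header and 512-byte aligned raw sections. Only the fields
    parse_pe reads are meaningful; the image is not loadable."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    headers = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
               + b"\0" * opt_size)
    raw_ptr = (len(headers) + 40 * len(sections) + align - 1) // align * align
    table, bodies = b"", b""
    for name, data, flags in sections:
        padded = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(padded), raw_ptr, 0, 0, 0, 0, flags)
        bodies += padded
        raw_ptr += len(padded)
    headers += table
    return headers + b"\0" * (-len(headers) % align) + bodies


# Constructed sample: a high-entropy .text (a SHA-256 chain standing in for packed
# code) and a plain-text .rdata, stamped with a date in late 2023, assessed against
# the report's own run time (2020-06-05 14:53:14, taken here as UTC).
PACKED_TEXT = b"".join(hashlib.sha256(struct.pack("<I", i)).digest() for i in range(128))
SAMPLE_PE = build_test_pe(
    [(b".text", PACKED_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (b".rdata", b"Hello sandbox " * 100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)],
    timestamp=1_700_000_000)
ANALYSIS_TIME = 1_591_368_794
```

`assess(SAMPLE_PE, now=ANALYSIS_TIME)` reports both the future timestamp and the high-entropy code section; `assess(open(path, "rb").read())` does the same for a real file against the current clock. A .NET assembly such as this sample is a useful caveat for the entropy check: a crypter's stub keeps the managed payload as an encrypted resource, so the high-entropy bytes are usually in the section that holds the resources, which is why the check looks at flags and entropy together rather than at .text by name.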

Screenshots


Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States
Y       1.1.1.1  Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe.config
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.config
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.INI
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Globalization\en-us.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\CAMBRIA.TTC
C:\Windows\Fonts\CANDARA.TTF
C:\Windows\Fonts\CONSOLA.TTF
C:\Windows\Fonts\CONSTAN.TTF
C:\Windows\Fonts\CORBEL.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\CAMBRIAB.TTF
C:\Windows\Fonts\CAMBRIAI.TTF
C:\Windows\Fonts\CAMBRIAZ.TTF
C:\Windows\Fonts\CANDARAB.TTF
C:\Windows\Fonts\CANDARAI.TTF
C:\Windows\Fonts\CANDARAZ.TTF
C:\Windows\Fonts\CONSOLAB.TTF
C:\Windows\Fonts\CONSOLAI.TTF
C:\Windows\Fonts\CONSOLAZ.TTF
C:\Windows\Fonts\CONSTANB.TTF
C:\Windows\Fonts\CONSTANI.TTF
C:\Windows\Fonts\CONSTANZ.TTF
C:\Windows\Fonts\CORBELB.TTF
C:\Windows\Fonts\CORBELI.TTF
C:\Windows\Fonts\CORBELZ.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\staticcache.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources\VXRE.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources.exe
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources\VXRE.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\Globalization\en.nlp
C:\Users\Louise\AppData\Local\Temp\en\VXRE.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\VXRE.resources\VXRE.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\VXRE.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\VXRE.resources\VXRE.resources.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Users\Louise\AppData\Local\Temp\en-US\ReZer0V2.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\ReZer0V2.resources\ReZer0V2.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\ReZer0V2.resources.exe
C:\Users\Louise\AppData\Local\Temp\en-US\ReZer0V2.resources\ReZer0V2.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\ReZer0V2.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\ReZer0V2.resources\ReZer0V2.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\ReZer0V2.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\ReZer0V2.resources\ReZer0V2.resources.exe
C:\Users\Louise\AppData\Roaming\JnGQvnqb.exe
C:\Users\Louise\AppData\Roaming\
C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\shell32.dll
\??\MountPointManager
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1120.36233687
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1120.36233687
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1120.36233703
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\AutoKMS
C:\Windows\sysnative\Tasks\Updates\JnGQvnqb
C:\Windows\sysnative\Tasks\Updates
C:\Windows\sysnative\Tasks\Updates\
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\*.*
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe.config
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\CAMBRIA.TTC
C:\Windows\Fonts\CANDARA.TTF
C:\Windows\Fonts\CONSOLA.TTF
C:\Windows\Fonts\CONSTAN.TTF
C:\Windows\Fonts\CORBEL.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\CAMBRIAB.TTF
C:\Windows\Fonts\CAMBRIAI.TTF
C:\Windows\Fonts\CAMBRIAZ.TTF
C:\Windows\Fonts\CANDARAB.TTF
C:\Windows\Fonts\CANDARAI.TTF
C:\Windows\Fonts\CANDARAZ.TTF
C:\Windows\Fonts\CONSOLAB.TTF
C:\Windows\Fonts\CONSOLAI.TTF
C:\Windows\Fonts\CONSOLAZ.TTF
C:\Windows\Fonts\CONSTANB.TTF
C:\Windows\Fonts\CONSTANI.TTF
C:\Windows\Fonts\CONSTANZ.TTF
C:\Windows\Fonts\CORBELB.TTF
C:\Windows\Fonts\CORBELI.TTF
C:\Windows\Fonts\CORBELZ.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\staticcache.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\cmd.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Louise\AppData\Roaming\JnGQvnqb.exe
C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp
C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1120.36233687
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1120.36233687
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1120.36233703
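Almost everything in the file list above is start-up noise for a .NET 2.0 WinForms process on Windows 7: font enumeration, GAC and NGEN native-image lookups, CONFIG\*.config reads. The lines worth an analyst's attention are the binary dropped to AppData\Roaming (JnGQvnqb.exe), the task file of the same name created under sysnative\Tasks\Updates, the double-extension lure name (PO .EXCEL.xls.exe), the cmd.exe launch from SysWOW64, and the Temp\en-US\...resources.dll probes. Those probes are the CLR looking for a satellite resource assembly at <culture>\<AssemblyName>.resources.dll (and <culture>\<AssemblyName>.resources\<AssemblyName>.resources.dll) relative to the AppBase, so they leak the names of the assemblies that were actually running: VXRE and ReZer0V2. The script below is an added example, not part of the CAPE report or of CAPE itself: the noise list, rule tags and thresholds are this editor's assumptions, and SAMPLE is a constructed slice of the report's own paths. It generalizes beyond this report by also catching other lure extensions, script hosts and user-writable drop locations.

```python
"""Triage a CAPE 'files' list: drop .NET start-up noise, tag what matters.
Added example, not part of the CAPE report.  NOISE, RULES and the tag names
are this editor's own choices; SAMPLE is a constructed slice of the report's
file list (a few Fonts/GAC/.NET lines stand in for the hundreds above)."""
import json
import ntpath
import re
from collections import defaultdict

SAMPLE = r"""
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\VXRE.resources\VXRE.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Users\Louise\AppData\Local\Temp\en\ReZer0V2.resources.exe
C:\Users\Louise\AppData\Roaming\JnGQvnqb.exe
C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp
\Device\KsecDD
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\AutoKMS
C:\Windows\sysnative\Tasks\Updates\JnGQvnqb
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe.config
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
""".strip().splitlines()

# Normal for any .NET 2.0 WinForms process on Windows 7; dropped before reading.
NOISE = [re.compile(p, re.I) for p in (
    r"^C:\\Windows\\(Fonts|assembly|Microsoft\.NET|Globalization|winsxs|AppPatch)\\",
    r"^C:\\Windows\\System32\\[^\\]+\.nls$",
    r"^C:\\Program Files( \(x86\))?\\Common Files\\",
    r"\\CLR Security Config\\",
    r"\\GDIPFONTCACHEV1\.DAT$",
    r"\.mui$",
    r"^\\Device\\KsecDD$",
    r"^\\\?\?\\MountPointManager$",
    r"^C:\\Windows\\(sysnative|System32)\\Tasks(\\\*)?$",  # listing the folder, not a task
)]

# First matching rule wins; satellite probes go first so Temp\en-US\X.resources.dll
# is not mis-filed as a dropped DLL.  Tag names are this editor's own.
RULES = [(tag, re.compile(p, re.I)) for tag, p in (
    ("satellite_assembly_probe", r"\\[a-z]{2,3}(-[a-z]{2,4})?\\(?P<asm>[^\\]+)\.resources(\\[^\\]+)?\.(dll|exe)$"),
    ("double_extension", r"\.(xls|xlsx|doc|docx|pdf|jpg|png|txt)\.(exe|scr|com|pif)$"),
    ("exe_in_user_writable", r"^C:\\Users\\[^\\]+\\.*\.(exe|dll|scr|com|pif|bat|cmd|ps1|vbs|js)$"),
    ("scheduled_task_file", r"^C:\\Windows\\(sysnative|System32)\\Tasks\\.+$"),
    ("shell_interpreter", r"\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$"),
    ("temp_scratch_file", r"\\Temp\\tmp[0-9a-f]+\.tmp$"),
)]


def correlate_tasks(findings):
    r"""Pair each file under ...\Tasks\ with a tagged binary of the same stem,
    e.g. Tasks\Updates\JnGQvnqb with Roaming\JnGQvnqb.exe (schtasks persistence)."""
    binaries = findings.get("exe_in_user_writable", []) + findings.get("double_extension", [])
    by_stem = {ntpath.splitext(ntpath.basename(b))[0].lower(): b for b in binaries}
    links = []
    for task in findings.get("scheduled_task_file", []):
        leaf = ntpath.basename(task.rstrip("\\")).lower()
        if leaf in by_stem:
            links.append({"task": task, "binary": by_stem[leaf]})
    return links


def triage(lines):
    noise, unclassified, satellites = 0, [], set()
    findings = defaultdict(list)
    for raw in lines:
        path = raw.strip()
        if any(rx.search(path) for rx in NOISE):
            noise += 1
            continue
        for tag, rx in RULES:
            m = rx.search(path)
            if m:
                findings[tag].append(path)
                if tag == "satellite_assembly_probe":
                    # The CLR probes <culture>\<AssemblyName>.resources.dll, so a
                    # probe leaks the name of the assembly that asked for a resource.
                    satellites.add(m.group("asm"))
                break
        else:
            unclassified.append(path)
    return {
        "noise_dropped": noise,
        "findings": dict(findings),
        "satellite_assemblies": sorted(satellites),
        "persistence_links": correlate_tasks(findings),
        "unclassified": unclassified,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Feed it the full list (one path per line) instead of SAMPLE and the output shrinks to the dropped binary, its task file, the lure, the shell launch and the two assembly names; anything left in "unclassified" (here only the CLR's probe for PO .EXCEL.xls.exe.config) is what still needs eyes. The task/binary correlation is the check most worth keeping: a task file whose name matches a fresh executable in a user-writable directory is the filesystem signature of schtasks-based persistence, and it is visible even when the process tree is not captured.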
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PO .EXCEL.xls.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2dad98f6\73220b4
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7333af8d\360d78d8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|PO .EXCEL.xls.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|PO .EXCEL.xls.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|PO .EXCEL.xls.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7333af8d\257a6d15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\25fd5cf0\fe3ad34
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\25fd5cf0\21bb12f8
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\PO .EXCEL.xls.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\JnGQvnqb
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\JnGQvnqb\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\JnGQvnqb\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}\DynamicInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}\DynamicInfo
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\JnGQvnqb\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\JnGQvnqb\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{055CB0B5-4020-4DAA-8F40-913F6CD2A5F5}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1CFB55D-77F1-47B5-9A43-21BF6384BCFF}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{186A6B7C-1BB4-4ACE-A83F-373868CA3D1C}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{982A4928-18A9-4764-89E0-08B69AAACC56}\DynamicInfo
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
kernel32.dll.GlobalMemoryStatusEx
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.GetSysColor
kernel32.dll.GetCurrentProcessId
kernel32.dll.FindAtomW
kernel32.dll.AddAtomW
mscoree.dll.LoadLibraryShim
mscoreei.dll.LoadLibraryShim
gdiplus.dll.GdiplusStartup
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateFontFamilyFromName
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegEnumValueW
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipGetFontSize
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
user32.dll.GetDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegQueryInfoKeyW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipDeleteFont
gdiplus.dll.GdipGetFamilyName
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.GetDeviceCaps
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetMapMode
gdi32.dll.GetTextMetricsW
user32.dll.DrawTextExW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
gdiplus.dll.GdipGetLogFontW
mscoree.dll.ND_WU1
mscoreei.dll.ND_WU1
gdi32.dll.GetTextExtentPoint32W
gdi32.dll.DeleteDC
user32.dll.GetCursorPos
user32.dll.MonitorFromPoint
user32.dll.GetMonitorInfoW
gdi32.dll.CreateDCW
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
culture.dll.ConvertLangIdToCultureName
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
gdiplus.dll.GdipDisposeImage
kernel32.dll.OpenMutexW
kernel32.dll.CloseHandle
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
shfolder.dll.SHGetFolderPathW
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CopyFileW
advapi32.dll.GetUserNameW
kernel32.dll.SetFileAttributesW
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupNames2
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
mscoree.dll.ND_RI4
mscoreei.dll.ND_RI4
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.RtlMoveMemory
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
advapi32.dll.LookupPrivilegeValueW
psapi.dll.EnumProcesses
kernel32.dll.OpenProcess
kernel32.dll.TerminateProcess
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
user32.dll.IsWindow
user32.dll.DestroyWindow
kernel32.dll.DeleteAtom
gdi32.dll.DeleteObject
gdi32.dll.RestoreDC
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
cryptsp.dll.CryptReleaseContext
advapi32.dll.EventUnregister
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
sspicli.dll.GetUserNameExW
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnGQvnqb" /XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp"
schtasks.exe /Create /TN "Updates\JnGQvnqb" /XML "C:\Users\Louise\AppData\Local\Temp\tmp9668.tmp"
"{path}"
C:\Users\Louise\AppData\Local\Temp\PO .EXCEL.xls.exe "{path}"
Global\CLR_CASOFF_MUTEX
LjQVoVHbUPikNsVXiRLjaQZ

PE Information

Image Base: 0x00400000
Entry Point: 0x00473d3e
Reported Checksum: 0x00000000
Actual Checksum: 0x00077512
Minimum OS Version: 4.0
Compile Time: 2050-03-05 09:50:57
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00071d44 0x00071e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.77
.rsrc 0x00072000 0x00074000 0x000005b0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.11
.reloc 0x00072600 0x00076000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000740a0 0x00000324 LANG_NEUTRAL SUBLANG_NEUTRAL 3.29 None
RT_MANIFEST 0x000743c4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name VXRE
Version 1.0.0.0

Assembly References

Name Version
mscorlib 2.0.0.0
System.Windows.Forms 2.0.0.0
System 2.0.0.0
System.Drawing 2.0.0.0
Microsoft.VisualBasic 8.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 20
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute MineSweeperG
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.0.0
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 5a85e55a-2d77-4c76-8788-fa7aa58b14
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute MineSweeperG

Type References

Assembly Type Name
mscorlib System.ValueType
mscorlib System.Object
mscorlib System.IO.Stream
System.Windows.Forms System.Windows.Forms.Form
mscorlib System.Collections.Generic.List`1
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.MenuStrip
System.Windows.Forms System.Windows.Forms.ToolStripMenuItem
System.Windows.Forms System.Windows.Forms.Button
mscorlib System.EventArgs
mscorlib System.Random
System.Windows.Forms System.Windows.Forms.ImageList
mscorlib System.Reflection.Assembly
System System.Diagnostics.Stopwatch
System.Windows.Forms System.Windows.Forms.Timer
System.Windows.Forms System.Windows.Forms.Panel
System.Windows.Forms System.Windows.Forms.PictureBox
System.Windows.Forms System.Windows.Forms.GroupBox
System.Windows.Forms System.Windows.Forms.RadioButton
mscorlib System.IComparable
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.Configuration.ApplicationSettingsBase
System.Windows.Forms System.Windows.Forms.ProgressBar
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.STAThreadAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.IO.MemoryStream
mscorlib System.Byte
mscorlib System.UInt32
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
mscorlib System.Text.Encoding
mscorlib System.String
mscorlib System.Buffer
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
mscorlib System.Math
mscorlib System.Double
mscorlib System.Int32
System.Windows.Forms System.Windows.Forms.MessageBox
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.Control
mscorlib System.IDisposable
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
mscorlib System.EventHandler
System.Windows.Forms System.Windows.Forms.ToolStrip
System.Windows.Forms System.Windows.Forms.ToolStripItemCollection
System.Windows.Forms System.Windows.Forms.ToolStripItem
System.Windows.Forms System.Windows.Forms.ToolStripDropDownItem
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.FormStartPosition
mscorlib System.Collections.IEnumerator
System.Windows.Forms System.Windows.Forms.Layout.ArrangedElementCollection
mscorlib System.Collections.Generic.List`1/Enumerator
System.Windows.Forms System.Windows.Forms.Application
System System.ComponentModel.ComponentResourceManager
System System.ComponentModel.Container
System.Windows.Forms System.Windows.Forms.ImageListStreamer
System.Drawing System.Drawing.Color
System.Windows.Forms System.Windows.Forms.ImageList/ImageCollection
System.Windows.Forms System.Windows.Forms.DockStyle
System.Drawing System.Drawing.SystemColors
System.Windows.Forms System.Windows.Forms.FlatStyle
mscorlib System.Reflection.MethodInfo
mscorlib System.Reflection.MethodBase
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ProjectData
mscorlib System.TimeSpan
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
System.Windows.Forms System.Windows.Forms.MouseEventHandler
System.Windows.Forms System.Windows.Forms.MouseEventArgs
System.Windows.Forms System.Windows.Forms.MouseButtons
System.Drawing System.Drawing.Image
System.Windows.Forms System.Windows.Forms.ImageLayout
System System.ComponentModel.ISupportInitialize
System.Windows.Forms System.Windows.Forms.Padding
mscorlib System.IO.FileInfo
mscorlib System.Char
mscorlib System.IO.File
System System.Configuration.SettingsBase
System.Windows.Forms System.Windows.Forms.BorderStyle
System.Drawing System.Drawing.ContentAlignment
System.Windows.Forms System.Windows.Forms.PictureBoxSizeMode
System.Windows.Forms System.Windows.Forms.FormWindowState

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
System.Windows.Forms.ImageListStreamer, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089PADPADP
WSystem.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
&System.Windows.Forms.ImageListStreamer
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
*BSJB
v2.0.50727
#Strings
#GUID
#Blob
ServiceHost
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
mscorlib
.ctor
System
Int32
Boolean
RuntimeCompatibilityAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
AssemblyTitleAttribute
System.Reflection
String
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
ServiceHost.dll
<Module>
bDQPQeGuUpnq73rMLX
Object
RuntimeBroker
Array
Bitmap
System.Drawing
List`1
System.Collections.Generic
Color
get_Height
GetPixel
FromArgb
op_Inequality
ToArray
get_Width
get_R
get_G
get_B
AddRange
IEnumerable`1
ResourceManager
System.Resources
Concat
Assembly
GetEntryAssembly
Start
MethodInfo
AppDomain
get_CurrentDomain
get_EntryPoint
LateBinding
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic
LateCall
QBG2WMvb2U7ThqgkkB
XbnLnGinAjAOhHbEFE
MDFqn1VhLGtJKbXXGt
Image
get_Size
wVwenkC4o6985x5jHf
GetObject
Kuq7go1b7iRomqjDbJ
Thread
System.Threading
Sleep
akyJjZeIPBx3wmVG78
WrapNonExceptionThrows
ServiceHost
Copyright
2020
$d3d39800-48f3-47c5-b77d-a91e415e6fed
1.0.0.0
W"eU{T
ServiceHost.pdb
_CorDllMain
mscoree.dll
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
[Nmc}$;
ec>(.
\0;o[^
b1c4%
~w8v7
cN>91
k{/rB
vZS:g)
D%;mTW
@Zi#
UnKRI/
AIPglJ
2s^$OG
1\FK{9S
]7"/qS
YAi6y
2}!/GYpa
,dX^$
h6J&_m
BvG\Ev
@ukdD
j6E6d
T[eVx
_ly_J
ek#@0
oJ\Z8N
"m|~-a
w<+.E
)zEnD%
$ZeVP9&
=OF:vb
mQg$}
7i%ey
CyEm=
3J0y?
I%c#F0
D~F^`
qpT#m
f~;1u
Z2M|v
bhWW"zL
=v_ci79_
YA9#mq
:n )*
m74uz
Qhobu
?DNe
Sx|o8
pX"Aw]
xUTb6
YAGeV
lSB=2
g3jD%
ND'w$o
X?N's
2bEkv}1
MAkF*
gZs.f
FraV5K
f.EZQ
mTStE
.!S|?3
j:lV2A9
sN/4V
*gSz%=*
Yaf^5
FWxo"'
EqzWO
NE;e.Y
mXv~GD
`vPCZL
A\_C*
%@PFJ
?Hs#[
V3kI7
ywa=C
jOWR{
?TWd\7:0ku
Z&,m$
3 1v8
bECY-
"y1]9-w
';0H0
jOWi[
vs(\N
V1Cs$~
*^iVh
2+l\g
ubH`G
v'=jFr
Jfw[&
.H>tdn^!
Z-!hY*
l"B9rZ
oi)]G
ivO]<k[
wPq$Du
$zO[,l
Sk:1XZ
zR;~f
?'v~F
:KmVH
WWfhfg
}Z.Je|
7 OYL
9u5,X
y<c5m
@DHol
T}<Jy3]Z
|{K2g?
w}gZH'
`gJZx
@cVP;
7:s}kS
.q~Cg
u{hP&
As|Eb
Pw'h#
-WmV8
3h9%c
7v[A/
)l5o&
W0D>I
$>4rA
d=Cwb
wJKr1
hZbyd!
LX)EYO
b2UQBNj
X="E
-;v|.E/
!+JI
6+D{0
YI{q~
t7ko'L(
>-6Zb%
#~^0A
iJr|Z
"w6>_K
Js9ce
Y!1r$:#{
W:Gd
e31A]
~&S~$2E
/i.]YQ)@0^
~%mu$
X%%*y
oFqS&
Syyw8&
DL1$h
YT'gn`0
Vq~E$n
Q}h#Y:7
_n'Xl.
6,h"@a
}#Jn\
1|^o`
E+pm1
Vp9j(
KF_={!
ICG9)a
qA=v9Y3A
o:?wcr
{n#tL
p[c,Z'
0^-iI
,{'2_
!Qp2*FS
9<[0y{%
x"j*_
3p/Nb
"/[gt
!W_gT;h
iwf.o
]9vHP
f4UmN
~9)m_
Xrh!
:3D0I
nF^$O
m'GeM
CqxiE
s}?~,
(a%gN
}$#w\"
IVQ_=
dgCw>
}|tyO
F|o/=i
6>Cns'
xq2t?Q
]+Y3T
v&s^=fn
^T.)a
bzWuaRE
4hZH?Y
gv?xpOF]
}&Xus
M:&1_
|/oN{&
~.kIX
)TT{j
g7q~6
du-fI
1+d-oMm
+0jUI
rV(iu
Is#BQB
]:||.
VF|Ej>
J^5{Gml+
c 7'l
}iL^[
UoV('D
H#4n1
[-0P'
_7ObN
nc(!~c
Ok&33s
Y!}O9
+8RmC
-;dqs
)3Gn:
8xSAA39m
C4,v!
UdL."!
k_1{#
rZhm'
+yd>hIR
MwFSc
p`w=jJ
1MZKd
)_v4`A
+~,)8
(j^nE
z 'q~
;QEVk
5&^$1
:D?xEx
Lqw"t
&sT0A
"'Um[
^BE{kf
(H;F:1
[N^v:
=86y0]
r2c~#=nO
B7TR,
Y}mYaW
@5-75a
&A<::
Dlv~Q
Ifgxe
VGv&Y
4+|# Q
8`:cr
4x;1BN
\BQ]
3k-!!b
ETpkC_
7YAiV
[3es+
#@T'1
N1'hhUC
p>:9r`
;dT)Jxi
M4V0y)I%/
2+,,\%
AFF}$nG'
?o 7ME
i+Xjp
&2'_0YA
r6TTf
NYAH^
P0OqI.
`QD'i)S
|gfX6
PaoCd
IDATGw
<S2`Ef
r2F3+(S
8ih(/
w=5kYVv
(Dgm%
ghwe,
12h*:G
q~k82c
&>Tn6$
1i)gb/
$*9,7
2+Xe90
E!*9l[
V2\OJ
n.vbo
El$C%
Uusys=
qTp[+^{
;y?6P
Bas]5-WiV
MnW.#
QpjN5
[9Qh_
-)MfQ]g
?IiVx
gGcrU
TeVP2
Jtr>P!
,1+3e
~;054g
%Swe*SN
7qE{<
<Ze%@
7fsbPw
T[w U
^g+0S:
nqg_qK
_Ky{M
4y[D;
F<#zr
X&pb
_{mxk
}A[Bs
9Xl"}
"G5YA
r<IE{
638ug
EXHDb
$M3 u
JqR3<LT
k)~MK
h/RZD
@CI1/&
14CrP
:'U}j
>9pos6'b
j,4sYt
9JnN5m
nd47Cn
xbbNH
/x4l;Z
t"&l+
U/>?<
s9xd0
|wU2L
M5Y!kZW
And|=
#;Y"6
Z|`oWg
AGbzO
H*fl b{9
_p`1g
M+%iYgd
hSD%(
x49v?
as|9sm
-$tV_v
=.[29p8
m%+)>m
*uq8P
Qq`%nI
kL.aJ_g4S
ZeVP*
q6g&n
`T;TQ
kVx>\
<xkSM
?d2 #
8<D&Xy
.B{c2
]g6LJ
tONcz
M,5WgE
3P52|
fa%6SL
{r8n,
1L8VN
n *q"qAw)}w
PzVW2Vj
k|N_D
Ni+J~
9\(@T
}&usS
^;PeVP2y
p-^J~x
&t$Q}%wS
.8Tga5)
2+tv3
-iyi3
&Bw q
~Qy`-
{Rrf
F(uHi
6x{kc
tq-F!
1T=_M]
eU[ZFw
t1I"<v
5XtI#!
"xss0
O-`HiW
2<l*mV-
K0ySo
1-WEO
r_{B\G
^wk"z:P
mx/@p
ck8sb
S]01-on
'kbvR4
>Y4^a&
YAG9Y!
i>3[(
aCx2L(
PiVPD
|5,f$
Y:&E0
tj<[y
fh-5i
Cmp:{
rUQ}U
7"FZF
dr7}#'
${08%
]iVh<3
6K&55
8i 'V
v`%WZ
-2M72
>KxXU
5y8t8
:Frut0i}
o_:YwbQ
+I\RL
ck1pJB5=
Lpxwb
MmjH0
Hbu~k
EL4~F
-^Cyl
AEC=j
KLK7$
Nt{UGc
4+(.&
~E*#onk
"W\l5[H
sX#@pF
2ZhQ-
":'=A
4^,e[
6RMedI4
)=)R/A
:kQ;<
]~_P!kP?
[%XnR0
}"GX!Q
x"sR\l
az|<Z~
%t>&+
AgQXZJ+
WEsp84
*Hefl/h
vZwVV8cz
f+Q_;
""e3Y
](?yS
{G+~4x
`EK-L
o.U'l1
g6O{xc
Y{pKQ
m%qO$v
_D`[y
%\0yi
a/98u
D7"df
70"R%
a><)}D
65,69
sS0AQ
>g%2aO
Ph*%vo
t2[b)
.Y&P~
3]yt&
!6tLT4
26X>FZ
4v6!-
qK1Ya
p~u/a
k>6$'3
GS|Kr
5+$,%=3
&@O0A
~t&/[
Hk-Se]
=l+Uo
7CvUM
umv{<
i.H,8wt
'UiVP
&cSX
<+f+n
[K>2:h
|:rSO
&(u#rEOew
w5fow
]^IeP
`"m,N`
*@0;O
rU^LN
7J0yKL
f;'1k
[2CZA
I,w&|w/
>O=e:
)\9rmfV
EH]~(
(bi,o
^ZKR;u
o|S?OU
-np<CNt
i"O:X
1J/f#
GWJvi(
?io1P
fFrs4
n,3nw
(6Meu
Z+_b}tk
~.,LK
;{=c\
(@t]?
uz06r
Dqmu9
`Vz<ch
bFNs\G'
^l%a
'L?[F
pbym3
4C0ay
r"n[k1
L8c_u
}z$m/xb
1%~6:G
>x7/R$
9'@0^
Cy @0Q
WeL5x
a;Y7I
0kc-K
i%@PO
F%$Z*sY0YK
Q6,`n
ARc:F
1Xu2df
(=nG*
/c][Sl
&0)c)
a8TMf
f4y_M
&27MH
h!3,b
kLhw/
PY'@1g4#vTS
QmcVG?f
t%4_V
)$h~/
`_FvD
:&z^#mv
i$EHY
|$NQX[
c;h,=
(&+\:
M~\dO
HByKF
;ogkSoT
'QD+p
>SX;i4
wmQ?x
K:f+&+
8LQD
Nc/ U
K$QV8
1(Q1muL
,Sf_t!
#g?kM
ojKpB
)-pVv#f
~-v3F
,1J4e
fQ5yN
3w5$twk`^
PInVhA
'eRoF}
0=s1G
@7JnV
![o*l
;-X0.
#^6Qe
wD#x!~
M<E52
v2[kg
a##oQg67
3$h4VWd
gNnTa
o.U"X
S_QDGP6
runN2
3uZ&{K
r"YF!
&ULR5"
QI['E
f+U&K1
8+s1O&
7Ree&
hd3sy4
7HkdB
V2][0
5F0A=
'cD%Z
P~i;!
BuZ.+;
Q?R>#
hH'cb>
!fn8H3
gfW}#
]ulF6b
'|^XN
,1#Y>(R0
`Q>h0
JQf5M
DX0'+
(B0Y'
oHi\8A/
4JuSP^\@
L)Ua&l
:{"v#%
TN;VS
kVP"$
,u0Gs
v2oIG
:j2?\
)N+Sh?
dMfFR
r8c^?
NRV$+
J&c<3
-IZ]+
3A+b.u
Pqr%&
Ms5~z
^hC]h"
m8bQO
x/h5n{
3;InV
B,u>*
r|p}4
}'379
;~6pi
;}if|
T;5a`
7NRL;
eqTv]
Lt$2|
YN#gI
DU~5]H
cB|<Y+n
dl._L
_~;#6TH_
j&)@pn
7EM(O5i5Co
X(.Kw3
5l ~h8
`$~o_
Y7y9Km
bV8[c
F:afE
l#U3{
EC1(r
fe)@P
2z4;L
:=tbN
~KZ,&z
z_N0_
REXe5
u%xr"G[.
<LUi>
pLNN
5i<p=
"JbTf
f#_tV
hl:5S?
eKcTf
(bkY<
w-swc
W4\<GeV
,6Q>#mg
c&c8u(
1fW:Q
NQty8
h$5lX
tj.Qa
qbqY7
5Ty1bG
XJtaS
XRIpt
I$ntb
xtp,
Rf/LcV
>I[Ix!
e82>;
OXX=%
|/2cYg
B6Q|@J&
DeVhy#
tR^l-
#W}"u|4
S63ppC
iKLMg
<9M_Z
M#)y3
:d_tER%#`
C<Dnp
nu|5q
NOeJ|
$h3&Zo
\91N(i
/1*9\
XN\Ov
`B1s:n%
p?B_H
`+5SW3S
QXv~K
FoU$p
->B{e
s86\E
%1i:uq
L>Z9(R
}z z6
dmqF9^
oH"/361~
.)Ap;-
T. hI
-gG8r
&J52|
$V0oevD\M
Y(9e;
|6wBjQl
b<#2f`
2s^m-$D
EV*'+
Sv"}]
4J3"92b
pg:74
1yqs:
?>Ph*eGa#
3yV*{
&a-mH
!l_m'
`j[!7
VVnA
t>D=A+o
#kh]<
>o\2}
X)@0r
'J2'v&
/=#ny
jvp0m<
d!!Dl"
mzs"{
B7v>o
!uI0C
c%HKVax6
N5Y!0S
VL+=DGI
asynu
qVT>o
Kx=~#
cysNt)
\#'F7|
_DUt=
:boWB
.c|M8
3-WNV
G1/V0
2;6T6
+uKm(uo
3<2.Q
,$)IA
&<izO
S=^0i
~MH%^
2p,wO
IygnO
h)@pz
.3n3~
lpx_C
>ctsp
S{]HI
Pu;<Fl
CF0Bc:w
Q,@0Cu
Q3[At
'R{L&)x
m6lZ&
(V$R]
@m*'<ec
Xo*L+
JF[es
yKbfuF
u%7NH
84IFs
uQy&/
CUl$cnF
R>MW0
q$ ([u&]
UKhD&
[3,a,i[KHqV
H,sgX
^2c}}){
)\r;K2
x'kDY
KjXc]F
8)'cL
6\RNVP)
J,gg)
xdY{dC
Oz+TJ
UEpt<
qV2w^
QGd`*
%`v,wl
Cb(/:
tf%=%I<s
42#q[ c
PaJ&hH
xI{F|}
jLU-R!
ecp/R`
:Qa[Q
1LsYG
?Q TGVO
D/)Tu
+Ok/q
!_/]b
HUkk<
$_L!}N
n^W*#
UzqWiJ
p'`Fg
wF-kn
=;P|>
-tVZa5
QDO}E
k:.Q-
:6j4!o
v1 M0
x/@0`
p_j;4
}OL7V
~'#SMU
0\u:B
S+QX]
;Cy19
%Cj_k
T"y3J
CzhS>O
\a_x1=
}AtH_J
1h+l8}
kjS#;
Jc3svi
h {?T$
;1x?IC1
eD:%Q
d3)&6
LN_}Hk
ONL*av
]mY;U
FudsWm
^WjFOa
oN5}l-9
f)'Vc
(|WKL
8fmKG
?:aj(!A
efb%F)
v$Tf1
@PYZFm
4]?7`
2N]p`rv gV)'~
wlCkD
i8MFA
*/!gM
lWO kA
)@t M
N~*?Z
5q2sVYQ%d
X0A[[
8NZ'@ M$
{Y:qQmhi^A^
z%qqO
,~vkJ
MgkR%
Lp:QoF
r;M4z
P0AMm)
~t6nB
u9&@t
!qj"W
wa<e1
FKy7r6
;2|U+
^F*&1e
saMZ$
fOsi4
E12a8
9YA31
6%Osy3r
uoJh+G
d,dcq
EhagQ
f{M)!
Q\u'3
)oGNd
wF8>@K
9y`5.K
Emuk&
&2l03
)3I#|
\jBJ|_nU.
z/y>]
$3D0yW
!:aX|
Z/@0q
CPsW&9x
PbI4w
INL36&
Dg}-Q6Y
9mbc`
LVxYPi$
EvN0aW
?I$AW4
pMVhJ
'i/'RR?L
cQ[8pn?=
-U7Gr
K$Q#/
A]gsl
nVps{
~ uuC
q(8C~
^6y)5
<*wtbRx1
QS8{#F
;'@@0
zO%~t{
1o^6f
rxzn+
NpH e
ebWfA
Yh&Q-
io(aO
JyopH
l[Q,w
)GOqd
GeSM!
U%-*iOZh
JR9R|
"Rxh'
|.D|*
7Ry<Z
{r.F'G
DkL6~
*VkKq
77q=v
)m\HB
!22[I
6K2Yt
xasg*
;\/D0
Xg}WFI
*&cLCz
O"\}1
oRW17
3`x,_
0m4zF
a4`$)
2{Z{>s
"-lGF
[2:HY
s./,3
'Hb;E
kau8|
VT})dP
> VPpm
V/`aw-e
y:%GW1?=
rlx-i
2{!-d
v2.0.50727
#Strings
#GUID
#Blob
VXRE.exe
<Module>
.cctor
mscorlib
ValueType
System
.ctor
Object
Stream
System.IO
BronzeTreasure
Dungeon_Sheehan
AMOUNT
ToString
CashTreasure
Creature
creature_name
creature_health
HEALTH
get_Creature_Name
set_Creature_Name
value
get_Creature_Health
set_Creature_Health
Creature_Name
Creature_Health
Form1
System.Windows.Forms
GamePlayers
List`1
System.Collections.Generic
components
IContainer
System.ComponentModel
label1
Label
label5
name4
TextBox
name3
name2
name1
menuStrip1
MenuStrip
fileToolStripMenuItem
ToolStripMenuItem
aboutToolStripMenuItem
helpToolStripMenuItem
submit
Button
Form1_Load
EventArgs
sender
label5_Click
textBox1_TextChanged
helpToolStripMenuItem_Click
name11_TextChanged
submit_Click
Dispose
disposing
InitializeComponent
Form2
Game_Treasure
Game_Creature
Game_Rooms
Game_Players
randomNumbers
Random
player_amount
player_counter
newGameToolStripMenuItem
exitToolStripMenuItem
imageList1
ImageList
Player1
Player2
Player3
Player4
TreasureList1
TreasureList2
TreasureList3
TreasureList4
TreasureTotal1
TreasureTotal2
TreasureTotal3
TreasureTotal4
GameLabel
InitializeTreasures
InitializeCreatures
InitializeRooms
InitializeButtons
CheckGameOver
DetermineWinner
gmplyr
exitToolStripMenuItem_Click
Form2_Load
Button_Click
button_enter
button_leave
Display_Player
Display_Treasure_List
Display_Total_Treasure
newGameToolStripMenuItem_Click
GhoulCreature
GoldTreasure
GremlinCreature
JokeTreasure
KrampusCreature
LordZeddCreature
Player
<Name>k__BackingField
treasure_list
get_Name
set_Name
GetTotalTreasureAmount
DisplayTreasure_List
SetTreasure_List
DeleteTreasureList
PokemonCreature
room_health
room_creature
room_treasure
creat
get_Room_Creature
set_Room_Creature
get_Room_Treasure
set_Room_Treasure
Creature_Fight
fight_move
Room_Creature
Room_Treasure
SilverTreasure
Treasure
<TreasureName>k__BackingField
<TreasureAmount>k__BackingField
get_TreasureName
set_TreasureName
get_TreasureAmount
set_TreasureAmount
TreasureName
TreasureAmount
Board
MineSweeperGUI
difficulty
ActivateCells
SetLiveNeighbors
TotalLiveCells
TotalVisitedCells
isVisited
isLive
liveNeighbors
isFlagged
get_LiveNeighbors
set_LiveNeighbors
LiveNeighbors
sdasdad
XXXXXXXXXXXXXXXXXX
FFFFF
Assembly
System.Reflection
sadaddadas
qweqeqwweqweq
board
stopwatch
Stopwatch
System.Diagnostics
timer
Timer
totalFlags
score
panel1
Panel
button_start
label_timer
pictureBox1
PictureBox
label_remaining
pictureBox2
button_difficulty
button_highScores
timer_tick
Button_start_Click
PopulateGrid
Cell_click
RevealSingle
RevealCells
CheckForWin
Button_difficulty_Click
button_highScores_Click
PerformLayout
DifficultyForm
groupBox_difficulty
GroupBox
radioButton_hard
RadioButton
radioButton_medium
radioButton_easy
button_confirm
button_cancel
button_confirm_Click
button_cancel_Click
HighScoreForm
label2
button_saveScore
textBox_name
label3
recordingScore
showScores
recordScore
GetHighscores
button_saveScore_Click
PlayerStats
IComparable
<name>k__BackingField
<difficulty>k__BackingField
<score>k__BackingField
get_name
set_name
get_difficulty
get_score
CompareTo
RecordScore
Program
Resources
MineSweeperGUI.Properties
resourceMan
ResourceManager
System.Resources
resourceCulture
CultureInfo
System.Globalization
get_ResourceManager
get_Culture
set_Culture
get_yCXgbRezfrYWLzLTPfkcuf
System.Drawing
Bitmap
get_ServiceHost2
Culture
yCXgbRezfrYWLzLTPfkcuf
ServiceHost2
Settings
ApplicationSettingsBase
System.Configuration
defaultInstance
get_Default
Default
Archer
JakubPaw
owskiLab2Zad1
arg_on_the_wall
Shoot
Catapult
FormMain
COST_UPGRADE_WOOD_IN_IRON
COST_UPGRADE_FOOD_IN_WOOD
COST_UPGRADE_ROCKIRON_IN_WOOD
COST_UPGRADE_ROCKIRON_IN_IRON
COST_UPGRADE_HOUSE_IN_WOOD
COST_UPGRADE_HOUSE_IN_ROCK
COST_UPGRADE_HOUSE_IN_IRON
COST_UPGRADE_WALL_IN_ROCK
COST_CREATE_SWORDMAN_IN_FOOD
COST_CREATE_SWORDMAN_IN_IRON
COST_CREATE_ARCHER_IN_FOOD
COST_CREATE_ARCHER_IN_WOOD
COST_CREATE_PIKEMAN_IN_WOOD
COST_CREATE_PIKEMAN_IN_FOOD
COST_CREATE_HEALER_IN_FOOD
COST_CREATE_CATAPULT_IN_WOOD
COST_CREATE_CATAPULT_IN_ROCK
COST_CREATE_REPAIRER_IN_IRON
COST_CREATE_REPAIRER_IN_FOOD
levelResourcesWood
levelResourcesFood
levelResourcesRockIron
levelResourcesHouses
levelResourcesWall
numberResourcesWood
numberResourcesFood
numberResourcesRock
numberResourcesIron
numberResourcesVillagers
defenders
attackers
att_list
def_list
labelResourcesWood
labelResourcesRock
labelResourcesIron
labelResourcesFood
pictureBoxField
pictureBoxHill
pictureBoxForest
buttonResourcesFoodUpgrade
labelResourcesFoodLevel
labelResourcesWoodLevel
buttonResourcesWoodUpgrade
labelResourcesRockIronLevel
buttonResourcesRockIronUpgrade
labelResourcesFoodUpgradeCost
labelResourcesWoodUpgradeCost
labelResourcesRockIronUpgradeCost
labelResourcesHousesUpgradeCost
labelResourcesHousesLevel
buttonResourcesHousesUpgrade
timerNaturalResourcesGrowth
labelResourcesVillagers
timerHumanResourcesGrowth
labelSwordmanCost
timerWave
pictureBox3
timerFight
labelAttSwordmen
labelAttArchers
labelWave
pictureBox7
pictureBox8
pictureBox6
pictureBox9
pictureBox10
pictureBox11
pictureBoxHouse
pictureBoxHouse1
pictureBoxHouse2
labelResourcesWallUpgradeCost
labelResourcesWallLevel
buttonResourcesWallUpgrade
buttonPlayPause
progressBarNewWave
ProgressBar
labelCredits
labelDefSwordmen
labelDefArchers
labelDefRepairers
labelDefCatapults
labelDefHealers
labelDefPikemen
labelArcherCost
labelHealerCost
labelPikemanCost
labelRepairerCost
labelCatapultCost
labelAttPikemen
labelAttLadders
labelAttCatapults
pictureAttArcher
pictureAttPikeman
pictureAttLadder
pictureAttSwordman
pictureAttCatapult
pictureDefCatapult
pictureDefCatapult3
pictureDefCatapult2
pictureDefHealer
pictureDefRepairer
HpSwordmen
HpArchers
HpHealers
HpPikemen
HpRepairers
HpCatapults
buttonAbout
picturWall2
pictureWall3
RefreshNumbers
CountHp
units
RefreshLevelResources
RefreshCosts
Probability
chance_to_succes
GenerateAttackers
CheckStatus
Attack
Defend
timerFight_Tick
buttonResourcesFoodUpgrade_Click
buttonResourcesWoodUpgrade_Click
buttonResourcesRockIronUpgrade_Click
buttonResourcesHousesUpgrade_Click
timerNaturalResourcesGrowth_Tick
timerHumanResourcesGrowth_Tick
timerWave_Tick
buttonResourcesWallUpgrade_Click
buttonPlayPause_Click
labelDefSwordmen_Click
labelDefArchers_Click
labelDefCatapults_Click
labelDefRepairers_Click
labelDefHealers_Click
labelDefPikemen_Click
buttonAbout_Click
Healer
Ladder
Pikeman
Strike
CLimb
succed
Repairer
Repair
Swordman
<HpMax>k__BackingField
<Attack>k__BackingField
<Attack_range>k__BackingField
<Defence>k__BackingField
on_the_wall
get_HpMax
set_HpMax
get_Attack
set_Attack
get_Attack_range
set_Attack_range
get_Defence
set_Defence
target
HpMax
Attack_range
Defence
Units
swordman
archer
pikeman
ladder
catapult
healer
repairer
<PrivateImplementationDetails>
__StaticArrayInitTypeSize=32
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
CompilerGeneratedAttribute
DebuggerBrowsableAttribute
DebuggerBrowsableState
STAThreadAttribute
GeneratedCodeAttribute
System.CodeDom.Compiler
DebuggerNonUserCodeAttribute
EditorBrowsableAttribute
EditorBrowsableState
Dungeon_Sheehan.Form1.resources
Dungeon_Sheehan.Form2.resources
MineSweeperGUI.qweqeqwweqweq.resources
MineSweeperGUI.DifficultyForm.resources
JakubPaw
owskiLab2Zad1.FormMain.resources
MineSweeperGUI.HighScoreForm.resources
MineSweeperGUI.Properties.Resources.resources
MemoryStream
ReadByte
get_Length
UInt32
RuntimeHelpers
InitializeArray
Array
RuntimeFieldHandle
Encoding
System.Text
get_UTF8
GetString
String
Intern
Buffer
BlockCopy
GetTypeFromHandle
RuntimeTypeHandle
GetElementType
CreateInstance
Write
Double
Format
Int32
MessageBox
DialogResult
Control
get_Text
op_Inequality
IDisposable
SuspendLayout
set_AutoSize
FontStyle
GraphicsUnit
set_Font
Point
set_Location
set_Size
set_TabIndex
set_Text
EventHandler
add_Click
ToolStrip
get_Items
ToolStripItemCollection
ToolStripItem
AddRange
ToolStripDropDownItem
get_DropDownItems
ButtonBase
set_UseVisualStyleBackColor
SizeF
ContainerControl
set_AutoScaleDimensions
set_AutoScaleMode
AutoScaleMode
set_ClientSize
get_Controls
ControlCollection
set_MainMenuStrip
set_MaximizeBox
set_ShowIcon
set_StartPosition
FormStartPosition
add_Load
ResumeLayout
get_Count
get_Item
set_Item
set_Tag
IEnumerator
System.Collections
ArrangedElementCollection
System.Windows.Forms.Layout
GetEnumerator
get_Current
get_Enabled
MoveNext
Enumerator
Application
get_Tag
set_Enabled
Clear
ComponentResourceManager
Container
set_ImageIndex
set_ImageList
add_MouseEnter
add_MouseLeave
GetObject
ImageListStreamer
set_ImageStream
Color
get_Transparent
set_TransparentColor
get_Images
ImageCollection
SetKeyName
set_Dock
DockStyle
SystemColors
get_ControlLight
set_BackColor
get_GradientActiveCaption
Concat
GetUpperBound
GetLowerBound
FromArgb
set_FlatStyle
FlatStyle
GetTypes
GetMethods
MethodInfo
MethodBase
Invoke
Microsoft.VisualBasic
ProjectData
Microsoft.VisualBasic.CompilerServices
EndApp
add_Tick
get_Elapsed
TimeSpan
op_Equality
MessageBoxButtons
Start
StartNew
get_Width
set_Height
set_Width
MouseEventHandler
add_MouseDown
MouseEventArgs
get_Button
MouseButtons
set_BackgroundImage
Image
set_BackgroundImageLayout
ImageLayout
get_DarkGray
get_Gray
get_LawnGreen
get_Yellow
get_Red
get_Orange
get_SkyBlue
get_Indigo
get_Violet
get_White
set_ForeColor
remove_Click
ISupportInitialize
BeginInit
Padding
set_Margin
get_ButtonHighlight
set_TabStop
EndInit
Select
Close
set_Visible
FileInfo
Split
Parse
Replace
AppendAllText
EnableVisualStyles
SetCompatibleTextRenderingDefault
get_Assembly
SettingsBase
Synchronized
RemoveAt
set_Value
get_Value
set_BorderStyle
BorderStyle
set_MinimumSize
set_TextAlign
ContentAlignment
get_Silver
get_Khaki
set_Interval
get_RosyBrown
set_SizeMode
PictureBoxSizeMode
set_Image
set_InitialImage
set_Maximum
set_Step
get_MediumSpringGreen
set_WindowState
FormWindowState
WrapNonExceptionThrows
MineSweeperGUI
Copyright
2018
$5a85e55a-2d77-4c76-8788-fa7aa58b14b7
1.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.1.0.0
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
imageList1.ImageStream
ServiceHost2
yCXgbRezfrYWLzLTPfkcuf
.Properties.Resources
Invoke
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
ServiceHost
FileVersion
1.0.0.0
InternalName
ServiceHost.dll
LegalCopyright
Copyright
2020
LegalTrademarks
OriginalFilename
ServiceHost.dll
ProductName
ServiceHost
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
MineSweeperGUI
FileVersion
1.0.0.0
InternalName
VXRE.exe
LegalCopyright
Copyright
2018
LegalTrademarks
OriginalFilename
VXRE.exe
ProductName
MineSweeperGUI
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Unsafe
Zillya Clean
AegisLab Clean
Sangfor Malware
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason Clean
TrendMicro Clean
Baidu Clean
F-Prot Clean
Symantec Clean
TotalDefense Clean
APEX Malicious
Paloalto generic.ml
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Clean
NANO-Antivirus Clean
SUPERAntiSpyware Clean
Avast Clean
Rising Clean
Endgame malicious (high confidence)
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Trapmine malicious.high.ml.score
FireEye Generic.mg.91e7afe7bc252fad
Emsisoft Clean
SentinelOne DFI - Malicious PE
Cyren Clean
Jiangmin Clean
Webroot W32.Trojan.Gen
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic
Avast-Mobile Clean
Microsoft Trojan:Win32/Wacatac.C!ml
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
BitDefenderTheta Gen:[email protected]
ALYac Clean
MAX Clean
VBA32 Clean
Malwarebytes Trojan.PCrypt
Zoner Clean
ESET-NOD32 a variant of MSIL/Kryptik.WER
TrendMicro-HouseCall Clean
Tencent Clean
Yandex Clean
Ikarus Trojan.MSIL.Crypt
eGambit Clean
GData Clean
Ad-Aware Clean
AVG Clean
Panda Clean
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 HEUR/QVM03.0.B374.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.6 49918 1.1.1.1 53
192.168.1.6 50574 1.1.1.1 53
192.168.1.6 50764 1.1.1.1 53
192.168.1.6 50797 1.1.1.1 53
192.168.1.6 52348 1.1.1.1 53
192.168.1.6 52555 1.1.1.1 53
192.168.1.6 54129 1.1.1.1 53
192.168.1.6 56219 1.1.1.1 53
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 57593 1.1.1.1 53
192.168.1.6 57781 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 60016 1.1.1.1 53
192.168.1.6 60164 1.1.1.1 53
192.168.1.6 60486 1.1.1.1 53
192.168.1.6 60922 1.1.1.1 53
192.168.1.6 62653 1.1.1.1 53
192.168.1.6 63241 1.1.1.1 53
192.168.1.6 63576 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 64426 1.1.1.1 53
192.168.1.6 65048 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 49918 8.8.8.8 53
192.168.1.6 50574 8.8.8.8 53
192.168.1.6 50764 8.8.8.8 53
192.168.1.6 50797 8.8.8.8 53
192.168.1.6 52348 8.8.8.8 53
192.168.1.6 52555 8.8.8.8 53
192.168.1.6 54129 8.8.8.8 53
192.168.1.6 56219 8.8.8.8 53
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 57781 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 60016 8.8.8.8 53
192.168.1.6 60164 8.8.8.8 53
192.168.1.6 60486 8.8.8.8 53
192.168.1.6 60922 8.8.8.8 53
192.168.1.6 62653 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63576 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53
192.168.1.6 64426 8.8.8.8 53
192.168.1.6 65048 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy
  • T1099 - Timestomp
    • Signature - pe_compile_timestomping

Execution
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

Persistence
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

Privilege Escalation
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 10.177999999999999 seconds )

    • 5.236 Suricata
    • 2.816 BehaviorAnalysis
    • 0.588 NetworkAnalysis
    • 0.475 Static
    • 0.334 CAPE
    • 0.282 VirusTotal
    • 0.129 static_dotnet
    • 0.114 AnalysisInfo
    • 0.065 Dropped
    • 0.059 Deduplicate
    • 0.045 TargetInfo
    • 0.018 Strings
    • 0.011 Debug
    • 0.006 peid

    Signatures ( 1.957999999999997 seconds )

    • 0.225 antiav_detectreg
    • 0.1 infostealer_ftp
    • 0.099 mimics_filetime
    • 0.079 territorial_disputes_sigs
    • 0.067 antiav_detectfile
    • 0.066 stealth_timeout
    • 0.062 Doppelganging
    • 0.061 decoy_document
    • 0.061 masquerade_process_name
    • 0.06 antivm_generic_disk
    • 0.059 infostealer_im
    • 0.055 api_spamming
    • 0.046 antianalysis_detectreg
    • 0.045 NewtWire Behavior
    • 0.041 infostealer_bitcoin
    • 0.04 virus
    • 0.037 reads_self
    • 0.037 stealth_file
    • 0.036 antianalysis_detectfile
    • 0.035 bootkit
    • 0.028 antivm_vbox_files
    • 0.026 injection_createremotethread
    • 0.025 antivm_vbox_keys
    • 0.025 infostealer_mail
    • 0.024 InjectionCreateRemoteThread
    • 0.022 InjectionProcessHollowing
    • 0.022 injection_runpe
    • 0.021 InjectionInterProcess
    • 0.019 hancitor_behavior
    • 0.016 antivm_vmware_keys
    • 0.015 InjectionSetWindowLong
    • 0.015 Vidar Behavior
    • 0.015 ransomware_files
    • 0.014 neshta_files
    • 0.013 antivm_xen_keys
    • 0.013 predatorthethief_files
    • 0.013 qulab_files
    • 0.012 antivm_parallels_keys
    • 0.012 geodo_banking_trojan
    • 0.011 antidbg_devices
    • 0.01 PlugX
    • 0.009 hawkeye_behavior
    • 0.009 ransomware_extensions
    • 0.008 injection_explorer
    • 0.008 antivm_generic_diskreg
    • 0.008 antivm_vmware_files
    • 0.008 antivm_vpc_keys
    • 0.007 TransactedHollowing
    • 0.007 betabot_behavior
    • 0.007 network_tor
    • 0.006 antidebug_guardpages
    • 0.006 exploit_heapspray
    • 0.006 h1n1_behavior
    • 0.006 kibex_behavior
    • 0.006 kovter_behavior
    • 0.006 rat_luminosity
    • 0.006 stack_pivot
    • 0.005 antiemu_wine_func
    • 0.005 dynamic_function_loading
    • 0.005 persistence_autorun
    • 0.005 stack_pivot_file_created
    • 0.005 antivm_vbox_devices
    • 0.005 bypass_firewall
    • 0.005 codelux_behavior
    • 0.005 rat_pcclient
    • 0.004 antivm_generic_scsi
    • 0.004 kazybot_behavior
    • 0.004 Locky_behavior
    • 0.004 malicious_dynamic_function_loading
    • 0.004 shifu_behavior
    • 0.004 antivm_xen_keys
    • 0.004 antivm_hyperv_keys
    • 0.004 browser_security
    • 0.003 antidbg_windows
    • 0.003 infostealer_browser_password
    • 0.003 ketrican_regkeys
    • 0.003 banker_cridex
    • 0.003 limerat_regkeys
    • 0.003 obliquerat_files
    • 0.003 recon_fingerprint
    • 0.003 sniffer_winpcap
    • 0.002 encrypted_ioc
    • 0.002 exec_crash
    • 0.002 exploit_getbasekerneladdress
    • 0.002 infostealer_browser
    • 0.002 blackrat_registry_keys
    • 0.002 recon_programs
    • 0.002 antisandbox_cuckoo_files
    • 0.002 antisandbox_fortinet_files
    • 0.002 antisandbox_threattrack_files
    • 0.002 antivm_generic_bios
    • 0.002 antivm_generic_system
    • 0.002 antivm_vpc_files
    • 0.002 bitcoin_opencl
    • 0.002 darkcomet_regkeys
    • 0.002 disables_browser_warn
    • 0.002 network_tor_service
    • 0.002 dcrat_files
    • 0.002 warzonerat_files
    • 0.002 remcos_files
    • 0.002 remcos_regkeys
    • 0.002 targeted_flame
    • 0.001 Unpacker
    • 0.001 antiav_avast_libs
    • 0.001 antivm_generic_services
    • 0.001 antivm_vbox_libs
    • 0.001 uac_bypass_eventvwr
    • 0.001 exploit_gethaldispatchtable
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 OrcusRAT Behavior
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 disables_windows_defender
    • 0.001 arkei_files
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 packer_armadillo_regkey
    • 0.001 medusalocker_regkeys
    • 0.001 revil_mutexes
    • 0.001 warzonerat_regkeys
    • 0.001 spreading_autoruninf
    • 0.001 stealth_hiddenreg

    Reporting ( 7.444 seconds )

    • 6.587 BinGraph
    • 0.796 MITRE_TTPS
    • 0.053 SubmitCAPE
    • 0.008 PCAP2CERT