Detections

Yara:

NanoCore

Analysis

Category Package Started Completed Duration Options Log
FILE exe 2020-10-18 06:33:06 2020-10-18 06:39:14 368 seconds Show Options Show Log
route = tor
2020-05-13 09:26:01,758 [root] INFO: Date set to: 20201018T06:33:04, timeout set to: 200
2020-10-18 06:33:04,046 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-10-18 06:33:04,046 [root] DEBUG: Storing results at: C:\BRuQIh
2020-10-18 06:33:04,062 [root] DEBUG: Pipe server name: \\.\PIPE\JLwAznp
2020-10-18 06:33:04,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:33:04,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:33:04,062 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 06:33:04,062 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 06:33:04,312 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 06:33:05,968 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:33:05,984 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:33:06,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:33:06,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:33:07,203 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:33:07,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:33:07,359 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:33:07,484 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:33:07,484 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:33:07,484 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:33:16,375 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:33:16,640 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:33:17,015 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:33:17,015 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:33:17,031 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:33:17,218 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:33:17,218 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:33:17,218 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:33:17,234 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:33:17,234 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:33:17,234 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:33:20,796 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:33:20,796 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:33:20,796 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:33:20,796 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:33:20,843 [modules.auxiliary.disguise] INFO: Disguising GUID to 27524949-1000-4c11-bf17-01b4a3882232
2020-10-18 06:33:20,843 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:33:20,843 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:33:20,843 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:33:20,843 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:33:20,859 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:33:20,859 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:33:20,859 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:33:20,859 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:33:20,859 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:33:20,859 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:33:20,859 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:33:20,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 06:33:20,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 06:33:20,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 06:33:20,859 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 06:33:20,921 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe" with arguments "" with pid 2000
2020-10-18 06:33:20,921 [lib.api.process] INFO: Monitor config for process 2000: C:\tmp2ssujfce\dll\2000.ini
2020-10-18 06:33:20,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:33:21,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:33:21,046 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:33:21,046 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:33:21,046 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:33:23,062 [lib.api.process] INFO: Successfully resumed process with pid 2000
2020-10-18 06:33:23,109 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:33:23,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:33:23,125 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2000 at 0x6fa40000, image base 0xc00000, stack from 0x365000-0x370000
2020-10-18 06:33:23,125 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe"
2020-10-18 06:33:23,187 [root] INFO: Loaded monitor into process with pid 2000
2020-10-18 06:33:23,203 [root] DEBUG: set_caller_info: Adding region at 0x00270000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:33:23,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x270000 - 0x370000.
2020-10-18 06:33:23,203 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x270000
2020-10-18 06:33:23,218 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x270000
2020-10-18 06:33:23,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00270000 size 0x100000.
2020-10-18 06:33:23,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_316279830235313180102020 (size 0x820)
2020-10-18 06:33:23,437 [root] DEBUG: DumpRegion: Dumped region at 0x0036F000, size 0x1000.
2020-10-18 06:33:23,453 [root] DEBUG: set_caller_info: Adding region at 0x02220000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:33:23,468 [root] DEBUG: DumpPEsInRange: Scanning range 0x2220000 - 0x2620000.
2020-10-18 06:33:23,468 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2265fc1
2020-10-18 06:33:23,500 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2220000
2020-10-18 06:33:23,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02220000 size 0x400000.
2020-10-18 06:33:23,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_356435324235313180102020 (size 0x1a41)
2020-10-18 06:33:23,531 [root] DEBUG: DumpRegion: Dumped region at 0x025DD000, size 0x10000.
2020-10-18 06:33:23,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd4 and local view 0x72D60000 to global list.
2020-10-18 06:33:23,546 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:33:23,546 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-10-18 06:33:23,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x03630000 to global list.
2020-10-18 06:33:23,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x03630000 to global list.
2020-10-18 06:33:23,578 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:33:23,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72670000 for section view with handle 0xe4.
2020-10-18 06:33:23,578 [root] DEBUG: DLL loaded at 0x72670000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:33:23,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73380000 for section view with handle 0xe4.
2020-10-18 06:33:23,593 [root] DEBUG: DLL loaded at 0x73380000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:33:24,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00110000 to global list.
2020-10-18 06:33:25,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00160000 to global list.
2020-10-18 06:33:25,046 [root] INFO: Disabling sleep skipping.
2020-10-18 06:33:25,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x06090000 to global list.
2020-10-18 06:33:25,984 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 and local view 0x6D680000 to global list.
2020-10-18 06:33:26,031 [root] DEBUG: DLL loaded at 0x6D680000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:33:28,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x6EFF0000 to global list.
2020-10-18 06:33:28,343 [root] DEBUG: DLL loaded at 0x6EFF0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:33:29,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x70B30000 to global list.
2020-10-18 06:33:29,703 [root] DEBUG: DLL loaded at 0x70B30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:33:30,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x70730000 to global list.
2020-10-18 06:33:30,249 [root] DEBUG: DLL loaded at 0x70730000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-10-18 06:33:30,265 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:33:30,281 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:33:32,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6CAD0000 for section view with handle 0x22c.
2020-10-18 06:33:32,296 [root] DEBUG: DLL loaded at 0x6CAD0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-10-18 06:33:32,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x6B7C0000 to global list.
2020-10-18 06:33:32,968 [root] DEBUG: DLL loaded at 0x6B7C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-10-18 06:33:33,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70030000 for section view with handle 0x224.
2020-10-18 06:33:33,375 [root] DEBUG: DLL loaded at 0x70030000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-10-18 06:33:33,812 [root] DEBUG: DLL loaded at 0x72E60000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-10-18 06:33:33,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x705E0000 for section view with handle 0x224.
2020-10-18 06:33:33,953 [root] DEBUG: DLL loaded at 0x705E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-10-18 06:33:34,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FFB0000 for section view with handle 0x224.
2020-10-18 06:33:34,046 [root] DEBUG: DLL loaded at 0x6FFB0000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-10-18 06:33:34,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FEE0000 for section view with handle 0x22c.
2020-10-18 06:33:34,265 [root] DEBUG: DLL loaded at 0x6FEE0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-10-18 06:33:34,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FE60000 for section view with handle 0x22c.
2020-10-18 06:33:34,468 [root] DEBUG: DLL loaded at 0x6FE60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:33:35,140 [root] DEBUG: set_caller_info: Adding region at 0x00220000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:33:35,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x220000 - 0x230000.
2020-10-18 06:33:35,140 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x220fc1
2020-10-18 06:33:35,140 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x230000
2020-10-18 06:33:35,140 [root] DEBUG: DumpMemory: Nothing to dump at 0x00220000!
2020-10-18 06:33:35,140 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00220000 size 0x10000.
2020-10-18 06:33:35,187 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_1259490280555313180102020 (size 0x479)
2020-10-18 06:33:35,187 [root] DEBUG: DumpRegion: Dumped region at 0x00220000, size 0x1000.
2020-10-18 06:33:35,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 and local view 0x73000000 to global list.
2020-10-18 06:33:35,843 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:33:35,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06640000 for section view with handle 0x234.
2020-10-18 06:33:35,921 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:33:35,937 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:33:36,031 [root] DEBUG: set_caller_info: Adding region at 0x00180000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:33:36,031 [root] DEBUG: DumpPEsInRange: Scanning range 0x180000 - 0x190000.
2020-10-18 06:33:36,031 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x180fc1
2020-10-18 06:33:36,046 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x190000
2020-10-18 06:33:36,046 [root] DEBUG: DumpMemory: Nothing to dump at 0x00180000!
2020-10-18 06:33:36,046 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00180000 size 0x10000.
2020-10-18 06:33:36,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_539832494565313180102020 (size 0x5a3)
2020-10-18 06:33:36,093 [root] DEBUG: DumpRegion: Dumped region at 0x0018D000, size 0x1000.
2020-10-18 06:33:36,203 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:33:37,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x264 and local view 0x00540000 to global list.
2020-10-18 06:33:39,500 [root] DEBUG: set_caller_info: Adding region at 0x00410000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:33:39,500 [root] DEBUG: DumpPEsInRange: Scanning range 0x410000 - 0x420000.
2020-10-18 06:33:39,500 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x410fc1
2020-10-18 06:33:39,500 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x420000
2020-10-18 06:33:39,500 [root] DEBUG: DumpMemory: Nothing to dump at 0x00410000!
2020-10-18 06:33:39,515 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00410000 size 0x10000.
2020-10-18 06:33:39,546 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_961945307595313180102020 (size 0xf2)
2020-10-18 06:33:39,546 [root] DEBUG: DumpRegion: Dumped region at 0x00410000, size 0x1000.
2020-10-18 06:33:39,640 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf.dll
2020-10-18 06:33:39,734 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:33:39,734 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:33:39,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x294 and local view 0x72FE0000 to global list.
2020-10-18 06:33:39,906 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf (0x1b000 bytes).
2020-10-18 06:33:39,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 and local view 0x76A70000 to global list.
2020-10-18 06:33:39,921 [root] DEBUG: DLL loaded at 0x76A70000: C:\Windows\syswow64\CRYPT32 (0x122000 bytes).
2020-10-18 06:33:39,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x76EA0000 for section view with handle 0x268.
2020-10-18 06:33:39,937 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-10-18 06:33:40,046 [root] DEBUG: DLL unloaded from 0x6FE60000.
2020-10-18 06:34:05,531 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\syswow64\urlmon (0x124000 bytes).
2020-10-18 06:34:05,531 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:34:05,531 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:34:05,546 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:34:05,578 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:34:05,593 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:34:05,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x344 and local view 0x00480000 to global list.
2020-10-18 06:34:05,609 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-10-18 06:34:05,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x360 and local view 0x6FB60000 to global list.
2020-10-18 06:34:05,812 [root] DEBUG: DLL loaded at 0x6FB60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:34:05,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x35c and local view 0x6AAA0000 to global list.
2020-10-18 06:34:05,875 [root] DEBUG: DLL loaded at 0x6AAA0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:34:06,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EE50000 for section view with handle 0x35c.
2020-10-18 06:34:06,093 [root] DEBUG: DLL loaded at 0x6EE50000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:34:06,125 [root] DEBUG: DLL loaded at 0x6ED10000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-10-18 06:34:06,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x358 and local view 0x00580000 to global list.
2020-10-18 06:34:06,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00590000 for section view with handle 0x358.
2020-10-18 06:34:06,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x005A0000 for section view with handle 0x358.
2020-10-18 06:34:37,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x378 and local view 0x00AB0000 to global list.
2020-10-18 06:34:37,312 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
2020-10-18 06:34:37,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x380 and local view 0x72FC0000 to global list.
2020-10-18 06:34:37,343 [root] DEBUG: DLL loaded at 0x72FC0000: C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT (0x1b000 bytes).
2020-10-18 06:34:37,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x390 and local view 0x07230000 to global list.
2020-10-18 06:34:37,500 [root] DEBUG: DLL loaded at 0x769A0000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2020-10-18 06:34:37,515 [root] DEBUG: DLL loaded at 0x76080000: C:\Windows\syswow64\imagehlp (0x2b000 bytes).
2020-10-18 06:34:37,515 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3ac and local view 0x07230000 to global list.
2020-10-18 06:34:37,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B10000 for section view with handle 0x3ac.
2020-10-18 06:34:37,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3ac.
2020-10-18 06:34:37,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B10000 for section view with handle 0x3ac.
2020-10-18 06:34:37,562 [root] DEBUG: DLL loaded at 0x731F0000: C:\Windows\system32\ncrypt (0x39000 bytes).
2020-10-18 06:34:37,562 [root] DEBUG: DLL loaded at 0x731B0000: C:\Windows\SysWOW64\bcryptprimitives (0x3d000 bytes).
2020-10-18 06:34:37,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3b4 and local view 0x03A70000 to global list.
2020-10-18 06:34:37,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:37,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:37,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07090000 for section view with handle 0x3b4.
2020-10-18 06:34:37,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:37,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07090000 for section view with handle 0x3b4.
2020-10-18 06:34:37,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:37,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06A00000 for section view with handle 0x3b4.
2020-10-18 06:34:37,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B30000 for section view with handle 0x3b4.
2020-10-18 06:34:37,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B30000 for section view with handle 0x3b4.
2020-10-18 06:34:37,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:37,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:37,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:37,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:37,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:37,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:37,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:37,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:37,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:37,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:37,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:37,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:37,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:38,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:38,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:38,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06AA0000 for section view with handle 0x3b4.
2020-10-18 06:34:38,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00BD0000 for section view with handle 0x3b4.
2020-10-18 06:34:38,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00BD0000 for section view with handle 0x3b4.
2020-10-18 06:34:38,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:38,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03A70000 for section view with handle 0x3b4.
2020-10-18 06:34:38,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:38,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:38,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:38,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08A40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08F10000 for section view with handle 0x3b4.
2020-10-18 06:34:38,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08A40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07230000 for section view with handle 0x3b4.
2020-10-18 06:34:38,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B20000 for section view with handle 0x3b4.
2020-10-18 06:34:38,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00B40000 for section view with handle 0x3b4.
2020-10-18 06:34:38,375 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:38,375 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:38,390 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:38,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:38,421 [root] DEBUG: Loader: Injecting process 2396 (thread 2276) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:38,421 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:38,421 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:38,421 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:38,437 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:34:38,484 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2396, ImageBase: 0x00C00000
2020-10-18 06:34:38,484 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:38,484 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:38,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:38,515 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:38,515 [root] DEBUG: Loader: Injecting process 2396 (thread 2276) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:38,515 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:38,515 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:38,515 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,093 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 2396 (ImageBase 0x400000)
2020-10-18 06:34:42,109 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:34:42,109 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x051BC0D8.
2020-10-18 06:34:42,218 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xc3a00.
2020-10-18 06:34:42,218 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x51bc0d8, SizeOfImage 0xcc000.
2020-10-18 06:34:42,218 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:42,218 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:42,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:42,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:42,249 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,249 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:42,249 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:42,249 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:42,249 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,468 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04468D80 (size 0x4200) injected into process 2396.
2020-10-18 06:34:42,500 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_600620824151914180102020 (size 0x41c3)
2020-10-18 06:34:42,500 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:34:42,500 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:42,500 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:42,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:42,531 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:42,531 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,531 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:42,531 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:42,531 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:42,531 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,718 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0451A778 (size 0x200) injected into process 2396.
2020-10-18 06:34:42,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_1600178320151914180102020 (size 0x95)
2020-10-18 06:34:42,765 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:42,765 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:42,765 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:42,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:42,796 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:42,796 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:42,812 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:42,812 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:42,812 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,000 [root] DEBUG: WriteMemoryHandler: shellcode at 0x053F4EA8 (size 0xbf000) injected into process 2396.
2020-10-18 06:34:43,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_434898225151914180102020 (size 0xbf000)
2020-10-18 06:34:43,046 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:34:43,062 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:43,062 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:43,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:43,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:43,078 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,078 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:43,078 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:43,078 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:43,078 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,296 [root] DEBUG: WriteMemoryHandler: shellcode at 0x041A2B98 (size 0x200) injected into process 2396.
2020-10-18 06:34:43,343 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2000_1115684301171914180102020 (size 0xa)
2020-10-18 06:34:43,343 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-10-18 06:34:43,343 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:43,343 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:43,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:43,375 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:43,375 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,375 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:43,375 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:43,375 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:43,375 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,578 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:43,593 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:43,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:43,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:43,640 [root] DEBUG: Loader: Injecting process 2396 (thread 0) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:43,640 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 2276, handle 0xbc
2020-10-18 06:34:43,640 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:43,640 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:43,640 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:46,515 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000061BE (process 2396).
2020-10-18 06:34:46,515 [root] INFO: Announced 32-bit process name: Invoices 073.exe pid: 2396
2020-10-18 06:34:46,515 [lib.api.process] INFO: Monitor config for process 2396: C:\tmp2ssujfce\dll\2396.ini
2020-10-18 06:34:46,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:34:46,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:34:46,562 [root] DEBUG: Loader: Injecting process 2396 (thread 2276) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:46,562 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:34:46,562 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:34:46,562 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:34:46,875 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2396.
2020-10-18 06:34:46,890 [root] DEBUG: DLL unloaded from 0x705E0000.
2020-10-18 06:34:46,906 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:34:46,906 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:34:46,921 [root] INFO: Disabling sleep skipping.
2020-10-18 06:34:46,921 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2396 at 0x6fa40000, image base 0x400000, stack from 0x3f6000-0x400000
2020-10-18 06:34:46,921 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe"
2020-10-18 06:34:46,984 [root] DEBUG: DLL unloaded from 0x6FEE0000.
2020-10-18 06:34:46,984 [root] INFO: Loaded monitor into process with pid 2396
2020-10-18 06:34:46,984 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:46,984 [root] DEBUG: DumpPEsInRange: Scanning range 0x90000 - 0x91000.
2020-10-18 06:34:46,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x90000-0x91000.
2020-10-18 06:34:47,000 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2000
2020-10-18 06:34:47,000 [root] DEBUG: GetHookCallerBase: thread 2624 (handle 0x0), return address 0x6FA71B6C, allocation base 0x6FA40000.
2020-10-18 06:34:47,000 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00C00000.
2020-10-18 06:34:47,015 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00C02000
2020-10-18 06:34:47,015 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:34:47,015 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00C00000.
2020-10-18 06:34:47,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1595395592465413180102020 (size 0x12c)
2020-10-18 06:34:47,015 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00D25200 to 0x00D25400).
2020-10-18 06:34:47,031 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00090000, size 0x1000.
2020-10-18 06:34:47,031 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,031 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,031 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,046 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,046 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,046 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,046 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:34:47,046 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00C00000, dumping memory region.
2020-10-18 06:34:47,046 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,062 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,062 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x74380000.
2020-10-18 06:34:47,078 [root] DEBUG: DLL unloaded from 0x72670000.
2020-10-18 06:34:47,093 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,093 [root] DEBUG: DLL unloaded from 0x72D60000.
2020-10-18 06:34:47,093 [root] DEBUG: DumpPEsInRange: Scanning range 0xc0000 - 0xc1000.
2020-10-18 06:34:47,093 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2000
2020-10-18 06:34:47,093 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xc0000-0xc1000.
2020-10-18 06:34:47,109 [root] DEBUG: GetHookCallerBase: thread 2624 (handle 0x0), return address 0x6FA71B6C, allocation base 0x6FA40000.
2020-10-18 06:34:47,156 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00C00000.
2020-10-18 06:34:47,156 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00C02000
2020-10-18 06:34:47,156 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:34:47,171 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00C00000.
2020-10-18 06:34:47,171 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00D25200 to 0x00D25400).
2020-10-18 06:34:47,187 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_739708372475413180102020 (size 0x12c)
2020-10-18 06:34:47,187 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x000C0000, size 0x1000.
2020-10-18 06:34:47,187 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,187 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,203 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,203 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,203 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,218 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,234 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:34:47,249 [root] DEBUG: set_caller_info: Adding region at 0x000D0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,249 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00C00000, dumping memory region.
2020-10-18 06:34:47,265 [root] DEBUG: DumpPEsInRange: Scanning range 0xd0000 - 0xd1000.
2020-10-18 06:34:47,265 [root] INFO: Process with pid 2000 has terminated
2020-10-18 06:34:47,265 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xd0000-0xd1000.
2020-10-18 06:34:47,359 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1869372299475413180102020 (size 0x12c)
2020-10-18 06:34:47,359 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x000D0000, size 0x1000.
2020-10-18 06:34:47,359 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,375 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,375 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,375 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,375 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,375 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,390 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,390 [root] DEBUG: DumpPEsInRange: Scanning range 0xe0000 - 0xe1000.
2020-10-18 06:34:47,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xe0000-0xe1000.
2020-10-18 06:34:47,421 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_980375964475413180102020 (size 0x12c)
2020-10-18 06:34:47,437 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x000E0000, size 0x1000.
2020-10-18 06:34:47,437 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,437 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,437 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,437 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,453 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,453 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,453 [root] DEBUG: set_caller_info: Adding region at 0x000F0000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,468 [root] DEBUG: DumpPEsInRange: Scanning range 0xf0000 - 0xf1000.
2020-10-18 06:34:47,468 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf0000-0xf1000.
2020-10-18 06:34:47,484 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1025856448475413180102020 (size 0x12c)
2020-10-18 06:34:47,500 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x000F0000, size 0x1000.
2020-10-18 06:34:47,500 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,500 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,500 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,515 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,515 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,515 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,531 [root] DEBUG: set_caller_info: Adding region at 0x00100000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:34:47,531 [root] DEBUG: DumpPEsInRange: Scanning range 0x100000 - 0x101000.
2020-10-18 06:34:47,562 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x100000-0x101000.
2020-10-18 06:34:47,593 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1351429586475413180102020 (size 0x12c)
2020-10-18 06:34:47,593 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00100000, size 0x1000.
2020-10-18 06:34:47,593 [root] DEBUG: DLL loaded at 0x00B10000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:34:47,609 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,609 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,609 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:34:47,609 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:34:47,609 [root] DEBUG: DLL unloaded from 0x00B10000.
2020-10-18 06:34:47,625 [root] DEBUG: set_caller_info: Adding region at 0x00300000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:34:47,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x400000.
2020-10-18 06:34:47,625 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x300000
2020-10-18 06:34:47,640 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x300000
2020-10-18 06:34:47,640 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00300000 size 0x100000.
2020-10-18 06:34:47,687 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1327199104475413180102020 (size 0x85c)
2020-10-18 06:34:47,703 [root] DEBUG: DumpRegion: Dumped region at 0x003FF000, size 0x1000.
2020-10-18 06:34:47,703 [root] DEBUG: set_caller_info: Adding region at 0x021C0000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:34:47,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x21c0000 - 0x25c0000.
2020-10-18 06:34:47,734 [root] DEBUG: TestPERequirements: Exception occurred reading region at 0x2240007
2020-10-18 06:34:47,734 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x223ffc1
2020-10-18 06:34:47,750 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x21c0000
2020-10-18 06:34:47,750 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x021C0000 size 0x400000.
2020-10-18 06:34:47,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_1971651278475413180102020 (size 0x1a41)
2020-10-18 06:34:47,843 [root] DEBUG: DumpRegion: Dumped region at 0x0257D000, size 0x10000.
2020-10-18 06:34:47,843 [root] DEBUG: set_caller_info: Adding region at 0x00500000 to caller regions list (kernel32::FindFirstFileExW).
2020-10-18 06:34:47,859 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x600000.
2020-10-18 06:34:47,859 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x538fc1
2020-10-18 06:34:47,875 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x600000
2020-10-18 06:34:47,875 [root] DEBUG: DumpMemory: Nothing to dump at 0x00500000!
2020-10-18 06:34:47,875 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00500000 size 0x100000.
2020-10-18 06:34:47,906 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x600000
2020-10-18 06:34:47,906 [root] DEBUG: DumpMemory: Nothing to dump at 0x00570000!
2020-10-18 06:34:47,906 [root] DEBUG: DumpRegion: Failed to dump region at 0x00570000 size 0x90000.
2020-10-18 06:34:47,906 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x72D60000 to global list.
2020-10-18 06:34:47,921 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:34:47,921 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-10-18 06:34:47,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x03B80000 to global list.
2020-10-18 06:34:47,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x03B80000 to global list.
2020-10-18 06:34:47,953 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:34:47,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72670000 for section view with handle 0xe4.
2020-10-18 06:34:47,968 [root] DEBUG: DLL loaded at 0x72670000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-10-18 06:34:47,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x73380000 for section view with handle 0xe4.
2020-10-18 06:34:47,968 [root] DEBUG: DLL loaded at 0x73380000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-10-18 06:34:48,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00120000 to global list.
2020-10-18 06:34:48,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00130000 to global list.
2020-10-18 06:34:48,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 and local view 0x06050000 to global list.
2020-10-18 06:34:48,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f8 and local view 0x6C2E0000 to global list.
2020-10-18 06:34:48,093 [root] DEBUG: DLL loaded at 0x6C2E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:34:48,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x70900000 to global list.
2020-10-18 06:34:48,171 [root] DEBUG: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:34:48,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F220000 for section view with handle 0x224.
2020-10-18 06:34:48,203 [root] DEBUG: DLL loaded at 0x6F220000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:34:48,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 and local view 0x70720000 to global list.
2020-10-18 06:34:48,234 [root] DEBUG: DLL loaded at 0x70720000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni (0x1d1000 bytes).
2020-10-18 06:34:48,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c and local view 0x72F20000 to global list.
2020-10-18 06:34:48,343 [root] DEBUG: DLL loaded at 0x72F20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:34:48,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70090000 for section view with handle 0x224.
2020-10-18 06:34:48,375 [root] DEBUG: DLL loaded at 0x70090000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:34:48,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6DD00000 for section view with handle 0x220.
2020-10-18 06:34:48,421 [root] DEBUG: DLL loaded at 0x6DD00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:34:48,468 [root] DEBUG: set_caller_info: Adding region at 0x004F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:34:48,468 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x500000.
2020-10-18 06:34:48,484 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x4f0fc1
2020-10-18 06:34:48,484 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x500000
2020-10-18 06:34:48,500 [root] DEBUG: DumpMemory: Nothing to dump at 0x004F0000!
2020-10-18 06:34:48,500 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004F0000 size 0x10000.
2020-10-18 06:34:48,578 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_111763293685513180102020 (size 0x518)
2020-10-18 06:34:48,578 [root] DEBUG: DumpRegion: Dumped region at 0x004F0000, size 0x1000.
2020-10-18 06:34:48,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x72E20000 to global list.
2020-10-18 06:34:48,671 [root] DEBUG: DLL loaded at 0x72E20000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni (0xfc000 bytes).
2020-10-18 06:34:48,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x72FE0000 to global list.
2020-10-18 06:34:48,703 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:34:48,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x064A0000 for section view with handle 0x230.
2020-10-18 06:34:48,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EAE0000 for section view with handle 0x230.
2020-10-18 06:34:48,843 [root] DEBUG: DLL loaded at 0x6EAE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni (0x73e000 bytes).
2020-10-18 06:34:48,921 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:34:48,937 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:34:48,953 [root] DEBUG: set_caller_info: Adding region at 0x00190000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:34:48,953 [root] DEBUG: DumpPEsInRange: Scanning range 0x190000 - 0x1a0000.
2020-10-18 06:34:48,953 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x190fc1
2020-10-18 06:34:48,968 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1a0000
2020-10-18 06:34:48,968 [root] DEBUG: DumpMemory: Nothing to dump at 0x00190000!
2020-10-18 06:34:49,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_212569538485513180102020 (size 0x5b7)
2020-10-18 06:34:49,093 [root] DEBUG: DumpRegion: Dumped region at 0x0019D000, size 0x1000.
2020-10-18 06:34:49,109 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:34:49,125 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:34:49,140 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:34:49,187 [root] DEBUG: DLL loaded at 0x70690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32 (0x84000 bytes).
2020-10-18 06:34:49,203 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-10-18 06:34:49,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x1a0000 - 0x1b0000.
2020-10-18 06:34:49,203 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1a9fc1
2020-10-18 06:34:49,203 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x1b0000
2020-10-18 06:34:49,218 [root] DEBUG: DumpMemory: Nothing to dump at 0x001A0000!
2020-10-18 06:34:49,218 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001A0000 size 0x10000.
2020-10-18 06:34:49,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\2396_122292182295513180102020 (size 0xf6)
2020-10-18 06:34:49,265 [root] DEBUG: DumpRegion: Dumped region at 0x001AD000, size 0x1000.
2020-10-18 06:34:49,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x270 and local view 0x705C0000 to global list.
2020-10-18 06:34:49,359 [root] DEBUG: DLL loaded at 0x705C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni (0xc9000 bytes).
2020-10-18 06:34:49,421 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-10-18 06:34:49,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x268 and local view 0x6D800000 to global list.
2020-10-18 06:34:49,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x274 and local view 0x6FEF0000 to global list.
2020-10-18 06:34:49,625 [root] DEBUG: DLL loaded at 0x6FEF0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-10-18 06:34:49,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x27c and local view 0x008D0000 to global list.
2020-10-18 06:34:49,671 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
2020-10-18 06:34:49,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x280 and local view 0x00700000 to global list.
2020-10-18 06:34:49,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x28c and local view 0x00720000 to global list.
2020-10-18 06:34:49,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06A00000 for section view with handle 0x28c.
2020-10-18 06:34:49,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:49,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06A00000 for section view with handle 0x28c.
2020-10-18 06:34:49,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:49,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06BC0000 for section view with handle 0x28c.
2020-10-18 06:34:49,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:50,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:50,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:50,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:50,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:50,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:50,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06BC0000 for section view with handle 0x28c.
2020-10-18 06:34:50,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:50,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:50,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:51,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:51,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:51,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:34:51,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:51,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06BC0000 for section view with handle 0x28c.
2020-10-18 06:34:51,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:51,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:51,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:51,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06BC0000 for section view with handle 0x28c.
2020-10-18 06:34:52,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:52,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06BC0000 for section view with handle 0x28c.
2020-10-18 06:34:52,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:52,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:52,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:52,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:52,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:52,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:52,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:52,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:52,968 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:53,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:53,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:34:53,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:53,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:53,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:53,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:53,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:53,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:53,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:53,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:53,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:53,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:54,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:34:54,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:54,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:54,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:34:54,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:54,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:54,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:54,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:54,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:54,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:55,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:55,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:55,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:55,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08150000 for section view with handle 0x28c.
2020-10-18 06:34:55,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:56,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:56,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,531 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:56,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:56,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:56,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:56,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:34:56,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:56,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:56,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:56,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:57,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:57,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:57,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:57,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:34:57,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:57,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:57,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:57,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:57,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:57,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:57,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06A00000 for section view with handle 0x28c.
2020-10-18 06:34:57,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:57,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:57,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:57,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:58,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:58,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:58,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:34:58,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06850000 for section view with handle 0x28c.
2020-10-18 06:34:58,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:58,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x09120000 for section view with handle 0x28c.
2020-10-18 06:34:59,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:59,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:59,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:59,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:59,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:59,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:34:59,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:59,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:59,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:59,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:59,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:59,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:34:59,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:34:59,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:00,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:00,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:00,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:00,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:00,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:00,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:00,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:00,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:01,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:01,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:01,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:01,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:01,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:01,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:01,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:01,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:01,906 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:02,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:02,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:02,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x09120000 for section view with handle 0x28c.
2020-10-18 06:35:02,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:02,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:02,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:02,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:02,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:02,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:02,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:02,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:03,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:03,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:03,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:03,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:03,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:35:03,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:03,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:35:04,015 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:04,078 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x008D0000 for section view with handle 0x28c.
2020-10-18 06:35:04,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:04,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:04,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x073C0000 for section view with handle 0x28c.
2020-10-18 06:35:04,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:04,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x038A0000 for section view with handle 0x28c.
2020-10-18 06:35:04,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03750000 for section view with handle 0x28c.
2020-10-18 06:35:04,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:04,718 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:04,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00720000 for section view with handle 0x28c.
2020-10-18 06:35:04,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00AC0000 for section view with handle 0x28c.
2020-10-18 06:35:05,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x00AC0000 to global list.
2020-10-18 06:35:05,265 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\Client-built.exe
2020-10-18 06:35:05,296 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\Bin.exe
2020-10-18 06:35:05,312 [root] DEBUG: DLL loaded at 0x6FC00000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:35:05,328 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:35:05,328 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:35:05,453 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:05,468 [root] DEBUG: DLL loaded at 0x6DAC0000: C:\Windows\system32\wpdshext (0x238000 bytes).
2020-10-18 06:35:05,515 [root] DEBUG: DLL loaded at 0x6FEB0000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-10-18 06:35:05,625 [root] DEBUG: DLL loaded at 0x70590000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-10-18 06:35:05,734 [root] DEBUG: DLL loaded at 0x6AD60000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-10-18 06:35:05,750 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:35:05,765 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:05,765 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:05,781 [root] DEBUG: DLL loaded at 0x73240000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:05,796 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:05,796 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:35:05,812 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:35:05,828 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:35:05,859 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:35:05,859 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:35:05,875 [root] DEBUG: DLL loaded at 0x76800000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-10-18 06:35:05,890 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-10-18 06:35:05,906 [root] DEBUG: DLL loaded at 0x76EC0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-10-18 06:35:05,953 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-10-18 06:35:05,968 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-10-18 06:35:05,968 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:05,968 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:35:05,984 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:35:06,000 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-10-18 06:35:06,203 [root] INFO: Announced 32-bit process name: Client-built.exe pid: 4020
2020-10-18 06:35:06,203 [lib.api.process] INFO: Monitor config for process 4020: C:\tmp2ssujfce\dll\4020.ini
2020-10-18 06:35:06,218 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:06,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:06,281 [root] DEBUG: Loader: Injecting process 4020 (thread 3536) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,281 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:06,312 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:06,328 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,390 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4020, ImageBase: 0x00120000
2020-10-18 06:35:06,406 [root] INFO: Announced 32-bit process name: Client-built.exe pid: 4020
2020-10-18 06:35:06,406 [lib.api.process] INFO: Monitor config for process 4020: C:\tmp2ssujfce\dll\4020.ini
2020-10-18 06:35:06,406 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:06,531 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:06,531 [root] DEBUG: Loader: Injecting process 4020 (thread 3536) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,546 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:06,546 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:06,546 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,609 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:06,625 [root] INFO: Announced 32-bit process name: Bin.exe pid: 4608
2020-10-18 06:35:06,625 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:06,625 [lib.api.process] INFO: Monitor config for process 4608: C:\tmp2ssujfce\dll\4608.ini
2020-10-18 06:35:06,640 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:06,640 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4020 at 0x6fa40000, image base 0x120000, stack from 0x396000-0x3a0000
2020-10-18 06:35:06,640 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Client-built.exe"
2020-10-18 06:35:06,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:06,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:06,703 [root] INFO: Loaded monitor into process with pid 4020
2020-10-18 06:35:06,703 [root] DEBUG: Loader: Injecting process 4608 (thread 3516) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,703 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:35:06,718 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:06,718 [root] DEBUG: DumpPEsInRange: Scanning range 0x90000 - 0x91000.
2020-10-18 06:35:06,718 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:06,718 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x90000-0x91000.
2020-10-18 06:35:06,734 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,781 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4608, ImageBase: 0x00200000
2020-10-18 06:35:06,796 [root] INFO: Announced 32-bit process name: Bin.exe pid: 4608
2020-10-18 06:35:06,796 [lib.api.process] INFO: Monitor config for process 4608: C:\tmp2ssujfce\dll\4608.ini
2020-10-18 06:35:06,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:06,796 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4020_26917562465513180102020 (size 0x12c)
2020-10-18 06:35:06,812 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00090000, size 0x1000.
2020-10-18 06:35:06,812 [root] DEBUG: DLL loaded at 0x03740000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:35:06,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:06,812 [root] DEBUG: Loader: Injecting process 4608 (thread 3516) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,828 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:35:06,828 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:06,828 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:35:06,828 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:06,828 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:06,843 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:35:06,843 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:35:06,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x3bc and local view 0x096F0000 to global list.
2020-10-18 06:35:06,890 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:06,890 [root] DEBUG: DLL unloaded from 0x03740000.
2020-10-18 06:35:06,906 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:06,906 [root] DEBUG: set_caller_info: Adding region at 0x002A0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:35:06,921 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:06,921 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x3a0000.
2020-10-18 06:35:06,921 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4608 at 0x6fa40000, image base 0x200000, stack from 0x166000-0x170000
2020-10-18 06:35:06,921 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x2a0000
2020-10-18 06:35:06,921 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2a0000
2020-10-18 06:35:06,937 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Bin.exe"
2020-10-18 06:35:06,968 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x002A0000 size 0x100000.
2020-10-18 06:35:07,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6BD20000 for section view with handle 0xe0.
2020-10-18 06:35:07,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00180000 to global list.
2020-10-18 06:35:07,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x001D0000 to global list.
2020-10-18 06:35:07,156 [root] DEBUG: DLL loaded at 0x6BD20000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-10-18 06:35:07,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 and local view 0x05DA0000 to global list.
2020-10-18 06:35:07,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x6C2E0000 to global list.
2020-10-18 06:35:07,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6FB60000 for section view with handle 0xe4.
2020-10-18 06:35:07,187 [root] DEBUG: DLL loaded at 0x6C2E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:35:07,187 [root] DEBUG: DLL loaded at 0x6FB60000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-10-18 06:35:07,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec and local view 0x004B0000 to global list.
2020-10-18 06:35:07,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d4 and local view 0x72F20000 to global list.
2020-10-18 06:35:07,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 and local view 0x004C0000 to global list.
2020-10-18 06:35:07,249 [root] DEBUG: DLL loaded at 0x72F20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:35:07,249 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:35:07,281 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 and local view 0x70900000 to global list.
2020-10-18 06:35:07,281 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:35:07,312 [root] DEBUG: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:35:07,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 and local view 0x70090000 to global list.
2020-10-18 06:35:07,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 and local view 0x6A260000 to global list.
2020-10-18 06:35:07,343 [root] DEBUG: DLL loaded at 0x70090000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:35:07,359 [root] DEBUG: DLL loaded at 0x6A260000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-10-18 06:35:07,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 and local view 0x6DD00000 to global list.
2020-10-18 06:35:07,375 [root] DEBUG: DLL loaded at 0x6DD00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:35:07,375 [root] DEBUG: DLL unloaded from 0x75E90000.
2020-10-18 06:35:07,390 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (kernel32::SetErrorMode).
2020-10-18 06:35:07,390 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:07,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x430000 - 0x470000.
2020-10-18 06:35:07,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e0000 - 0x4f0000.
2020-10-18 06:35:07,390 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x430fc1
2020-10-18 06:35:07,390 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x4e0fc1
2020-10-18 06:35:07,390 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x470000
2020-10-18 06:35:07,406 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x4f0000
2020-10-18 06:35:07,406 [root] DEBUG: DumpMemory: Nothing to dump at 0x00430000!
2020-10-18 06:35:07,406 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00430000 size 0x40000.
2020-10-18 06:35:07,406 [root] DEBUG: DumpMemory: Nothing to dump at 0x004E0000!
2020-10-18 06:35:07,421 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004E0000 size 0x10000.
2020-10-18 06:35:07,453 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4608_30216149275513180102020 (size 0xfff)
2020-10-18 06:35:07,453 [root] DEBUG: DumpRegion: Dumped region at 0x00430000, size 0x1000.
2020-10-18 06:35:07,468 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x00540000 to global list.
2020-10-18 06:35:07,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x01C90000 for section view with handle 0x1c4.
2020-10-18 06:35:07,531 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4020_2112694891275513180102020 (size 0x4c6)
2020-10-18 06:35:07,531 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-10-18 06:35:07,546 [root] DEBUG: DLL loaded at 0x69AB0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-10-18 06:35:07,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 and local view 0x6B820000 to global list.
2020-10-18 06:35:07,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D930000 for section view with handle 0x1d0.
2020-10-18 06:35:07,562 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:35:07,562 [root] DEBUG: DLL loaded at 0x6D930000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-10-18 06:35:07,578 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 and local view 0x72FE0000 to global list.
2020-10-18 06:35:07,593 [root] DEBUG: DLL loaded at 0x72FE0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-10-18 06:35:07,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06520000 for section view with handle 0x238.
2020-10-18 06:35:07,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68ED0000 for section view with handle 0x1d0.
2020-10-18 06:35:07,593 [root] DEBUG: DLL loaded at 0x68ED0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-10-18 06:35:07,609 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-10-18 06:35:07,625 [root] DEBUG: set_caller_info: Adding region at 0x001F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:07,625 [root] DEBUG: DumpPEsInRange: Scanning range 0x1f0000 - 0x200000.
2020-10-18 06:35:07,640 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x1f0fc1
2020-10-18 06:35:07,640 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x200000
2020-10-18 06:35:07,640 [root] DEBUG: DumpMemory: Nothing to dump at 0x001F0000!
2020-10-18 06:35:07,640 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x001F0000 size 0x10000.
2020-10-18 06:35:07,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D8D0000 for section view with handle 0x1d0.
2020-10-18 06:35:07,656 [root] DEBUG: DLL loaded at 0x6D8D0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-10-18 06:35:07,671 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4020_1851616896275513180102020 (size 0x5b7)
2020-10-18 06:35:07,671 [root] DEBUG: DumpRegion: Dumped region at 0x001FD000, size 0x1000.
2020-10-18 06:35:07,687 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:35:07,687 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:35:07,718 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:35:07,796 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d8 and local view 0x6D730000 to global list.
2020-10-18 06:35:07,812 [root] DEBUG: DLL loaded at 0x6D730000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-10-18 06:35:07,875 [root] DEBUG: set_caller_info: Adding region at 0x01CC0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-10-18 06:35:08,031 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:08,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e0000 - 0x4f0000.
2020-10-18 06:35:08,062 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x4e0000
2020-10-18 06:35:08,109 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x4f0000
2020-10-18 06:35:08,171 [root] DEBUG: DumpMemory: Nothing to dump at 0x004E0000!
2020-10-18 06:35:08,484 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4608_95175526885513180102020 (size 0x9b0)
2020-10-18 06:35:09,468 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-10-18 06:35:09,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e4 and local view 0x6B850000 to global list.
2020-10-18 06:35:09,968 [root] DEBUG: api-rate-cap: CryptHashData hook disabled.
2020-10-18 06:35:14,296 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:35:14,343 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-10-18 06:35:15,640 [root] DEBUG: set_caller_info: Adding region at 0x01D40000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-10-18 06:35:15,687 [root] DEBUG: DLL loaded at 0x73010000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-10-18 06:35:15,750 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\run.dat
2020-10-18 06:35:15,953 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 and local view 0x031D0000 to global list.
2020-10-18 06:35:16,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x25c and local view 0x73000000 to global list.
2020-10-18 06:35:16,531 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-10-18 06:35:16,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x28c and local view 0x03240000 to global list.
2020-10-18 06:35:16,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x294 and local view 0x03360000 to global list.
2020-10-18 06:35:16,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03230000 for section view with handle 0x28c.
2020-10-18 06:35:17,140 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-10-18 06:35:17,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68990000 for section view with handle 0x2d4.
2020-10-18 06:35:17,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f8 and local view 0x03380000 to global list.
2020-10-18 06:35:20,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x254 and local view 0x6F220000 to global list.
2020-10-18 06:35:20,968 [root] DEBUG: DLL loaded at 0x6F220000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:35:21,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6BAF0000 for section view with handle 0x254.
2020-10-18 06:35:21,125 [root] DEBUG: DLL loaded at 0x6BAF0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-10-18 06:35:21,312 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:35:21,312 [root] DEBUG: DLL loaded at 0x72FC0000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-10-18 06:35:21,375 [root] DEBUG: DLL loaded at 0x6BA80000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-10-18 06:35:21,375 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-10-18 06:35:21,406 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-10-18 06:35:21,437 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:35:21,515 [root] DEBUG: DLL loaded at 0x73000000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-10-18 06:35:21,531 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2fc and local view 0x702E0000 to global list.
2020-10-18 06:35:21,578 [root] DEBUG: DLL loaded at 0x702E0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-10-18 06:35:21,625 [root] INFO: Stopping WMI Service
2020-10-18 06:35:29,375 [root] INFO: Stopped WMI Service
2020-10-18 06:35:29,906 [lib.api.process] INFO: Monitor config for process 592: C:\tmp2ssujfce\dll\592.ini
2020-10-18 06:35:29,921 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp2ssujfce\dll\FnvGBiY.dll, loader C:\tmp2ssujfce\bin\gqrrIeUZ.exe
2020-10-18 06:35:29,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:29,953 [root] DEBUG: Loader: Injecting process 592 (thread 0) with C:\tmp2ssujfce\dll\FnvGBiY.dll.
2020-10-18 06:35:29,953 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-10-18 06:35:29,968 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-10-18 06:35:29,968 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-10-18 06:35:30,000 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:30,015 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:30,031 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:30,031 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 592 at 0x000007FEF1970000, image base 0x00000000FFEF0000, stack from 0x0000000001626000-0x0000000001630000
2020-10-18 06:35:30,046 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch
2020-10-18 06:35:30,109 [root] WARNING: b'Unable to place hook on LockResource'
2020-10-18 06:35:30,109 [root] WARNING: b'Unable to hook LockResource'
2020-10-18 06:35:30,171 [root] INFO: Loaded monitor into process with pid 592
2020-10-18 06:35:30,171 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-10-18 06:35:30,171 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-10-18 06:35:30,171 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\FnvGBiY.dll.
2020-10-18 06:35:30,171 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 592
2020-10-18 06:35:32,203 [root] INFO: Starting WMI Service
2020-10-18 06:35:32,312 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3160, handle 0x5b8.
2020-10-18 06:35:32,390 [root] INFO: Started WMI Service
2020-10-18 06:35:32,421 [lib.api.process] INFO: Monitor config for process 3160: C:\tmp2ssujfce\dll\3160.ini
2020-10-18 06:35:32,468 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp2ssujfce\dll\FnvGBiY.dll, loader C:\tmp2ssujfce\bin\gqrrIeUZ.exe
2020-10-18 06:35:32,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:32,500 [root] DEBUG: Loader: Injecting process 3160 (thread 0) with C:\tmp2ssujfce\dll\FnvGBiY.dll.
2020-10-18 06:35:32,500 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-10-18 06:35:32,500 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-10-18 06:35:32,515 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:32,531 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:32,531 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:32,562 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3160 at 0x000007FEF1970000, image base 0x00000000FFEF0000, stack from 0x0000000000C96000-0x0000000000CA0000
2020-10-18 06:35:32,562 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs
2020-10-18 06:35:32,640 [root] WARNING: b'Unable to place hook on LockResource'
2020-10-18 06:35:32,640 [root] WARNING: b'Unable to hook LockResource'
2020-10-18 06:35:32,656 [root] INFO: Loaded monitor into process with pid 3160
2020-10-18 06:35:32,671 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-10-18 06:35:32,718 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-10-18 06:35:32,718 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\FnvGBiY.dll.
2020-10-18 06:35:32,734 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3160
2020-10-18 06:35:34,921 [root] DEBUG: DLL unloaded from 0x00120000.
2020-10-18 06:35:34,921 [root] DEBUG: DLL unloaded from 0x6BAF0000.
2020-10-18 06:35:35,062 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
2020-10-18 06:35:35,078 [root] DEBUG: DLL loaded at 0x6FC00000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:35:35,093 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:35:35,109 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:35:35,109 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:35:35,140 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:35:35,218 [root] DEBUG: DLL loaded at 0x70590000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-10-18 06:35:35,234 [root] DEBUG: DLL loaded at 0x75B90000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-10-18 06:35:35,234 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,249 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,249 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:35:35,249 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,265 [root] DEBUG: DLL loaded at 0x76EE0000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-10-18 06:35:35,281 [root] DEBUG: DLL loaded at 0x767F0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-10-18 06:35:35,296 [root] DEBUG: DLL loaded at 0x766F0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-10-18 06:35:35,296 [root] DEBUG: DLL loaded at 0x76BA0000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-10-18 06:35:35,343 [root] DEBUG: DLL loaded at 0x75CC0000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-10-18 06:35:35,343 [root] DEBUG: DLL loaded at 0x73230000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-10-18 06:35:35,343 [root] DEBUG: DLL loaded at 0x76800000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-10-18 06:35:35,359 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-10-18 06:35:35,375 [root] DEBUG: DLL loaded at 0x76EC0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-10-18 06:35:35,375 [root] DEBUG: DLL loaded at 0x72DF0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-10-18 06:35:35,437 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3276
2020-10-18 06:35:35,437 [lib.api.process] INFO: Monitor config for process 3276: C:\tmp2ssujfce\dll\3276.ini
2020-10-18 06:35:35,453 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-10-18 06:35:35,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:35,484 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:35,500 [root] DEBUG: Loader: Injecting process 3276 (thread 3032) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,515 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:35,515 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,531 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat" .
2020-10-18 06:35:35,531 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3276, ImageBase: 0x4A9F0000
2020-10-18 06:35:35,546 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3276
2020-10-18 06:35:35,546 [lib.api.process] INFO: Monitor config for process 3276: C:\tmp2ssujfce\dll\3276.ini
2020-10-18 06:35:35,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:35,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:35,625 [root] DEBUG: Loader: Injecting process 3276 (thread 3032) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,656 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:35,656 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:35,718 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:35,734 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4020
2020-10-18 06:35:35,734 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:35,734 [root] DEBUG: GetHookCallerBase: thread 3536 (handle 0x0), return address 0x004E4CD6, allocation base 0x004E0000.
2020-10-18 06:35:35,750 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00120000.
2020-10-18 06:35:35,765 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00122000
2020-10-18 06:35:35,765 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:35,765 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:35,796 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:35,812 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00120000.
2020-10-18 06:35:35,812 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3276 at 0x6fa40000, image base 0x4a9f0000, stack from 0x1f3000-0x2f0000
2020-10-18 06:35:35,828 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00177000 to 0x00177200).
2020-10-18 06:35:35,828 [root] DEBUG: Commandline: C:\Windows\System32\cmd.exe \c ""C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat" "
2020-10-18 06:35:35,875 [root] INFO: Loaded monitor into process with pid 3276
2020-10-18 06:35:35,875 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:35,875 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00120000, dumping memory region.
2020-10-18 06:35:35,906 [root] DEBUG: DLL unloaded from 0x6FC00000.
2020-10-18 06:35:35,906 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:35:35,921 [root] DEBUG: DLL unloaded from 0x74380000.
2020-10-18 06:35:35,921 [root] DEBUG: DLL unloaded from 0x72670000.
2020-10-18 06:35:35,921 [root] DEBUG: DLL unloaded from 0x72D60000.
2020-10-18 06:35:35,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec and local view 0x03A10000 to global list.
2020-10-18 06:35:35,937 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4020
2020-10-18 06:35:35,953 [root] DEBUG: GetHookCallerBase: thread 3536 (handle 0x0), return address 0x004E4CD6, allocation base 0x004E0000.
2020-10-18 06:35:35,953 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00120000.
2020-10-18 06:35:35,968 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00122000
2020-10-18 06:35:35,968 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:35:35,984 [root] INFO: Announced 32-bit process name: chcp.com pid: 4768
2020-10-18 06:35:35,984 [lib.api.process] INFO: Monitor config for process 4768: C:\tmp2ssujfce\dll\4768.ini
2020-10-18 06:35:35,984 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00120000.
2020-10-18 06:35:36,015 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00177000 to 0x00177200).
2020-10-18 06:35:36,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:36,031 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-10-18 06:35:36,046 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00120000, dumping memory region.
2020-10-18 06:35:36,046 [root] INFO: Process with pid 4020 has terminated
2020-10-18 06:35:36,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:36,093 [root] DEBUG: Loader: Injecting process 4768 (thread 2928) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,093 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,093 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:36,109 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,125 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:35:36,156 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4768, ImageBase: 0x005D0000
2020-10-18 06:35:36,171 [root] INFO: Announced 32-bit process name: chcp.com pid: 4768
2020-10-18 06:35:36,171 [lib.api.process] INFO: Monitor config for process 4768: C:\tmp2ssujfce\dll\4768.ini
2020-10-18 06:35:36,187 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:36,218 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:36,218 [root] DEBUG: Loader: Injecting process 4768 (thread 2928) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,234 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,249 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:36,249 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,296 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:36,312 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:36,328 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:36,343 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:36,343 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4768 at 0x6fa40000, image base 0x5d0000, stack from 0xb6000-0xc0000
2020-10-18 06:35:36,343 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\chcp  65001
2020-10-18 06:35:36,390 [root] INFO: Loaded monitor into process with pid 4768
2020-10-18 06:35:36,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x004D0000 to global list.
2020-10-18 06:35:36,578 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 4768
2020-10-18 06:35:36,578 [root] DEBUG: GetHookCallerBase: thread 2928 (handle 0x0), return address 0x005D1796, allocation base 0x005D0000.
2020-10-18 06:35:36,578 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x005D0000.
2020-10-18 06:35:36,578 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:35:36,578 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x005D0000.
2020-10-18 06:35:36,578 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001AB3.
2020-10-18 06:35:36,671 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2e00.
2020-10-18 06:35:36,687 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:35:36,703 [root] INFO: Process with pid 4768 has terminated
2020-10-18 06:35:36,765 [root] INFO: Announced 32-bit process name: PING.EXE pid: 2984
2020-10-18 06:35:36,765 [lib.api.process] INFO: Monitor config for process 2984: C:\tmp2ssujfce\dll\2984.ini
2020-10-18 06:35:36,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:36,859 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:36,859 [root] DEBUG: Loader: Injecting process 2984 (thread 3424) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:36,875 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:35:36,906 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:37,000 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2984, ImageBase: 0x00810000
2020-10-18 06:35:37,015 [root] INFO: Announced 32-bit process name: PING.EXE pid: 2984
2020-10-18 06:35:37,015 [lib.api.process] INFO: Monitor config for process 2984: C:\tmp2ssujfce\dll\2984.ini
2020-10-18 06:35:37,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:37,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:37,062 [root] DEBUG: Loader: Injecting process 2984 (thread 3424) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:37,078 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:37,078 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:35:37,078 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:37,093 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:37,109 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:35:37,125 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:37,125 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:35:37,140 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2984 at 0x6fa40000, image base 0x810000, stack from 0x1f6000-0x200000
2020-10-18 06:35:37,140 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\ping  -n 10 localhost
2020-10-18 06:35:37,187 [root] INFO: Loaded monitor into process with pid 2984
2020-10-18 06:35:37,203 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-10-18 06:35:37,203 [root] DEBUG: DLL loaded at 0x746C0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-10-18 06:35:37,218 [root] DEBUG: DLL loaded at 0x72DE0000: C:\Windows\System32\wship6 (0x6000 bytes).
2020-10-18 06:35:37,218 [root] DEBUG: DLL loaded at 0x70250000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2020-10-18 06:35:37,218 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2020-10-18 06:35:37,234 [root] DEBUG: DLL loaded at 0x739D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 06:35:37,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x138 and local view 0x00120000 to global list.
2020-10-18 06:35:41,640 [root] DEBUG: DLL loaded at 0x70230000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-10-18 06:35:46,296 [root] DEBUG: DLL unloaded from 0x72DE0000.
2020-10-18 06:35:46,296 [root] DEBUG: DLL unloaded from 0x746C0000.
2020-10-18 06:35:46,328 [root] DEBUG: DLL unloaded from 0x74490000.
2020-10-18 06:35:46,328 [root] DEBUG: DLL unloaded from 0x739D0000.
2020-10-18 06:35:46,343 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2984
2020-10-18 06:35:46,375 [root] DEBUG: GetHookCallerBase: thread 3424 (handle 0x0), return address 0x00811B2A, allocation base 0x00810000.
2020-10-18 06:35:46,375 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00810000.
2020-10-18 06:35:46,375 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:35:46,375 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00810000.
2020-10-18 06:35:46,375 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002AA7.
2020-10-18 06:35:46,468 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5200.
2020-10-18 06:35:46,468 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:35:46,484 [root] INFO: Process with pid 2984 has terminated
2020-10-18 06:35:46,531 [root] INFO: Announced 32-bit process name: Client-built.exe pid: 4304
2020-10-18 06:35:46,546 [lib.api.process] INFO: Monitor config for process 4304: C:\tmp2ssujfce\dll\4304.ini
2020-10-18 06:35:46,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:46,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:46,609 [root] DEBUG: Loader: Injecting process 4304 (thread 552) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:46,609 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:46,609 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:46,625 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:46,671 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4304, ImageBase: 0x00D60000
2020-10-18 06:35:46,703 [root] INFO: Announced 32-bit process name: Client-built.exe pid: 4304
2020-10-18 06:35:46,703 [lib.api.process] INFO: Monitor config for process 4304: C:\tmp2ssujfce\dll\4304.ini
2020-10-18 06:35:46,734 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\bLiGXeBZ.dll, loader C:\tmp2ssujfce\bin\IhQjSKQ.exe
2020-10-18 06:35:46,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JLwAznp.
2020-10-18 06:35:46,750 [root] DEBUG: Loader: Injecting process 4304 (thread 552) with C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:46,750 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-10-18 06:35:46,765 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-10-18 06:35:46,765 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\bLiGXeBZ.dll.
2020-10-18 06:35:46,765 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4304.
2020-10-18 06:35:46,796 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:35:46,812 [root] INFO: Disabling sleep skipping.
2020-10-18 06:35:46,812 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4304 at 0x6fa40000, image base 0xd60000, stack from 0x406000-0x410000
2020-10-18 06:35:46,812 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 and local view 0x000A0000 to global list.
2020-10-18 06:35:46,828 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\Client-built.exe"
2020-10-18 06:35:46,859 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3276
2020-10-18 06:35:46,875 [root] INFO: Loaded monitor into process with pid 4304
2020-10-18 06:35:46,875 [root] DEBUG: GetHookCallerBase: thread 3032 (handle 0x0), return address 0x4A9F7302, allocation base 0x4A9F0000.
2020-10-18 06:35:46,875 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-10-18 06:35:46,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x90000 - 0x91000.
2020-10-18 06:35:46,875 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A9F0000.
2020-10-18 06:35:46,890 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x90000-0x91000.
2020-10-18 06:35:46,906 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:35:46,906 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A9F0000.
2020-10-18 06:35:46,921 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-10-18 06:35:46,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4304_1464945530465513180102020 (size 0x12c)
2020-10-18 06:35:46,984 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-10-18 06:35:46,984 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00090000, size 0x1000.
2020-10-18 06:35:47,000 [root] DEBUG: DLL unloaded from 0x76680000.
2020-10-18 06:35:47,000 [root] DEBUG: DLL loaded at 0x038B0000: C:\tmp2ssujfce\dll\bLiGXeBZ (0xd6000 bytes).
2020-10-18 06:35:47,000 [root] INFO: Process with pid 3276 has terminated
2020-10-18 06:35:47,015 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:35:47,031 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:35:47,046 [root] DEBUG: DLL unloaded from 0x73580000.
2020-10-18 06:35:47,046 [root] DEBUG: DLL unloaded from 0x762E0000.
2020-10-18 06:35:47,062 [root] DEBUG: DLL unloaded from 0x038B0000.
2020-10-18 06:35:47,093 [root] DEBUG: set_caller_info: Adding region at 0x00310000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-10-18 06:35:47,109 [root] DEBUG: DumpPEsInRange: Scanning range 0x310000 - 0x410000.
2020-10-18 06:35:47,125 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x310000
2020-10-18 06:35:47,140 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x310000
2020-10-18 06:35:47,140 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00310000 size 0x100000.
2020-10-18 06:35:47,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4304_1621189072475513180102020 (size 0xfdc)
2020-10-18 06:35:47,234 [root] DEBUG: DumpRegion: Dumped region at 0x0040F000, size 0x1000.
2020-10-18 06:35:47,234 [root] DEBUG: set_caller_info: Adding region at 0x02240000 to caller regions list (advapi32::RegOpenKeyExW).
2020-10-18 06:35:47,312 [root] DEBUG: DumpPEsInRange: Scanning range 0x2240000 - 0x2640000.
2020-10-18 06:35:47,328 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x2240000
2020-10-18 06:35:47,343 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02240000 size 0x400000.
2020-10-18 06:35:47,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4304_149501238475513180102020 (size 0x1a41)
2020-10-18 06:35:47,437 [root] DEBUG: DumpRegion: Dumped region at 0x025FD000, size 0x10000.
2020-10-18 06:35:47,453 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x72D60000 to global list.
2020-10-18 06:35:47,531 [root] DEBUG: DLL loaded at 0x72D60000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-10-18 06:35:47,531 [root] DEBUG: DLL unloaded from 0x760C0000.
2020-10-18 06:35:47,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe4 and local view 0x00180000 to global list.
2020-10-18 06:35:47,562 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 and local view 0x00180000 to global list.
2020-10-18 06:35:47,578 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-10-18 06:35:47,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 and local view 0x00120000 to global list.
2020-10-18 06:35:47,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c and local view 0x00130000 to global list.
2020-10-18 06:35:47,671 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x05FC0000 to global list.
2020-10-18 06:35:47,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c8 and local view 0x6C2E0000 to global list.
2020-10-18 06:35:47,687 [root] DEBUG: DLL loaded at 0x6C2E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-10-18 06:35:47,703 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 and local view 0x72F20000 to global list.
2020-10-18 06:35:47,718 [root] DEBUG: DLL loaded at 0x72F20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-10-18 06:35:47,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c and local view 0x70900000 to global list.
2020-10-18 06:35:47,734 [root] DEBUG: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-10-18 06:35:47,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70090000 for section view with handle 0x21c.
2020-10-18 06:35:47,765 [root] DEBUG: DLL loaded at 0x70090000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-10-18 06:35:47,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 and local view 0x6DD00000 to global list.
2020-10-18 06:35:47,781 [root] DEBUG: DLL loaded at 0x6DD00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-10-18 06:35:47,781 [root] DEBUG: set_caller_info: Adding region at 0x00280000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-10-18 06:35:47,796 [root] DEBUG: DumpPEsInRange: Scanning range 0x280000 - 0x290000.
2020-10-18 06:35:47,796 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x280fc1
2020-10-18 06:35:47,796 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x290000
2020-10-18 06:35:47,796 [root] DEBUG: DumpMemory: Nothing to dump at 0x00280000!
2020-10-18 06:35:47,796 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00280000 size 0x10000.
2020-10-18 06:35:47,843 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4304_40808506875613180102020 (size 0x4c6)
2020-10-18 06:35:47,843 [root] DEBUG: DumpRegion: Dumped region at 0x00280000, size 0x1000.
2020-10-18 06:35:47,843 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-10-18 06:35:47,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x224 and local view 0x68490000 to global list.
2020-10-18 06:35:47,875 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-10-18 06:35:47,906 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-10-18 06:35:47,968 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-10-18 06:35:49,171 [root] DEBUG: api-rate-cap: CryptHashData hook disabled.
2020-10-18 06:35:56,015 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x340 and local view 0x06D80000 to global list.
2020-10-18 06:36:00,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 and local view 0x6F220000 to global list.
2020-10-18 06:36:00,125 [root] DEBUG: DLL loaded at 0x6F220000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-10-18 06:36:00,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B9C0000 for section view with handle 0x258.
2020-10-18 06:36:00,140 [root] DEBUG: DLL loaded at 0x6B9C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni (0x123000 bytes).
2020-10-18 06:36:00,171 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-10-18 06:36:00,171 [root] DEBUG: DLL loaded at 0x6BBB0000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-10-18 06:36:00,187 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-10-18 06:36:00,203 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-10-18 06:36:00,218 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4304, handle 0x5ec.
2020-10-18 06:36:00,234 [root] DEBUG: DLL loaded at 0x74340000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-10-18 06:36:00,234 [root] DEBUG: DLL loaded at 0x72FD0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-10-18 06:36:00,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2fc and local view 0x6FE80000 to global list.
2020-10-18 06:36:00,265 [root] DEBUG: DLL loaded at 0x6FE80000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils (0x21000 bytes).
2020-10-18 06:36:00,328 [root] DEBUG: DLL unloaded from 0x00D60000.
2020-10-18 06:36:00,375 [root] DEBUG: DLL unloaded from 0x6B9C0000.
2020-10-18 06:36:00,390 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
2020-10-18 06:36:00,390 [root] DEBUG: DLL loaded at 0x6FC00000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-10-18 06:36:00,390 [root] DEBUG: DLL loaded at 0x73A10000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-10-18 06:36:00,406 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-10-18 06:36:00,421 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-10-18 06:36:00,453 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:36:00,593 [root] DEBUG: DLL loaded at 0x70590000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-10-18 06:36:00,625 [root] DEBUG: DLL loaded at 0x76EB0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-10-18 06:36:00,625 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-10-18 06:36:00,640 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-10-18 06:36:00,671 [root] DEBUG: DLL loaded at 0x76E40000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-10-18 06:36:00,812 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-10-18 06:36:02,421 [root] DEBUG: DLL loaded at 0x000007FEF6880000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-10-18 06:36:02,421 [root] DEBUG: DLL loaded at 0x000007FEFADD0000: C:\Windows\system32\ATL (0x19000 bytes).
2020-10-18 06:36:02,437 [root] DEBUG: DLL loaded at 0x000007FEF67F0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-10-18 06:36:02,562 [root] DEBUG: DLL loaded at 0x000007FEFA570000: C:\Windows\system32\samcli (0x14000 bytes).
2020-10-18 06:36:02,562 [root] DEBUG: DLL loaded at 0x000007FEFB560000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-10-18 06:36:02,609 [root] DEBUG: DLL loaded at 0x000007FEFB590000: C:\Windows\system32\netutils (0xc000 bytes).
2020-10-18 06:36:02,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b0 and local view 0x0000000000BA0000 to global list.
2020-10-18 06:36:02,656 [root] DEBUG: DLL unloaded from 0x000007FEF67F0000.
2020-10-18 06:36:12,218 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2904, handle 0x5ec.
2020-10-18 06:36:13,453 [root] DEBUG: DLL loaded at 0x739D0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2020-10-18 06:36:13,484 [root] DEBUG: set_caller_info: Adding region at 0x004F0000 to caller regions list (mswsock::ConnectEx).
2020-10-18 06:36:13,531 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x500000.
2020-10-18 06:36:13,531 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x4fafc1
2020-10-18 06:36:13,562 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x500000
2020-10-18 06:36:13,562 [root] DEBUG: DumpMemory: Nothing to dump at 0x004F0000!
2020-10-18 06:36:13,562 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004F0000 size 0x10000.
2020-10-18 06:36:13,625 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\BRuQIh\CAPE\4608_2826474413440191102020 (size 0xd10)
2020-10-18 06:36:13,625 [root] DEBUG: DumpRegion: Dumped region at 0x004FA000, size 0x1000.
2020-10-18 06:36:13,828 [root] DEBUG: set_caller_info: Adding region at 0x034A0000 to caller regions list (cryptsp::CryptEncrypt).
2020-10-18 06:36:13,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x34a0000 - 0x34b0000.
2020-10-18 06:36:13,843 [root] DEBUG: ScanForDisguisedPE: Exception occurred scanning buffer at 0x34a0fc1
2020-10-18 06:36:13,875 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x34b0000
2020-10-18 06:36:13,921 [root] DEBUG: DumpMemory: Nothing to dump at 0x034A0000!
2020-10-18 06:36:25,000 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3520, handle 0x4d8.
2020-10-18 06:36:28,484 [root] DEBUG: api-rate-cap: NtSetTimer hook disabled.
2020-10-18 06:36:32,359 [root] DEBUG: DLL unloaded from 0x000007FEFD5B0000.
2020-10-18 06:36:36,796 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4352, handle 0x5ec.
2020-10-18 06:36:43,500 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:36:43,515 [lib.api.process] INFO: Terminate event set for process 2396
2020-10-18 06:36:43,515 [root] DEBUG: Terminate Event: Attempting to dump process 2396
2020-10-18 06:36:43,531 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 06:36:43,546 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:36:43,546 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-10-18 06:36:43,562 [root] DEBUG: DumpProcess: Error - entry point too big: 0x72f37cef, ignoring.
2020-10-18 06:36:43,656 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3c00.
2020-10-18 06:36:43,671 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2396
2020-10-18 06:36:43,687 [lib.api.process] INFO: Termination confirmed for process 2396
2020-10-18 06:36:43,687 [root] INFO: Terminate event set for process 2396.
2020-10-18 06:36:43,687 [lib.api.process] INFO: Terminate event set for process 592
2020-10-18 06:36:43,687 [root] DEBUG: Terminate Event: Attempting to dump process 592
2020-10-18 06:36:43,703 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFEF0000.
2020-10-18 06:36:43,703 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:36:43,703 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFEF0000.
2020-10-18 06:36:43,718 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-10-18 06:36:43,796 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-10-18 06:36:43,812 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 592
2020-10-18 06:36:43,812 [lib.api.process] INFO: Termination confirmed for process 592
2020-10-18 06:36:43,812 [root] INFO: Terminate event set for process 592.
2020-10-18 06:36:43,812 [lib.api.process] INFO: Terminate event set for process 3160
2020-10-18 06:36:43,812 [root] DEBUG: Terminate Event: Attempting to dump process 3160
2020-10-18 06:36:43,828 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFEF0000.
2020-10-18 06:36:43,843 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:36:43,843 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFEF0000.
2020-10-18 06:36:43,843 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-10-18 06:36:43,921 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-10-18 06:36:43,937 [lib.api.process] INFO: Termination confirmed for process 3160
2020-10-18 06:36:43,937 [root] INFO: Terminate event set for process 3160.
2020-10-18 06:36:43,937 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3160
2020-10-18 06:36:43,937 [lib.api.process] ERROR: Failed to open terminate event for pid 4304
2020-10-18 06:36:43,937 [root] INFO: Terminate event set for process 4304.
2020-10-18 06:36:43,953 [root] INFO: Created shutdown mutex.
2020-10-18 06:36:44,968 [root] INFO: Shutting down package.
2020-10-18 06:36:44,968 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:36:45,218 [lib.common.results] WARNING: File C:\BRuQIh\bin\procmon.xml doesn't exist anymore
2020-10-18 06:36:45,234 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:36:45,265 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:36:45,609 [root] WARNING: File at path 'c:\\users\\louise\\appdata\\local\\temp\\excwvxnlndy0.bat' does not exist, skip.
2020-10-18 06:36:45,609 [root] WARNING: File at path 'c:\\users\\louise\\appdata\\local\\temp\\8ipk152kxlhe.bat' does not exist, skip.
2020-10-18 06:36:45,625 [root] WARNING: Folder at path "C:\BRuQIh\debugger" does not exist, skip.
2020-10-18 06:36:45,640 [root] WARNING: Monitor injection attempted but failed for process 4608.
2020-10-18 06:36:45,640 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_1 win7x64_5 KVM 2020-10-18 06:33:06 2020-10-18 06:39:14

File Details

File Name Invoices 073.exe
File Size 1201152 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2059-08-08 12:46:02
MD5 73001776630fb357ae9f8927e3630d58
SHA1 43872ed3bc2d020e102cb8da8944796cb7254a4b
SHA256 572c44582bd57e673a2fffa68259bd82cf37b9f95030e2d8906b588e71d808e0
SHA512 80e59180e4ef54813bec8724a1278d8b9a2d854f25ba7eec9453bcf28ddf1b43fa357fd741305a427f8ed03be3be85cec5e489fa3275d27af28500e285ee9649
CRC32 9B1AC7E1
Ssdeep 24576:+D/3dD7Z6dQuYKDnTLjEw3XPAAHq7F51dvqA+mH:+D/3dMdsI/53XbK7Fpq
Download Download ZIP Resubmit sample

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Attempts to connect to a dead IP:Port (1 unique times)
IP: 3.131.207.170:20027 (United States)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2396 trigged the Yara rule 'QuasarRAT'
Hit: PID 2396 trigged the Yara rule 'NanoCore'
Hit: PID 0 trigged the Yara rule 'NanoCore'
Hit: PID 0 trigged the Yara rule 'QuasarRAT'
Hit: PID 2000 trigged the Yara rule 'QuasarRAT'
Hit: PID 2000 trigged the Yara rule 'NanoCore'
Hit: PID 2000 trigged the Yara rule 'embedded_pe'
Hit: PID 2000 trigged the Yara rule 'embedded_win_api'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: KERNEL32.dll/CreateDirectory
DynamicLoader: KERNEL32.dll/CreateDirectoryW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: ADVAPI32.dll/ConvertStringSidToSidW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/GetNamedSecurityInfoW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/GetSecurityDescriptorLength
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: Fdf.dll/_Initialize
DynamicLoader: Fdf.dll/_Initialize
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: Secur32.dll/GetUserNameExW
DynamicLoader: api-ms-win-downlevel-shlwapi-l1-1-0.dll/PathCreateFromUrlW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0.dll/ConvertStringSidToSidW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: AgileDotNetRT.dll/_Initialize
DynamicLoader: AgileDotNetRT.dll/_Initialize
DynamicLoader: clrjit.dll/getJit
DynamicLoader: WINTRUST.DLL/DllCanUnloadNow
DynamicLoader: WINTRUST.DLL/CryptSIPPutSignedDataMsg
DynamicLoader: WINTRUST.DLL/CryptSIPGetSignedDataMsg
DynamicLoader: imagehlp.dll/ImageGetCertificateData
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: KERNEL32.dll/lstrlenA
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryEx
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: gdiplus.dll/GdipGetLogFontW
DynamicLoader: MSCOREE.DLL/ND_WU1
DynamicLoader: mscoreei.dll/ND_WU1_RetAddr
DynamicLoader: mscoreei.dll/ND_WU1
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: GDI32.dll/GetTextExtentPoint32W
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: USER32.dll/SetWindowText
DynamicLoader: USER32.dll/SetWindowTextW
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetLayeredWindowAttributes
DynamicLoader: KERNEL32.dll/GetStartupInfo
DynamicLoader: KERNEL32.dll/GetStartupInfoW
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/GetWindowPlacement
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetWindowTextLength
DynamicLoader: USER32.dll/GetWindowTextLengthW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/RedrawWindow
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/GetModuleHandleA
DynamicLoader: KERNEL32.dll/FindResource
DynamicLoader: KERNEL32.dll/FindResourceA
DynamicLoader: KERNEL32.dll/LoadResource
DynamicLoader: KERNEL32.dll/SizeofResource
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: USER32.dll/SetForegroundWindow
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/SetFocus
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetNearestColor
DynamicLoader: GDI32.dll/CreateSolidBrush
DynamicLoader: USER32.dll/FillRect
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/IsWindowUnicode
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/BeginPaint
DynamicLoader: gdiplus.dll/GdipCreateHalftonePalette
DynamicLoader: GDI32.dll/SelectPalette
DynamicLoader: USER32.dll/EndPaint
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ADVAPI32.dll/CryptAcquireContext
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptDuplicateKey
DynamicLoader: CRYPTSP.dll/CryptDuplicateKey
DynamicLoader: ADVAPI32.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: KERNEL32.dll/ResolveDelayLoadedAPI
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: USER32.dll/GetWindowTextLength
DynamicLoader: USER32.dll/GetWindowTextLengthW
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: KERNEL32.dll/GetStartupInfo
DynamicLoader: KERNEL32.dll/GetStartupInfoW
DynamicLoader: USER32.dll/GetWindowPlacement
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMenu
DynamicLoader: USER32.dll/EnableMenuItem
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowPos
DynamicLoader: USER32.dll/RedrawWindow
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/IsWindowUnicode
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetFocus
DynamicLoader: KERNEL32.dll/GetModuleFileName
DynamicLoader: KERNEL32.dll/GetModuleFileNameW
DynamicLoader: KERNEL32.dll/SetCurrentDirectory
DynamicLoader: KERNEL32.dll/SetCurrentDirectoryW
DynamicLoader: KERNEL32.dll/FindResourceEx
DynamicLoader: KERNEL32.dll/FindResourceExA
DynamicLoader: KERNEL32.dll/LoadResource
DynamicLoader: KERNEL32.dll/SizeofResource
DynamicLoader: KERNEL32.dll/LockResource
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/CreateDirectory
DynamicLoader: KERNEL32.dll/CreateDirectoryW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueEx
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: mscoreei.dll/DllGetClassObject_RetAddr
DynamicLoader: mscoreei.dll/DllGetClassObject
DynamicLoader: diasymreader.dll/DllGetClassObjectInternal
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: KERNEL32.dll/GetSystemInfo
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: USER32.dll/GetKeyboardLayout
DynamicLoader: USER32.dll/GetWindowText
DynamicLoader: USER32.dll/GetWindowTextW
DynamicLoader: USER32.dll/RegisterRawInputDevices
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ws2_32.dll/WSAStartup
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ws2_32.dll/WSASocket
DynamicLoader: ws2_32.dll/WSASocketW
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/WSAEventSelect
DynamicLoader: ws2_32.dll/ioctlsocket
DynamicLoader: ws2_32.dll/closesocket
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptor
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CreateFileMapping
DynamicLoader: KERNEL32.dll/CreateFileMappingW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/MapViewOfFile
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: KERNEL32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: ADVAPI32.dll/CreateWellKnownSidW
DynamicLoader: KERNEL32.dll/WaitForSingleObject
DynamicLoader: KERNEL32.dll/OpenMutex
DynamicLoader: KERNEL32.dll/OpenMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: KERNEL32.dll/GetProcessTimes
DynamicLoader: KERNEL32.dll/GetProcessTimesW
DynamicLoader: ws2_32.dll/inet_addr
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: dnsapi.dll/DnsQuery_A
DynamicLoader: KERNEL32.dll/SetThreadExecutionState
DynamicLoader: ws2_32.dll/getaddrinfo
DynamicLoader: ws2_32.dll/freeaddrinfo
DynamicLoader: KERNEL32.dll/FormatMessage
DynamicLoader: KERNEL32.dll/FormatMessageW
DynamicLoader: MSCOREE.DLL/DllGetClassObject
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/bind
DynamicLoader: ws2_32.dll/WSAIoctl
DynamicLoader: ws2_32.dll/setsockopt
DynamicLoader: ws2_32.dll/getpeername
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ADVAPI32.dll/CryptAcquireContext
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptContextAddRef
DynamicLoader: ADVAPI32.dll/CryptDuplicateKey
DynamicLoader: CRYPTSP.dll/CryptDuplicateKey
DynamicLoader: ADVAPI32.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: KERNEL32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ntdll.dll/EtwUnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
At least one IP Address, Domain, or File Name was found in a crypto call
ioc: u.krµ
ioc: ae.ek
ioc: c.4m0Î
ioc: z.ec
Reads data out of its own binary image
self_read: process: Bin.exe, pid: 4608, offset: 0x00000000, length: 0x00001000
self_read: process: Bin.exe, pid: 4608, offset: 0x000080c2, length: 0x00000200
A process created a hidden window
Process: Client-built.exe -> C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
Process: Client-built.exe -> C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
CAPE extracted potentially suspicious content
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Bin.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: NanoCore Payload: 32-bit executable
Invoices 073.exe: QuasarRAT
Invoices 073.exe: Injected Shellcode/Data
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Injected Shellcode/Data
Invoices 073.exe: NanoCore Payload
Invoices 073.exe: NanoCore
Bin.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Bin.exe: Unpacked Shellcode
Client-built.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Unpacked Shellcode
Invoices 073.exe: Injected Shellcode/Data
Drops a binary and executes it
binary: C:\Users\Louise\AppData\Local\Temp\Bin.exe
binary: C:\Users\Louise\AppData\Local\Temp\Client-built.exe
Multiple direct IP connections
direct_ip_connections: Made direct connections to 6 unique IP addresses
Generates DNS query to online reverse proxy
domain: .*\.ngrok\.io$
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.62, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00124800, virtual_size: 0x00124784
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\Invoices 073.exe
A ping command was executed with the -n argument possibly to delay analysis
command: ping -n 10 localhost
command: C:\Windows\system32\PING.EXE ping -n 10 localhost
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /c ""C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat" "
command: ping -n 10 localhost
command: C:\Windows\system32\PING.EXE ping -n 10 localhost
command: C:\Windows\system32\cmd.exe /c ""C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat" "
Uses Windows utilities for basic functionality
command: C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
command: C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
Behavioural detection: Injection (Process Hollowing)
Injection: Invoices 073.exe(2000) -> Invoices 073.exe(2396)
Executed a process and injected code into it, probably while unpacking
Injection: Invoices 073.exe(2000) -> Invoices 073.exe(2396)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: Client-built.exe (4020) called API CryptCreateHash 301477 times
Spam: Client-built.exe (4304) called API CryptCreateHash 300427 times
Created a process from a suspicious location
File executed: C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe
Commandline executed: "C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe"
File executed: C:\Users\Louise\AppData\Local\Temp\Client-built.exe
Commandline executed: "C:\Users\Louise\AppData\Local\Temp\Client-built.exe"
File executed: C:\Users\Louise\AppData\Local\Temp\Bin.exe
Commandline executed: "C:\Users\Louise\AppData\Local\Temp\Bin.exe"
File executed: C:\Users\Louise\AppData\Local\Temp\Client-built.exe
Commandline executed: "C:\Users\Louise\AppData\Local\Temp\Client-built.exe"
Installs itself for autorun at Windows startup
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
data: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
Exhibits behavior characteristic of Nanocore RAT
CAPE detected the NanoCore malware family
Clamav Hits in Target/Dropped/SuriExtracted
c6847dd3e7b51ba63378e430441ce519a96bd35a1e37b5070b7a125f9b89af9d: Win.Trojan.Nanocore-5, dropped, guest_paths:C:\Users\Louise\AppData\Local\Temp\Bin.exe, type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
c6847dd3e7b51ba63378e430441ce519a96bd35a1e37b5070b7a125f9b89af9d: Win.Packed.Generic-9777790-0, dropped, guest_paths:C:\Users\Louise\AppData\Local\Temp\Bin.exe, type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
e0becb3532bd89ede90dc881735c824e66df23a639a21ecebdddc20b93e69da3: Win.Trojan.Generic-6295765-0, dropped, guest_paths:C:\Users\Louise\AppData\Local\Temp\Client-built.exe, type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
e0becb3532bd89ede90dc881735c824e66df23a639a21ecebdddc20b93e69da3: Win.Malware.Generic-6623004-0, dropped, guest_paths:C:\Users\Louise\AppData\Local\Temp\Client-built.exe, type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Collects information to fingerprint the system
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - RigEK
signature: ET JA3 Hash - Possible Malware - Various Eitest

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 8.8.4.4 [VT] United States
Y 52.114.75.150 [VT] Netherlands
Y 51.105.208.173 [VT] United Kingdom
N 3.131.207.170 [VT] United States
Y 13.107.42.23 [VT] United States
N 104.18.11.39 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

Name Response Post-Analysis Lookup
cacerts.digicert.com [VT] A 104.18.11.39 [VT] 104.18.10.39 [VT]
3.tcp.ngrok.io [VT] A 3.131.207.170 [VT] 3.23.182.29 [VT]

Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe.config
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\0y!*1vq]59o7f31fc2a#\*
C:\Users\Louise\AppData\Local\Temp\Invoices 073.INI
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationUI\v4.0_4.0.0.0__31bf3856ad364e35\PresentationUI.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\SHLWAPI.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Users\Louise\AppData\Local\Temp\MSVCP120_CLR0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\
C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813
C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\urlmon.dll
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe:Zone.Identifier
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\
C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9
C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Windows\System32\dnsapi.dll
C:\Windows\System32\mscoree.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\KERNELBASE.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\CRYPTBASE.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\lpk.dll
C:\Windows\SysWOW64\usp10.dll
C:\Windows\SysWOW64\oleaut32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\System32\imm32.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\System32\api-ms-win-core-synch-l1-2-0.DLL
C:\Windows\System32\version.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\DWrite.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\SysWOW64\Wldap32.dll
C:\Windows\SysWOW64\crypt32.dll
C:\Windows\SysWOW64\msasn1.dll
C:\Windows\SysWOW64\urlmon.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
C:\Windows\SysWOW64\normaliz.dll
C:\Windows\SysWOW64\iertutil.dll
C:\Windows\SysWOW64\wininet.dll
C:\Windows\System32\secur32.dll
C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\System32\WindowsCodecs.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\LLB\*
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\CAMBRIA.TTC
C:\Windows\Fonts\CANDARA.TTF
C:\Windows\Fonts\CONSOLA.TTF
C:\Windows\Fonts\CONSTAN.TTF
C:\Windows\Fonts\CORBEL.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\CAMBRIAB.TTF
C:\Windows\Fonts\CAMBRIAI.TTF
C:\Windows\Fonts\CAMBRIAZ.TTF
C:\Windows\Fonts\CANDARAB.TTF
C:\Windows\Fonts\CANDARAI.TTF
C:\Windows\Fonts\CANDARAZ.TTF
C:\Windows\Fonts\CONSOLAB.TTF
C:\Windows\Fonts\CONSOLAI.TTF
C:\Windows\Fonts\CONSOLAZ.TTF
C:\Windows\Fonts\CONSTANB.TTF
C:\Windows\Fonts\CONSTANI.TTF
C:\Windows\Fonts\CONSTANZ.TTF
C:\Windows\Fonts\CORBELB.TTF
C:\Windows\Fonts\CORBELI.TTF
C:\Windows\Fonts\CORBELZ.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Users\Louise\AppData\Local\Temp\Client-built.exe
C:\Users\Louise\AppData\Local\Temp\Bin.exe
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
\??\MountPointManager
C:\Windows\Fonts\staticcache.dat
C:\Users\Louise\AppData\Local\Temp\Client-built.exe.config
C:\Windows\assembly\NativeImages_v4.0.30319_32\Client\*
C:\Users\Louise\AppData\Local\Temp\Client-built.INI
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\VERSION.dll
C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
C:\Users\Louise\AppData\Local\Temp\Bin.exe.config
C:\Users\Louise\AppData\Local\Temp\Bin.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Windows\System32\l_intl.nls
C:\Users\Louise\AppData\Local\Temp\Bin.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232
C:\Users\Louise\AppData\Roaming
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\run.dat
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\Exceptions\1.2.2.0
C:\Program Files (x86)\SMTP Manager
C:\Program Files (x86)
C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\SMTP Manager\smtpmgr.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Users\Louise\AppData\Local\Temp\Bin.PDB
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\catalog.dat
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\storage.dat
C:\Users\Louise\AppData\Local\Temp\ClientPlugin.dll
C:\Users\Louise\AppData\Local\Temp\ClientPlugin\ClientPlugin.dll
C:\Users\Louise\AppData\Local\Temp\ClientPlugin.exe
C:\Users\Louise\AppData\Local\Temp\ClientPlugin\ClientPlugin.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\settings.bin
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\settings.bak
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\Logs\Louise
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\Logs
C:\Users\Louise\AppData\Local\Temp\Lzma#.dll
C:\Users\Louise\AppData\Local\Temp\Lzma#\Lzma#.dll
C:\Users\Louise\AppData\Local\Temp\Lzma#.exe
C:\Users\Louise\AppData\Local\Temp\Lzma#\Lzma#.exe
C:\Users\Louise\AppData\Local\Temp\en-US\SurveillanceExClientPlugin.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Users\Louise\AppData\Local\Temp\en-US\SurveillanceExClientPlugin.resources.exe
C:\Users\Louise\AppData\Local\Temp\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Windows\Globalization\en.nlp
C:\Users\Louise\AppData\Local\Temp\en\SurveillanceExClientPlugin.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Users\Louise\AppData\Local\Temp\en\SurveillanceExClientPlugin.resources.exe
C:\Users\Louise\AppData\Local\Temp\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ws2_32.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d22616370e881379e5a7c30ee1e75a6\System.Configuration.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
C:\Users\Louise\AppData\Local\Temp\dnsapi.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb
C:\Windows\symbols\dll\System.pdb
C:\Windows\dll\System.pdb
C:\Windows\System.pdb
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat"
C:\Users\Louise\AppData\Local\Temp\chcp.*
C:\Users\Louise\AppData\Local\Temp\chcp
C:\Python27\chcp.*
C:\Python27\chcp
C:\Python27\Scripts\chcp.*
C:\Python27\Scripts\chcp
C:\Windows\System32\chcp.*
C:\Windows\System32\chcp.com
C:\Users\Louise\AppData\Local\Temp\ping.*
C:\Users\Louise\AppData\Local\Temp\ping
C:\Python27\ping.*
C:\Python27\ping
C:\Python27\Scripts\ping.*
C:\Python27\Scripts\ping
C:\Windows\System32\ping.*
C:\Windows\System32\PING.COM
C:\Windows\System32\PING.EXE
\??\nul
C:\
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\System32\en-US\ulib.dll.mui
C:\Windows\SysWOW64\en-US\PING.EXE.mui
C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe.config
C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\System32\mscoree.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\KERNELBASE.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\CRYPTBASE.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\lpk.dll
C:\Windows\SysWOW64\usp10.dll
C:\Windows\SysWOW64\oleaut32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\System32\imm32.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\System32\api-ms-win-core-synch-l1-2-0.DLL
C:\Windows\System32\version.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\DWrite.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\SysWOW64\Wldap32.dll
C:\Windows\SysWOW64\crypt32.dll
C:\Windows\SysWOW64\msasn1.dll
C:\Windows\SysWOW64\urlmon.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
C:\Windows\SysWOW64\normaliz.dll
C:\Windows\SysWOW64\iertutil.dll
C:\Windows\SysWOW64\wininet.dll
C:\Windows\System32\secur32.dll
C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\System32\WindowsCodecs.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\6090b158fd3d10686b422a455e188125\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2f61c87db96dbe27deea0e525a665761\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a3abb36b9f9e867b09bb3a670b074c45\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\badfff92e7e4f52c948920e4a4975073\System.Runtime.Remoting.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\batang.ttc
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\daunpenh.ttf
C:\Windows\Fonts\dokchamp.ttf
C:\Windows\Fonts\estre.ttf
C:\Windows\Fonts\euphemia.ttf
C:\Windows\Fonts\gautami.ttf
C:\Windows\Fonts\gautamib.ttf
C:\Windows\Fonts\Vani.ttf
C:\Windows\Fonts\Vanib.ttf
C:\Windows\Fonts\gulim.ttc
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\iskpota.ttf
C:\Windows\Fonts\iskpotab.ttf
C:\Windows\Fonts\kalinga.ttf
C:\Windows\Fonts\kalingab.ttf
C:\Windows\Fonts\kartika.ttf
C:\Windows\Fonts\kartikab.ttf
C:\Windows\Fonts\KhmerUI.ttf
C:\Windows\Fonts\KhmerUIb.ttf
C:\Windows\Fonts\LaoUI.ttf
C:\Windows\Fonts\LaoUIb.ttf
C:\Windows\Fonts\latha.ttf
C:\Windows\Fonts\lathab.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\mangal.ttf
C:\Windows\Fonts\mangalb.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msjhbd.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Windows\Fonts\mingliu.ttc
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\msmincho.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\nyala.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\plantc.ttf
C:\Windows\Fonts\raavi.ttf
C:\Windows\Fonts\raavib.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguisb.ttf
C:\Windows\Fonts\segoeuil.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\shruti.ttf
C:\Windows\Fonts\shrutib.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\tunga.ttf
C:\Windows\Fonts\tungab.ttf
C:\Windows\Fonts\vrinda.ttf
C:\Windows\Fonts\vrindab.ttf
C:\Windows\Fonts\Shonar.ttf
C:\Windows\Fonts\Shonarb.ttf
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\angsa.ttf
C:\Windows\Fonts\angsai.ttf
C:\Windows\Fonts\angsab.ttf
C:\Windows\Fonts\angsaz.ttf
C:\Windows\Fonts\aparaj.ttf
C:\Windows\Fonts\aparajb.ttf
C:\Windows\Fonts\aparajbi.ttf
C:\Windows\Fonts\aparaji.ttf
C:\Windows\Fonts\cordia.ttf
C:\Windows\Fonts\cordiai.ttf
C:\Windows\Fonts\cordiab.ttf
C:\Windows\Fonts\cordiaz.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\gisha.ttf
C:\Windows\Fonts\gishabd.ttf
C:\Windows\Fonts\kokila.ttf
C:\Windows\Fonts\kokilab.ttf
C:\Windows\Fonts\kokilabi.ttf
C:\Windows\Fonts\kokilai.ttf
C:\Windows\Fonts\leelawad.ttf
C:\Windows\Fonts\leelawdb.ttf
C:\Windows\Fonts\msuighur.ttf
C:\Windows\Fonts\moolbor.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\utsaah.ttf
C:\Windows\Fonts\utsaahb.ttf
C:\Windows\Fonts\utsaahbi.ttf
C:\Windows\Fonts\utsaahi.ttf
C:\Windows\Fonts\vijaya.ttf
C:\Windows\Fonts\vijayab.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\modern.fon
C:\Windows\Fonts\roman.fon
C:\Windows\Fonts\script.fon
C:\Windows\Fonts\andlso.ttf
C:\Windows\Fonts\arabtype.ttf
C:\Windows\Fonts\simpo.ttf
C:\Windows\Fonts\simpbdo.ttf
C:\Windows\Fonts\simpfxo.ttf
C:\Windows\Fonts\majalla.ttf
C:\Windows\Fonts\majallab.ttf
C:\Windows\Fonts\trado.ttf
C:\Windows\Fonts\tradbdo.ttf
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\david.ttf
C:\Windows\Fonts\davidbd.ttf
C:\Windows\Fonts\frank.ttf
C:\Windows\Fonts\lvnm.ttf
C:\Windows\Fonts\lvnmbd.ttf
C:\Windows\Fonts\mriam.ttf
C:\Windows\Fonts\mriamc.ttf
C:\Windows\Fonts\nrkis.ttf
C:\Windows\Fonts\rod.ttf
C:\Windows\Fonts\simfang.ttf
C:\Windows\Fonts\simhei.ttf
C:\Windows\Fonts\simkai.ttf
C:\Windows\Fonts\angsau.ttf
C:\Windows\Fonts\angsaui.ttf
C:\Windows\Fonts\angsaub.ttf
C:\Windows\Fonts\angsauz.ttf
C:\Windows\Fonts\browa.ttf
C:\Windows\Fonts\browai.ttf
C:\Windows\Fonts\browab.ttf
C:\Windows\Fonts\browaz.ttf
C:\Windows\Fonts\browau.ttf
C:\Windows\Fonts\browaui.ttf
C:\Windows\Fonts\browaub.ttf
C:\Windows\Fonts\browauz.ttf
C:\Windows\Fonts\cordiau.ttf
C:\Windows\Fonts\cordiaub.ttf
C:\Windows\Fonts\cordiauz.ttf
C:\Windows\Fonts\cordiaui.ttf
C:\Windows\Fonts\upcdl.ttf
C:\Windows\Fonts\upcdi.ttf
C:\Windows\Fonts\upcdb.ttf
C:\Windows\Fonts\upcdbi.ttf
C:\Windows\Fonts\upcel.ttf
C:\Windows\Fonts\upcei.ttf
C:\Windows\Fonts\upceb.ttf
C:\Windows\Fonts\upcebi.ttf
C:\Windows\Fonts\upcfl.ttf
C:\Windows\Fonts\upcfi.ttf
C:\Windows\Fonts\upcfb.ttf
C:\Windows\Fonts\upcfbi.ttf
C:\Windows\Fonts\upcil.ttf
C:\Windows\Fonts\upcii.ttf
C:\Windows\Fonts\upcib.ttf
C:\Windows\Fonts\upcibi.ttf
C:\Windows\Fonts\upcjl.ttf
C:\Windows\Fonts\upcji.ttf
C:\Windows\Fonts\upcjb.ttf
C:\Windows\Fonts\upcjbi.ttf
C:\Windows\Fonts\upckl.ttf
C:\Windows\Fonts\upcki.ttf
C:\Windows\Fonts\upckb.ttf
C:\Windows\Fonts\upckbi.ttf
C:\Windows\Fonts\upcll.ttf
C:\Windows\Fonts\upcli.ttf
C:\Windows\Fonts\upclb.ttf
C:\Windows\Fonts\upclbi.ttf
C:\Windows\Fonts\kaiu.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\coure.fon
C:\Windows\Fonts\serife.fon
C:\Windows\Fonts\sserife.fon
C:\Windows\Fonts\smalle.fon
C:\Windows\Fonts\smallf.fon
C:\Windows\Fonts\CALIBRILI.TTF
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\DUBAI-BOLD.TTF
C:\Windows\Fonts\DUBAI-LIGHT.TTF
C:\Windows\Fonts\DUBAI-MEDIUM.TTF
C:\Windows\Fonts\DUBAI-REGULAR.TTF
C:\Windows\Fonts\GADUGI.TTF
C:\Windows\Fonts\GADUGIB.TTF
C:\Windows\Fonts\HARLOWSI.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\NIRMALA.TTF
C:\Windows\Fonts\NIRMALAB.TTF
C:\Windows\Fonts\SEGOEUISL.TTF
C:\Windows\Fonts\VIVALDII.TTF
C:\Windows\Fonts\MSJH.TTC
C:\Windows\Fonts\MSJHBD.TTC
C:\Windows\Fonts\MSYH.TTC
C:\Windows\Fonts\MSYHBD.TTC
C:\Windows\Fonts\ARIALUNI.TTF
C:\Windows\Fonts\meiryo.ttc
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\HATTEN.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
C:\Windows\Fonts\HARNGTON.TTF
C:\Windows\Fonts\HTOWERT.TTF
C:\Windows\Fonts\JOKERMAN.TTF
C:\Windows\Fonts\KUNSTLER.TTF
C:\Windows\Fonts\LBRITE.TTF
C:\Windows\Fonts\LCALLIG.TTF
C:\Windows\Fonts\LFAX.TTF
C:\Windows\Fonts\MAGNETOB.TTF
C:\Windows\Fonts\MATURASC.TTF
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\NIAGENG.TTF
C:\Windows\Fonts\NIAGSOL.TTF
C:\Windows\Fonts\OLDENGL.TTF
C:\Windows\Fonts\ONYX.TTF
C:\Windows\Fonts\PARCHM.TTF
C:\Windows\Fonts\PLAYBILL.TTF
C:\Windows\Fonts\POORICH.TTF
C:\Windows\Fonts\RAVIE.TTF
C:\Windows\Fonts\INFROMAN.TTF
C:\Windows\Fonts\SHOWG.TTF
C:\Windows\Fonts\SNAP____.TTF
C:\Windows\Fonts\STENCIL.TTF
C:\Windows\Fonts\VINERITC.TTF
C:\Windows\Fonts\VLADIMIR.TTF
C:\Windows\Fonts\LATINWD.TTF
C:\Windows\Fonts\TCM_____.TTF
C:\Windows\Fonts\TCCB____.TTF
C:\Windows\Fonts\TCCM____.TTF
C:\Windows\Fonts\TCB_____.TTF
C:\Windows\Fonts\SCRIPTBL.TTF
C:\Windows\Fonts\ROCKEB.TTF
C:\Windows\Fonts\ROCC____.TTF
C:\Windows\Fonts\ROCK.TTF
C:\Windows\Fonts\RAGE.TTF
C:\Windows\Fonts\PERTIBD.TTF
C:\Windows\Fonts\PER_____.TTF
C:\Windows\Fonts\PALSCRI.TTF
C:\Windows\Fonts\OCRAEXT.TTF
C:\Windows\Fonts\MAIAN.TTF
C:\Windows\Fonts\LTYPE.TTF
C:\Windows\Fonts\LSANS.TTF
C:\Windows\Fonts\IMPRISHA.TTF
C:\Windows\Fonts\GOUDYSTO.TTF
C:\Windows\Fonts\GOUDOS.TTF
C:\Windows\Fonts\GLECB.TTF
C:\Windows\Fonts\GILLUBCD.TTF
C:\Windows\Fonts\GILSANUB.TTF
C:\Windows\Fonts\GILC____.TTF
C:\Windows\Fonts\GIL_____.TTF
C:\Windows\Fonts\GLSNECB.TTF
C:\Windows\Fonts\GIGI.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\FRABK.TTF
C:\Windows\Fonts\FORTE.TTF
C:\Windows\Fonts\FELIXTI.TTF
C:\Windows\Fonts\ERASMD.TTF
C:\Windows\Fonts\ERASLGHT.TTF
C:\Windows\Fonts\ERASDEMI.TTF
C:\Windows\Fonts\ERASBD.TTF
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\meiryob.ttc
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\HTOWERTI.TTF
C:\Windows\Fonts\LBRITED.TTF
C:\Windows\Fonts\LBRITEDI.TTF
C:\Windows\Fonts\LBRITEI.TTF
C:\Windows\Fonts\LFAXD.TTF
C:\Windows\Fonts\LFAXDI.TTF
C:\Windows\Fonts\LFAXI.TTF
C:\Windows\Fonts\TCMI____.TTF
C:\Windows\Fonts\TCCEB.TTF
C:\Windows\Fonts\TCBI____.TTF
C:\Windows\Fonts\ROCCB___.TTF
C:\Windows\Fonts\ROCKB.TTF
C:\Windows\Fonts\ROCKBI.TTF
C:\Windows\Fonts\ROCKI.TTF
C:\Windows\Fonts\PERTILI.TTF
C:\Windows\Fonts\PERBI___.TTF
C:\Windows\Fonts\PERB____.TTF
C:\Windows\Fonts\PERI____.TTF
C:\Windows\Fonts\LTYPEB.TTF
C:\Windows\Fonts\LTYPEBO.TTF
C:\Windows\Fonts\LTYPEO.TTF
C:\Windows\Fonts\LSANSD.TTF
C:\Windows\Fonts\LSANSDI.TTF
C:\Windows\Fonts\LSANSI.TTF
C:\Windows\Fonts\GOUDOSB.TTF
C:\Windows\Fonts\GOUDOSI.TTF
C:\Windows\Fonts\GILBI___.TTF
C:\Windows\Fonts\GILB____.TTF
C:\Windows\Fonts\GILI____.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRABKIT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\CAMBRIA.TTC
C:\Windows\Fonts\CANDARA.TTF
C:\Windows\Fonts\CONSOLA.TTF
C:\Windows\Fonts\CONSTAN.TTF
C:\Windows\Fonts\CORBEL.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\CAMBRIAB.TTF
C:\Windows\Fonts\CAMBRIAI.TTF
C:\Windows\Fonts\CAMBRIAZ.TTF
C:\Windows\Fonts\CANDARAB.TTF
C:\Windows\Fonts\CANDARAI.TTF
C:\Windows\Fonts\CANDARAZ.TTF
C:\Windows\Fonts\CONSOLAB.TTF
C:\Windows\Fonts\CONSOLAI.TTF
C:\Windows\Fonts\CONSOLAZ.TTF
C:\Windows\Fonts\CONSTANB.TTF
C:\Windows\Fonts\CONSTANI.TTF
C:\Windows\Fonts\CONSTANZ.TTF
C:\Windows\Fonts\CORBELB.TTF
C:\Windows\Fonts\CORBELI.TTF
C:\Windows\Fonts\CORBELZ.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\staticcache.dat
C:\Users\Louise\AppData\Local\Temp\Client-built.exe.config
C:\Users\Louise\AppData\Local\Temp\Client-built.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d3e15922b03ec29aed46615adda73f3d\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll
C:\Users\Louise\AppData\Local\Temp\Bin.exe.config
C:\Users\Louise\AppData\Local\Temp\Bin.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Windows\System32\tzres.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d22616370e881379e5a7c30ee1e75a6\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb
C:\Windows\symbols\dll\System.pdb
C:\Windows\dll\System.pdb
C:\Windows\System.pdb
\??\PIPE\samr
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\System32\en-US\ulib.dll.mui
C:\Windows\SysWOW64\en-US\PING.EXE.mui
C:\Users\Louise\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf.dll
C:\Users\Louise\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Louise\AppData\Local\Temp\Client-built.exe
C:\Users\Louise\AppData\Local\Temp\Bin.exe
C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\run.dat
C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
\??\PIPE\samr
\??\nul
C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
C:\Users\Louise\AppData\Roaming\27524949-1000-4C11-BF17-01B4A3882232\SMTP Manager\smtpmgr.exe
C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Invoices 073.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Net Framework Setup\NDP\v4\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics
HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\ZoneMap\Ranges\
HKEY_CURRENT_USER\ZoneMap\Ranges\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Invoices 073.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Invoices 073.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Namespaces
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9FA65764-C36F-4319-9737-658A34585BB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{AB13F5B1-F718-11D0-82AA-00AA00C065E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9FA65764-C36F-4319-9737-658A34585BB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{AB13F5B1-F718-11D0-82AA-00AA00C065E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1e4\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Invoices 073.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Client-built.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Client-built.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Bin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5aa75839\10fdf3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorlib.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Drawing.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Windows.Forms.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4ecde57e\31d9ddbb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Bin.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Bin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Louise|AppData|Local|Temp|Bin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1339698970-4093829097-1161395185-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a054161\46043f61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\292d2ab
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\26d19501
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#CdRomDELL_DELL_DVD-ROM_______________________2.5+____#5&2d6c8425&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#CdRomDELL_DELL_DVD-ROM_______________________2.5+____#5&2d6c8425&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#CdRomDELL_DELL_DVD-ROM_______________________2.5+____#5&2d6c8425&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power\PowerRequestOverride
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Process
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\PowerRequestOverride\Driver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\WMI Writer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Invoices 073.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Invoices 073.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorlib.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Drawing.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Windows.Forms.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\diasymreader.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\c3\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET CLR Networking\Performance\Counter Names
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#CdRomDELL_DELL_DVD-ROM_______________________2.5+____#5&2d6c8425&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#Volume#{80b5a654-2730-11e9-8620-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\DeviceInstance
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultTTL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\1E4\52C64B7E\LanguageList
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
kernel32.dll.LocalAlloc
[email protected]@Z
user32.dll.SetProcessDPIAware
kernel32.dll.GetEnvironmentVariableW
shlwapi.dll.PathAppendW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryExW
dwrite.dll.DWriteCreateFactory
shlwapi.dll.PathCombineW
kernel32.dll.LoadLibraryW
gdi32.dll.GdiEntry13
advapi32.dll.EventWrite
advapi32.dll.EventUnregister
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTempPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.CreateDirectoryW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
advapi32.dll.ConvertStringSidToSidW
kernel32.dll.LocalFree
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.GetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.GetSecurityDescriptorLength
advapi32.dll.SetNamedSecurityInfoW
kernel32.dll.LoadLibraryA
kernel32.dll.WideCharToMultiByte
fdf.dll._Initialize
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
psapi.dll.GetModuleFileNameExW
cryptsp.dll.CryptGetDefaultProviderW
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateWaitableTimerExW
kernel32.dll.SetWaitableTimerEx
ole32.dll.CoUninitialize
urlmon.dll.CoInternetCreateSecurityManager
secur32.dll.GetUserNameExW
api-ms-win-downlevel-shlwapi-l1-1-0.dll.PathCreateFromUrlW
api-ms-win-downlevel-advapi32-l2-1-0.dll.ConvertStringSidToSidW
oleaut32.dll.#6
kernel32.dll.CompareStringOrdinal
kernel32.dll.ResolveLocaleName
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageEncodersSize
gdiplus.dll.GdipGetImageEncoders
gdiplus.dll.GdipSaveImageToStream
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#10
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
gdiplus.dll.GdipDisposeImage
oleaut32.dll.#500
agiledotnetrt.dll._Initialize
wintrust.dll.CryptSIPPutSignedDataMsg
wintrust.dll.CryptSIPGetSignedDataMsg
imagehlp.dll.ImageGetCertificateData
cryptsp.dll.CryptAcquireContextA
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptDestroyHash
advapi32.dll.CreateProcessAsUserW
kernel32.dll.lstrlenA
kernel32.dll.CreateEventW
kernel32.dll.FreeLibrary
[email protected]@Z
msvcr120_clr0400.dll._unlock
msvcr120_clr0400.dll._lock
cryptsp.dll.CryptReleaseContext
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
user32.dll.RegisterWindowMessageW
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
cryptsp.dll.CryptGenRandom
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
user32.dll.GetSystemMetrics
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
user32.dll.AdjustWindowRectEx
gdi32.dll.CreateCompatibleDC
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
user32.dll.GetDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegEnumValueW
kernel32.dll.RegQueryInfoKeyW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontSize
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipDeleteFont
gdiplus.dll.GdipGetLogFontW
mscoree.dll.ND_WU1
mscoreei.dll.ND_WU1
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetTextMetricsW
gdi32.dll.GetTextExtentPoint32W
gdi32.dll.DeleteDC
user32.dll.SetWindowTextW
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.SetLayeredWindowAttributes
kernel32.dll.GetStartupInfoW
user32.dll.SendMessageW
user32.dll.GetSystemMenu
user32.dll.GetWindowPlacement
user32.dll.EnableMenuItem
gdi32.dll.GetDeviceCaps
user32.dll.CreateIconFromResourceEx
user32.dll.GetWindowTextLengthW
user32.dll.GetWindowTextW
user32.dll.SetWindowPos
user32.dll.RedrawWindow
user32.dll.ShowWindow
kernel32.dll.GetModuleHandleA
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
user32.dll.SetForegroundWindow
ole32.dll.OleInitialize
ole32.dll.CoRegisterMessageFilter
user32.dll.SetFocus
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.GetWindowThreadProcessId
user32.dll.PostMessageW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
user32.dll.GetSysColor
user32.dll.GetMonitorInfoW
gdi32.dll.CreateDCW
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.GetNearestColor
gdi32.dll.CreateSolidBrush
user32.dll.FillRect
gdi32.dll.DeleteObject
gdi32.dll.RestoreDC
user32.dll.PeekMessageW
user32.dll.IsWindowUnicode
user32.dll.GetMessageW
user32.dll.TranslateMessage
user32.dll.DispatchMessageW
user32.dll.BeginPaint
gdiplus.dll.GdipCreateHalftonePalette
gdi32.dll.SelectPalette
user32.dll.EndPaint
user32.dll.WaitMessage
advapi32.dll.CryptAcquireContextW
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptGetProvParam
cryptsp.dll.CryptGetProvParam
advapi32.dll.CryptContextAddRef
advapi32.dll.CryptImportKey
cryptsp.dll.CryptContextAddRef
advapi32.dll.CryptDuplicateKey
cryptsp.dll.CryptDuplicateKey
advapi32.dll.CryptSetKeyParam
cryptsp.dll.CryptSetKeyParam
advapi32.dll.CryptDecrypt
cryptsp.dll.CryptDecrypt
advapi32.dll.CryptDestroyKey
kernel32.dll.SetEvent
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
ole32.dll.IIDFromString
ole32.dll.CoGetClassObject
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.CoGetObjectContext
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
advapi32.dll.UnregisterTraceGuids
ntdll.dll.EtwUnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.InitializeCriticalSectionAndSpinCount
msvcrt.dll._set_error_mode
[email protected]@[email protected]
kernel32.dll.FindActCtxSectionStringW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
user32.dll.GetFocus
kernel32.dll.GetModuleFileNameW
kernel32.dll.SetCurrentDirectoryW
kernel32.dll.FindResourceExA
kernel32.dll.LockResource
cryptsp.dll.CryptEncrypt
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
advapi32.dll.RegOpenKeyExA
shfolder.dll.SHGetFolderPathW
kernel32.dll.SetErrorMode
kernel32.dll.DeleteFileW
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
kernel32.dll.GetSystemInfo
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtGetCurrentProcessorNumber
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
advapi32.dll.GetUserNameW
user32.dll.GetForegroundWindow
psapi.dll.EnumProcesses
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.SwitchToThread
user32.dll.GetKeyboardLayout
user32.dll.RegisterRawInputDevices
user32.dll.SetClipboardViewer
user32.dll.SendMessageA
ole32.dll.CoCreateGuid
ws2_32.dll.WSAStartup
ws2_32.dll.WSASocketW
ws2_32.dll.setsockopt
ws2_32.dll.WSAEventSelect
ws2_32.dll.ioctlsocket
ws2_32.dll.closesocket
kernel32.dll.GetComputerNameW
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.CreateFileMappingW
kernel32.dll.MapViewOfFile
kernel32.dll.VirtualQuery
advapi32.dll.CreateWellKnownSid
kernel32.dll.WaitForSingleObject
kernel32.dll.OpenMutexW
kernel32.dll.GetProcessTimes
ws2_32.dll.inet_addr
dnsapi.dll.DnsQuery_A
kernel32.dll.SetThreadExecutionState
ws2_32.dll.getaddrinfo
ws2_32.dll.freeaddrinfo
kernel32.dll.FormatMessageW
ws2_32.dll.bind
ws2_32.dll.WSAIoctl
ws2_32.dll.getpeername
vssapi.dll.CreateWriter
oleaut32.dll.#2
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
sechost.dll.ConvertSidToStringSidW
ole32.dll.CoTaskMemRealloc
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
"C:\Users\Louise\AppData\Local\Temp\Invoices 073.exe"
"C:\Users\Louise\AppData\Local\Temp\Client-built.exe"
C:\Users\Louise\AppData\Local\Temp\Client-built.exe
"C:\Users\Louise\AppData\Local\Temp\Bin.exe"
C:\Users\Louise\AppData\Local\Temp\Bin.exe
"C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat"
C:\Windows\system32\cmd.exe /c ""C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat" "
C:\Users\Louise\AppData\Local\Temp\exCWVxnLndy0.bat
chcp 65001
ping -n 10 localhost
C:\Windows\system32\PING.EXE ping -n 10 localhost
"C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat"
C:\Windows\system32\cmd.exe /c ""C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat" "
C:\Users\Louise\AppData\Local\Temp\8IPk152KxLHe.bat
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
Global\CLR_CASOFF_MUTEX
Global\{9fcfd287-56cf-4307-be80-4e0bd6eb68ab}
Global\.net clr networking

BinGraph Download graph

2020-10-18T06:47:34.950752 image/svg+xml Matplotlib v3.3.0, https://matplotlib.org/

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x0052677e 0x00000000 0x0012c326 4.0 2059-08-08 12:46:02 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00124784 0x00124800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.62
.rsrc 0x00124a00 0x00128000 0x0000063a 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.69
.reloc 0x00125200 0x0012a000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x001280a0 0x000003b0 LANG_NEUTRAL SUBLANG_NEUTRAL 3.62 None
RT_MANIFEST 0x00128450 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name 0y!*1vq]59o<q_3|7xc$68k:o
Version 1.0.0.0

Assembly References

Name Version
PresentationFramework 4.0.0.0
mscorlib 4.0.0.0
System 4.0.0.0
System.Core 4.0.0.0
System.Xml 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute p]95e)#0u4d|^7yw,3<
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute o$12p(d)7~5c3g_[9w4l%o
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute j:9[0ov|8&3yg%2(4d6b
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute o$12p(d)7~5c3g_[9w4l%o
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 1997 - 20
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute 4n]r&6_3xi^19c:[5p2i$+0u7e{g/8
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 65b8e2b7-10ed-43f5-bbf0-8da6abd4e2

Type References

Assembly Type Name
PresentationFramework System.Windows.Application
mscorlib System.Reflection.Assembly
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.Object
mscorlib System.DateTime
mscorlib System.DateTimeOffset
mscorlib System.Security.Cryptography.ICryptoTransform
mscorlib System.Text.StringBuilder
mscorlib System.TimeSpan
mscorlib System.IO.MemoryStream
mscorlib System.Reflection.FieldInfo
mscorlib System.Runtime.Serialization.ISerializable
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.Security.Cryptography.Rijndael
PresentationFramework System.Windows.Controls.Page
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System System.Configuration.ApplicationSettingsBase
mscorlib System.ValueType
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.Collections.Generic.IEnumerator`1
mscorlib System.Type
mscorlib System.Reflection.MethodInfo
mscorlib System.Func`2
System.Core System.Linq.Enumerable
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Threading.Thread
mscorlib System.AppDomain
System.Core System.Linq.ParallelEnumerable
System.Core System.Linq.ParallelQuery`1
mscorlib System.Reflection.MemberInfo
mscorlib System.Char
mscorlib System.String
mscorlib System.RuntimeTypeHandle
mscorlib System.Delegate
mscorlib System.Collections.IEnumerator
mscorlib System.IDisposable
mscorlib System.Int32
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Array
mscorlib System.RuntimeFieldHandle
System.Xml System.Xml.XmlException
mscorlib System.Exception
mscorlib System.IFormatProvider
mscorlib System.DateTimeKind
mscorlib System.TimeZone
mscorlib System.Security.Cryptography.CryptoStream
mscorlib System.IO.Stream
mscorlib System.Security.Cryptography.CryptoStreamMode
mscorlib System.UInt32
mscorlib System.Byte
mscorlib System.Security.Cryptography.SymmetricAlgorithm
System System.Configuration.SettingsBase

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
x$Qyt
D`=Bg
0Z*J6;
usLZs
i ]ynM
YTX^Y
a1HiP
bB/fo
~od,
n0Vt}
2CsX#n
kTVA
v-g|Q=!
#`rEK|
{ep|,
/-i1_
ir=%2}
Xk!jQ^
8|>\3
.&~9I
,G]yX)
3gDj2S
T^VrV/hH9
}E$&_
*7ZX:Q
7thP-
0U0,Q
$~,uP
?cM^2
-Ux4ee
s}OXq
~iu! u
-9`|FTs"
Us=*;
^0-+E
BC]bbN
Mo^^?
v~J?'
'?2v+
~4.PB
AB(0`
%7]TP
_ar{+
`dE%$
@i#o(
}2 g3yR$
dsSa>
.M[,O
`w6kc
:~)QGD
f,>0u.
>d$cb
.P8~c
^McyN
a !i_
J7\+C
"W"V+
kEa`X
M/S9x
.-WUQE
o:09"u'
u:)<)z
;U-)z
VY{I<5
4T7E^
/H6"{{
Z7Wb\N3
P%~h#'
#^rjN
YnkMhO
[ovus6rX
(){DB|n
H{yvE
dLu8_z
E~3N8
8!OpX
WER";
zEiD;~n
>/0+:U,
ke8EW
jV8UF
.{:UY
:kXAq/}
#Gz).
08GJe.
m`U{y
H6fB]
yOscT
RvxOu
)YU/^
py*Jp
HBU]|
zPJ<g
L]bE.95
!mc.}
]{ a>C
/-4VW
]f"`Bqu
O=p"FIY
rS 1o
m'I}$Ae1#\
1Q8UM
VU+>;
"M^y~
R<~d##
`NTH!
<JJsOK^
Yez<]
LH:uQ
tONT`
!T53
Q]fcOV7Uu
?2XC$
a$T^b8
z7Z=)
UI+[W
`[Zf'r.h
*'Nzd
"@?'a
xUI[S
(}jOsrb
-"v'IS
FvgCYp
5]l\C
]_-pi
kV=\;
cleqY
hv\sFe
}.TlOy
>.|hp
>=!|s
"a'ns
5| .
`L2!!
*WD(d
XPhYR
JYUoT
qDyJ4
(?d/X3*4
R'NI)u
8c^;sX40
}Y/gD
)>;>yt
La8b<
F"mNQP
P$2N+PT_R
=:)k E^
`0Owl
ZHDX
N\\+63
x`<Fo
/X&{Sv
^.5nMC
`!<[ N
()9e/
5JU.D;k=O
P0oS:
\oDk=
3zu+6U
+jcQ#
^zI(&
3\-qg
:'qPk
*PvgZ
[1O-V
R/Qy|
K0>Q7
l-RLpE
I7$|+z
qJ;2|
w1^ZD6
|?ssu
[NA[K
F[*CR
XjCX2
+vMf\
LfMMy&,
*(7Qs*2~2
@'fE`
jv633Pg
w+9y0
?EiEK4
Z$k}G
0Sh9cf:I
<[U;0
r(n^(u
z(KH(
,)Lc}
OJu:y
{hA]L V
yU?~q
),mnM
05pGwJ
r$PWOeU
{}haR
E^k^o
5Iavl
0?)|%
(&y+H
DaI}jV
hw e*
$^Vyl
A=4eC;Y}
7:2y_/"
#iK[V
Fb]xvM
hcv6hw$
\mmJN
x]GTZ
f*4K''
9^h0&
9hl-C
e*E*{
)0D03
}~"V.
sSmd<
}tC2U
A(`wXB
#e}]Q
bR3`?
TuuI_9
0{!D#^
^')0LQ
/9bBp
_#_Lb
sG`7Y
rv%;$R
iUAn\
GsA7kDg
a|hGW
0sAmv
4'J\p
[ W08
=1oQ_)p
:$\PQ
$HP 3
\JExO
FZE:!'
>X(k}%
>\Bi3:]
BYkFd
~t\go
3s9RKI
`s6lX
9z,/6
ZB#!zD
M1ViF
7KRMg
LFOojI
T'&iTl
[x(":)L;
<mP}}AB
DoU8EX
RRz-~*
y,HW(]p
KnitM
K91'i
ijo&~)`
XvlDg
<BM_w
D*076u
8k"r&
3>a[~
'0_mf
!VdU2
k8AN&
O~p4pq
; jET
|nn:;
J(="-
Q8VE+
v2:4h[
{wB4\
I=_ry
Y+7E0
YIBNy
|1)dj
@dv3^(
vXZK,
.k7\Y
oE;3iY
h.s*#
yq?|;P
]\haKv
I_ko\QQ
:No`$u
3ie/k
6qp'u-
lu5+-D
p|^Pn
OY2tf&v
GiQg<
hMO=I
X^<Id
ZoeSXL
D$3;U
p 4i1
U7RxF4m
eh"sCQ&
GT<=*
=C<hC
W*r:Mvh
3m.2f
DU#J(
W;iE!%
C&XZY
457{)$
~Hjn_
ZyKeC
|d~q9&
=[x.UEw
j14$d
((}"K
gO<1Cb
1E],2
^a51b
R5lqy
zmA.Q
t;/r+q
CHuqr
lA+K1
=?:og
XBM"s
o2Bl]
Px:@3h
#a}gK)+O
()fy.
Z25+R
OwgmM
Gq"P'
-ex?o
zWv0Z
gUDTG
7K0vR
0vHe%-
/qj&i
dbcI=
=Su[{
cN5$p
HXm5pL
0gc&u
Qmd^X
"siE)
~KRg%n
Hm~?$
8m7V|
m$'3]
-;R6"
fTB"/
J^V+m
m(8D$V
[iu$4
{4VISH
g~jxH
8Z.1QT
:5\Pl
5syvxz
~8QF$
Xa>9+?
0l#q8
*p{^1;
2j/Ab
/j/\Q5
||[T.x
poi3E
,8OW[
o,aI:
TgNHK
M=W}(
PqKwK
8/S#0
;/q^z%/
i[O;T
g$FN>
}s3+V
O{pd[
UrKh{
u^b)K
~RGM?
{AoS2Z
YvWc7
c}+$M
^oORu
AFOIj
.KRULZ
=^LO-S
EODV}6
zlkCR
/a'OD
{5fL,
73kR{/
hZj>:
7 JWH
x5OhA~
J52sJ
EUiWx
xHm?(
U!F"-
A5P;q*c]
BW%xi{
q8{Be
k1,#E
BtcCv
ah0sh
4l5M*
R'jK:
W8g:o
*>)ye
=,UuM
E3bq.t
mZ-L
t$?/=
RC].X
_6x0?ZM
]#O)$|
l:>T~|
)a^L_
WG'/`S
pzWrd<z
t-.h5
-JM!5
"-%LW%
,{<%c
SNneD#Vq
J3z(B
/=fzF
ys?OL
JOI6c2
%-Z+[
bj19g1
OQ74r
bqc:
.f(jc
Rq;$;%7K
~`bd|
JeLy/,rAY8
72hut
/s6W0
K(N,8Y
q,.fH
^|yC*
Lv|+)
STWMR
Z"|0g
m!m.[X
J46.W
IrRW~
=nabv*
B&/>-N
XV(L'DGmI
U+1Pk
&T&6s
0}%?1W
hUOl6
^o287&
V. 9M
=s90!S
R;1E/
2JV;L
Pe$,6
bI`7R"
]9olX
5kH&4p
oJ~0ZP
~w-jp
,'Q}gCs:Q=
bGvqr
&oYF:
xL<Fu
Qp<tlI
JGxd?
K`(+V,
1-tpX
odmn9oYH
<yXtX2^Pa
HKBLU
H?.Xa
i|"c!
v}i0rY
_:+mRFR1
%qmi\
\[2t8)f;
JSJo]2
P+oc_Y}"-
3ov:~
EG\Om
hpCUt
C^3:e
jys#Y
-, IZW
JAu]`_
`vBNo
EDy0o
DlJ~>au
C-"z;9
\_:i?F
vY|3Y~+)z
bH:iW
w`E*V
oPbpd
(. {+
H\"oH
5(afkE4
TW/ua
)>%G^
,06ooR
!iQ>9
SrC}99
Sc<o%
:gu{V
Tc, T}W
/`;lY }
1YfSn
vb]iE
~]i[kX-
xW H0oq
Gb<X9
7qeVH
H"PBH
iYc{:/OUu
/{@,/
X`<^'x
=%njQ
>.{L>
GSu{q
g[ET2ln
vmBA3
\$Ago`I!
8V?DzE'
FJT<}
r=7{`
7v(l`z1Zo
*41>:
3`)<8
.E,jK<
hZ0A9
$$Yjw
lE2P^c
tE3T'
}(3_6
;0^Xi
~SO~>
X|<*$f
W|k=b6
MFuR4
:Yx|eY
S2"?lam
\PXCoH$
v=?3)
-GC:8H
qykGK
Caq>C
-La24
MCI,6
7o?k
*XQZ_"
E,cz/?
!zr2U
Ax1C|
N4M.C,
`YgFn
dWh'M!
'_M=~`
~b2s>
XVn}p
66}'f
'2UIn
!-;:
@"GId
*T:t"
U6\.8*
=]=?$?{
:_08|
U[neA
ut[d`V
`:<}Y
b.ec2
$l*b8D