Detections

Yara:

AgentTeslaV2

Auto Tasks

#17794: Unpacker

Analysis

Category: FILE
Package: exe
Started: 2020-06-30 13:24:35
Completed: 2020-06-30 13:29:59
Duration: 324 seconds

Options:
route = tor

Log:
2020-05-13 09:30:48,657 [root] INFO: Date set to: 20200630T13:21:48, timeout set to: 200
2020-06-30 13:21:48,046 [root] DEBUG: Starting analyzer from: C:\tmplodztmkc
2020-06-30 13:21:48,046 [root] DEBUG: Storing results at: C:\HfrpzXFC
2020-06-30 13:21:48,046 [root] DEBUG: Pipe server name: \\.\PIPE\dCwIvQubGq
2020-06-30 13:21:48,046 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-30 13:21:48,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 13:21:48,062 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 13:21:48,062 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 13:21:48,203 [root] DEBUG: Imported analysis package "exe".
2020-06-30 13:21:48,203 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 13:21:48,203 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 13:21:48,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 13:21:48,375 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 13:21:48,375 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 13:21:48,546 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 13:21:48,546 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 13:21:48,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 13:21:48,562 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 13:21:48,718 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 13:21:48,734 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 13:21:48,750 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 13:21:48,750 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 13:21:48,828 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 13:21:48,828 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 13:21:49,000 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 13:21:49,000 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 13:21:49,000 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 13:21:50,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 13:21:50,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 13:21:50,109 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 13:21:50,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 13:21:50,109 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 13:21:50,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 13:21:50,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 13:21:50,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 13:21:50,156 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 13:21:50,156 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 13:21:50,156 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 13:21:50,156 [root] DEBUG: Started auxiliary module Browser
2020-06-30 13:21:50,156 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 13:21:50,156 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 13:21:50,156 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 13:21:50,156 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 13:21:50,156 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 13:21:50,156 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 13:21:50,156 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 13:21:50,156 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 13:21:51,640 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 13:21:51,640 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 13:21:51,656 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 13:21:51,656 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 13:21:51,656 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 13:21:51,656 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 13:21:51,671 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 13:21:51,671 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 13:21:51,671 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 13:21:51,671 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 13:21:51,687 [root] DEBUG: Started auxiliary module Human
2020-06-30 13:21:51,687 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 13:21:51,687 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 13:21:51,687 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 13:21:51,703 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 13:21:51,703 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 13:21:51,703 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 13:21:51,703 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 13:21:51,703 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 13:21:51,703 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 13:21:51,718 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 13:21:51,718 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 13:21:51,718 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 13:21:51,718 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 13:21:51,718 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 13:21:51,718 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 13:21:51,718 [root] DEBUG: Started auxiliary module Usage
2020-06-30 13:21:51,718 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 13:21:51,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 13:21:51,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 13:21:51,734 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 13:21:51,968 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe" with arguments "" with pid 3548
2020-06-30 13:21:51,968 [lib.api.process] INFO: Monitor config for process 3548: C:\tmplodztmkc\dll\3548.ini
2020-06-30 13:21:52,015 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:21:52,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:21:52,093 [root] DEBUG: Loader: Injecting process 3548 (thread 3136) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:21:52,093 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:21:52,093 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:21:52,093 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:21:52,109 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:21:52,109 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3548
2020-06-30 13:21:54,109 [lib.api.process] INFO: Successfully resumed process with pid 3548
2020-06-30 13:21:54,484 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:21:54,500 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:21:54,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3548 at 0x6f360000, image base 0xf30000, stack from 0x3e5000-0x3f0000
2020-06-30 13:21:54,515 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe".
2020-06-30 13:21:54,562 [root] INFO: Loaded monitor into process with pid 3548
2020-06-30 13:21:54,562 [root] DEBUG: set_caller_info: Adding region at 0x002F0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:21:54,562 [root] DEBUG: set_caller_info: Adding region at 0x00990000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 13:21:54,578 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x990000
2020-06-30 13:21:54,593 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00990000 size 0x400000.
2020-06-30 13:21:54,593 [root] DEBUG: DumpPEsInRange: Scanning range 0x990000 - 0xa0f000.
2020-06-30 13:21:54,593 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x990000-0xa0f000.
2020-06-30 13:21:54,656 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_166953622254131372020 (size 0x109ae)
2020-06-30 13:21:54,656 [root] DEBUG: DumpRegion: Dumped stack region from 0x00990000, size 0x7f000.
2020-06-30 13:21:54,656 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x002F0000.
2020-06-30 13:21:54,656 [root] DEBUG: set_caller_info: Adding region at 0x00520000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:21:54,687 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x6a7fff
2020-06-30 13:21:54,687 [root] DEBUG: DumpMemory: Nothing to dump at 0x00520000!
2020-06-30 13:21:54,703 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00520000 size 0x188000.
2020-06-30 13:21:54,703 [root] DEBUG: DumpPEsInRange: Scanning range 0x520000 - 0x528000.
2020-06-30 13:21:54,703 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x520000-0x528000.
2020-06-30 13:21:54,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_168634122454131372020 (size 0x7ff2)
2020-06-30 13:21:54,734 [root] DEBUG: DumpRegion: Dumped stack region from 0x00520000, size 0x8000.
2020-06-30 13:21:54,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x729C0000 to global list.
2020-06-30 13:21:54,750 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:21:54,750 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-06-30 13:21:54,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec amd local view 0x00890000 to global list.
2020-06-30 13:21:54,781 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x00890000 to global list.
2020-06-30 13:21:54,781 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:21:54,812 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EDA0000 for section view with handle 0xe8.
2020-06-30 13:21:54,812 [root] DEBUG: DLL loaded at 0x6EDA0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-30 13:21:54,828 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6ED00000 for section view with handle 0xec.
2020-06-30 13:21:54,843 [root] DEBUG: DLL loaded at 0x6ED00000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-30 13:21:54,890 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3548, handle 0xf8.
2020-06-30 13:21:54,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x00160000 to global list.
2020-06-30 13:21:54,890 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc amd local view 0x00270000 to global list.
2020-06-30 13:21:54,890 [root] INFO: Disabling sleep skipping.
2020-06-30 13:21:54,890 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3548.
2020-06-30 13:21:54,937 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-30 13:21:54,937 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:21:54,953 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3548.
2020-06-30 13:21:54,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x6E200000 to global list.
2020-06-30 13:21:54,968 [root] DEBUG: DLL loaded at 0x6E200000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-30 13:21:55,000 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-06-30 13:21:55,000 [root] DEBUG: set_caller_info: Adding region at 0x03E80000 to caller regions list (kernel32::SetErrorMode).
2020-06-30 13:21:55,015 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3ebffff
2020-06-30 13:21:55,015 [root] DEBUG: DumpMemory: Nothing to dump at 0x03E80000!
2020-06-30 13:21:55,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e0 amd local view 0x6D9F0000 to global list.
2020-06-30 13:21:55,093 [root] DEBUG: DLL loaded at 0x6D9F0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-30 13:21:55,093 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6D860000 for section view with handle 0x1e0.
2020-06-30 13:21:55,109 [root] DEBUG: DLL loaded at 0x6D860000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-30 13:21:55,125 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6CC80000 for section view with handle 0x1e0.
2020-06-30 13:21:55,125 [root] DEBUG: DLL loaded at 0x6CC80000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-30 13:21:55,234 [root] DEBUG: set_caller_info: Adding region at 0x008B0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:21:55,234 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8bffff
2020-06-30 13:21:55,234 [root] DEBUG: DumpMemory: Nothing to dump at 0x008B0000!
2020-06-30 13:21:55,234 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008B0000 size 0x10000.
2020-06-30 13:21:55,234 [root] DEBUG: DumpPEsInRange: Scanning range 0x8b0000 - 0x8b1000.
2020-06-30 13:21:55,234 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8b0000-0x8b1000.
2020-06-30 13:21:55,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_143697040855131372020 (size 0x9c)
2020-06-30 13:21:55,312 [root] DEBUG: DumpRegion: Dumped stack region from 0x008B0000, size 0x1000.
2020-06-30 13:21:55,328 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-06-30 13:21:55,328 [root] DEBUG: set_caller_info: Adding region at 0x00290000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:21:55,328 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00290000.
2020-06-30 13:21:55,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1ec amd local view 0x6C7B0000 to global list.
2020-06-30 13:21:56,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x6CAE0000 to global list.
2020-06-30 13:21:56,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x00940000 to global list.
2020-06-30 13:21:56,296 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
2020-06-30 13:21:56,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x210 amd local view 0x008F0000 to global list.
2020-06-30 13:21:56,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:56,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x068D0000 for section view with handle 0x21c.
2020-06-30 13:21:56,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:57,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:57,265 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:57,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x068D0000 for section view with handle 0x21c.
2020-06-30 13:21:57,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:57,875 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:57,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:57,984 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:58,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:58,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x068D0000 for section view with handle 0x21c.
2020-06-30 13:21:58,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:58,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:58,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:21:58,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x068D0000 for section view with handle 0x21c.
2020-06-30 13:21:59,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:21:59,234 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x068D0000 for section view with handle 0x21c.
2020-06-30 13:21:59,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:21:59,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:59,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:21:59,671 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:59,734 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:21:59,765 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:21:59,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:00,062 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:00,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:22:00,203 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:00,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:00,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:00,453 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:00,484 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:00,515 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:01,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:02,031 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:02,046 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:02,249 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:02,296 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:02,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:02,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:03,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07E60000 for section view with handle 0x21c.
2020-06-30 13:22:03,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:06,468 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x070D0000 for section view with handle 0x21c.
2020-06-30 13:22:06,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:06,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x03EC0000 for section view with handle 0x21c.
2020-06-30 13:22:06,750 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:06,843 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x070D0000 for section view with handle 0x21c.
2020-06-30 13:22:06,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:07,000 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x064C0000 for section view with handle 0x21c.
2020-06-30 13:22:07,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:07,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06580000 for section view with handle 0x21c.
2020-06-30 13:22:07,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:07,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06580000 for section view with handle 0x21c.
2020-06-30 13:22:07,890 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:07,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08E30000 for section view with handle 0x21c.
2020-06-30 13:22:08,421 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:13,218 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x08E30000 for section view with handle 0x21c.
2020-06-30 13:22:13,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:15,500 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x070D0000 for section view with handle 0x21c.
2020-06-30 13:22:15,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:15,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x064C0000 for section view with handle 0x21c.
2020-06-30 13:22:15,687 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:15,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06580000 for section view with handle 0x21c.
2020-06-30 13:22:16,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:16,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x064C0000 for section view with handle 0x21c.
2020-06-30 13:22:16,328 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:16,781 [root] DEBUG: set_caller_info: Adding region at 0x008F0000 to caller regions list (kernel32::HeapCreate).
2020-06-30 13:22:16,796 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8fffff
2020-06-30 13:22:16,796 [root] DEBUG: DumpMemory: Nothing to dump at 0x008F0000!
2020-06-30 13:22:16,796 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008F0000 size 0x10000.
2020-06-30 13:22:16,796 [root] DEBUG: DumpPEsInRange: Scanning range 0x8f0000 - 0x8f1000.
2020-06-30 13:22:16,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8f0000-0x8f1000.
2020-06-30 13:22:16,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_19920723216231372020 (size 0xd3)
2020-06-30 13:22:16,828 [root] DEBUG: DumpRegion: Dumped stack region from 0x008F0000, size 0x1000.
2020-06-30 13:22:16,859 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70DD0000 for section view with handle 0x21c.
2020-06-30 13:22:16,859 [root] DEBUG: DLL loaded at 0x70DD0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-30 13:22:16,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00940000 for section view with handle 0x21c.
2020-06-30 13:22:17,000 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x03560000 to global list.
2020-06-30 13:22:17,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x230 amd local view 0x732B0000 to global list.
2020-06-30 13:22:17,140 [root] DEBUG: DLL loaded at 0x732B0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-30 13:22:17,156 [root] DEBUG: DLL unloaded from 0x732B0000.
2020-06-30 13:22:17,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x06580000 for section view with handle 0x230.
2020-06-30 13:22:17,312 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00950000 for section view with handle 0x230.
2020-06-30 13:22:27,437 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:22:27,453 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:22:27,625 [root] DEBUG: DLL loaded at 0x70C90000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 13:22:27,625 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x00DE0000 to global list.
2020-06-30 13:22:27,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00DF0000 for section view with handle 0x234.
2020-06-30 13:22:27,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00E00000 for section view with handle 0x234.
2020-06-30 13:22:27,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c amd local view 0x03790000 to global list.
2020-06-30 13:22:28,062 [root] DEBUG: DLL loaded at 0x732B0000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-30 13:22:28,093 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\bheWEoOklI.exe
2020-06-30 13:22:28,171 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp
2020-06-30 13:22:28,203 [root] DEBUG: DLL loaded at 0x72A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 13:22:28,218 [root] DEBUG: DLL loaded at 0x76930000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-30 13:22:28,218 [root] DEBUG: DLL loaded at 0x73690000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-30 13:22:28,234 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 13:22:28,296 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-30 13:22:28,312 [root] DEBUG: DLL loaded at 0x6C020000: C:\Windows\SysWOW64\ieframe (0xaba000 bytes).
2020-06-30 13:22:28,312 [root] DEBUG: DLL loaded at 0x75EF0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2020-06-30 13:22:28,312 [root] DEBUG: DLL loaded at 0x75F00000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2020-06-30 13:22:28,312 [root] DEBUG: DLL loaded at 0x76320000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2020-06-30 13:22:28,328 [root] DEBUG: DLL loaded at 0x73210000: C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-06-30 13:22:28,328 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2020-06-30 13:22:28,328 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2020-06-30 13:22:28,328 [root] DEBUG: DLL loaded at 0x75170000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2020-06-30 13:22:28,328 [root] DEBUG: DLL loaded at 0x74F50000: C:\Windows\syswow64\iertutil (0x215000 bytes).
2020-06-30 13:22:28,359 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-06-30 13:22:28,359 [root] DEBUG: DLL loaded at 0x75E60000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-30 13:22:28,375 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-06-30 13:22:28,390 [root] DEBUG: DLL loaded at 0x73F70000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-06-30 13:22:28,390 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-30 13:22:28,406 [root] DEBUG: DLL unloaded from 0x75180000.
2020-06-30 13:22:28,406 [root] DEBUG: DLL loaded at 0x76650000: C:\Windows\SysWOW64\urlmon (0x124000 bytes).
2020-06-30 13:22:28,406 [root] DEBUG: DLL loaded at 0x76330000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-06-30 13:22:28,421 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\syswow64\WININET (0x1c4000 bytes).
2020-06-30 13:22:28,421 [root] DEBUG: DLL loaded at 0x73200000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-06-30 13:22:28,468 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3952
2020-06-30 13:22:28,468 [lib.api.process] INFO: Monitor config for process 3952: C:\tmplodztmkc\dll\3952.ini
2020-06-30 13:22:28,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:28,515 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:28,531 [root] DEBUG: Loader: Injecting process 3952 (thread 3956) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,531 [root] DEBUG: Process image base: 0x00EE0000
2020-06-30 13:22:28,531 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:22:28,593 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,609 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3952
2020-06-30 13:22:28,656 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3952, ImageBase: 0x00EE0000
2020-06-30 13:22:28,656 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3952
2020-06-30 13:22:28,656 [lib.api.process] INFO: Monitor config for process 3952: C:\tmplodztmkc\dll\3952.ini
2020-06-30 13:22:28,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:28,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:28,687 [root] DEBUG: Loader: Injecting process 3952 (thread 3956) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,687 [root] DEBUG: Process image base: 0x00EE0000
2020-06-30 13:22:28,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,687 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:22:28,687 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:28,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3952
2020-06-30 13:22:28,718 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:22:28,765 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:22:28,781 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:22:28,781 [root] INFO: Disabling sleep skipping.
2020-06-30 13:22:28,781 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:22:28,781 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3952 at 0x6f360000, image base 0xee0000, stack from 0x266000-0x270000
2020-06-30 13:22:28,843 [root] INFO: Loaded monitor into process with pid 3952
2020-06-30 13:22:28,859 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-06-30 13:22:28,859 [root] DEBUG: DLL unloaded from 0x00EE0000.
2020-06-30 13:22:28,875 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 and local view 0x037A0000 to global list.
2020-06-30 13:22:28,875 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3952).
2020-06-30 13:22:28,890 [root] INFO: Stopping Task Scheduler Service
2020-06-30 13:22:29,109 [root] INFO: Stopped Task Scheduler Service
2020-06-30 13:22:29,171 [root] INFO: Starting Task Scheduler Service
2020-06-30 13:22:29,312 [root] INFO: Started Task Scheduler Service
2020-06-30 13:22:29,312 [lib.api.process] INFO: Monitor config for process 848: C:\tmplodztmkc\dll\848.ini
2020-06-30 13:22:29,328 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:22:29,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:29,359 [root] DEBUG: Loader: Injecting process 848 (thread 0) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:22:29,359 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 852, handle 0xa4
2020-06-30 13:22:29,375 [root] DEBUG: Process image base: 0x00000000FFAF0000
2020-06-30 13:22:29,375 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-06-30 13:22:29,375 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 13:22:29,390 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:22:29,390 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:22:29,406 [root] INFO: Disabling sleep skipping.
2020-06-30 13:22:29,406 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 848 at 0x0000000070B90000, image base 0x00000000FFAF0000, stack from 0x0000000001526000-0x0000000001530000
2020-06-30 13:22:29,406 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-30 13:22:29,468 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:22:29,484 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:22:29,500 [root] INFO: Loaded monitor into process with pid 848
2020-06-30 13:22:29,515 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:22:29,515 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:22:29,515 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:22:31,515 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-30 13:22:31,531 [root] DEBUG: DLL loaded at 0x73310000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-06-30 13:22:32,484 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3952
2020-06-30 13:22:32,500 [root] DEBUG: GetHookCallerBase: thread 3956 (handle 0x0), return address 0x00EF7569, allocation base 0x00EE0000.
2020-06-30 13:22:32,500 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00EE0000.
2020-06-30 13:22:32,500 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:22:32,500 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00EE0000.
2020-06-30 13:22:32,500 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-06-30 13:22:32,546 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2b400.
2020-06-30 13:22:32,562 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-06-30 13:22:32,562 [root] INFO: Process with pid 3952 has terminated
2020-06-30 13:22:32,640 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:32,640 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:32,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:32,671 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:32,671 [root] DEBUG: Loader: Injecting process 4216 (thread 3256) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,687 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:32,687 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:32,687 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:32,687 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:32,734 [root] DEBUG: CreateProcessHandler: Injection info set for new process 4216, ImageBase: 0x00F30000
2020-06-30 13:22:32,734 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:32,734 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:32,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:32,765 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:32,765 [root] DEBUG: Loader: Injecting process 4216 (thread 3256) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,781 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:32,781 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:32,781 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:32,781 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,781 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:32,796 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 4216 (ImageBase 0x400000)
2020-06-30 13:22:32,796 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:22:32,812 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x055885D0.
2020-06-30 13:22:32,875 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x46200.
2020-06-30 13:22:32,875 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x55885d0, SizeOfImage 0x4c000.
2020-06-30 13:22:32,890 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:32,890 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:32,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:32,906 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:32,921 [root] DEBUG: Loader: Injecting process 4216 (thread 0) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,921 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3256, handle 0xbc
2020-06-30 13:22:32,921 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:32,921 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:32,921 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:32,921 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,937 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:32,937 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-30 13:22:32,937 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:32,937 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:32,953 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:32,968 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:32,984 [root] DEBUG: Loader: Injecting process 4216 (thread 0) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:32,984 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3256, handle 0xbc
2020-06-30 13:22:32,984 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:32,984 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:32,984 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:32,984 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,000 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:33,000 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04805B88 (size 0x400) injected into process 4216.
2020-06-30 13:22:33,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_06431372020 (size 0x2e0)
2020-06-30 13:22:33,046 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:22:33,046 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:33,046 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:33,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:33,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:33,078 [root] DEBUG: Loader: Injecting process 4216 (thread 0) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,078 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3256, handle 0xbc
2020-06-30 13:22:33,078 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:33,078 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:33,093 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:33,093 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,093 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:33,093 [root] DEBUG: WriteMemoryHandler: shellcode at 0x04805F94 (size 0x200) injected into process 4216.
2020-06-30 13:22:33,140 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\3548_6976378656431372020 (size 0x9)
2020-06-30 13:22:33,140 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 13:22:33,140 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:33,140 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:33,156 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:33,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:33,171 [root] DEBUG: Loader: Injecting process 4216 (thread 0) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,171 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3256, handle 0xbc
2020-06-30 13:22:33,171 [root] DEBUG: Process image base: 0x00F30000
2020-06-30 13:22:33,171 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:33,187 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:33,187 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,187 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:33,187 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:33,187 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:33,203 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:33,218 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:33,218 [root] DEBUG: Loader: Injecting process 4216 (thread 0) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,234 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 3256, handle 0xbc
2020-06-30 13:22:33,234 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:22:33,234 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:33,234 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:33,234 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,249 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:33,249 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000478EE (process 4216).
2020-06-30 13:22:33,249 [root] INFO: Announced 32-bit process name: 2020060308611765434567.exe pid: 4216
2020-06-30 13:22:33,249 [lib.api.process] INFO: Monitor config for process 4216: C:\tmplodztmkc\dll\4216.ini
2020-06-30 13:22:33,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplodztmkc\dll\DVBISmfR.dll, loader C:\tmplodztmkc\bin\PdIeTxP.exe
2020-06-30 13:22:33,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:33,281 [root] DEBUG: Loader: Injecting process 4216 (thread 3256) with C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,296 [root] DEBUG: Process image base: 0x00400000
2020-06-30 13:22:33,296 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 13:22:33,296 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 13:22:33,296 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\DVBISmfR.dll.
2020-06-30 13:22:33,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4216
2020-06-30 13:22:33,312 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:22:33,578 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3548
2020-06-30 13:22:33,593 [root] INFO: Disabling sleep skipping.
2020-06-30 13:22:33,593 [root] DEBUG: GetHookCallerBase: thread 3136 (handle 0x0), return address 0x008B2F24, allocation base 0x008B0000.
2020-06-30 13:22:33,593 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00F30000.
2020-06-30 13:22:33,609 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 4216 at 0x6f360000, image base 0x400000, stack from 0x1d6000-0x1e0000
2020-06-30 13:22:33,609 [root] DEBUG: LooksLikeSectionBoundary: Exception occurred reading around suspected boundary at 0x00F32000
2020-06-30 13:22:33,609 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"{path}".
2020-06-30 13:22:33,640 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:22:33,656 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00F30000.
2020-06-30 13:22:33,656 [root] INFO: Loaded monitor into process with pid 4216
2020-06-30 13:22:33,656 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:33,687 [root] DEBUG: set_caller_info: Adding region at 0x023E0000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 13:22:33,703 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 13:22:33,703 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00F30000, dumping memory region.
2020-06-30 13:22:33,765 [root] DEBUG: DumpMemory: Exception occurred reading memory address 0x23e0000
2020-06-30 13:22:33,781 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:33,781 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x023E0000 size 0x400000.
2020-06-30 13:22:33,781 [root] DEBUG: DLL unloaded from 0x72A50000.
2020-06-30 13:22:33,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x23e0000 - 0x23e1000.
2020-06-30 13:22:33,796 [root] DEBUG: DLL unloaded from 0x76AB0000.
2020-06-30 13:22:33,796 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x23e0000-0x23e1000.
2020-06-30 13:22:33,812 [root] DEBUG: DLL unloaded from 0x73F70000.
2020-06-30 13:22:33,812 [root] DEBUG: DLL unloaded from 0x6EDA0000.
2020-06-30 13:22:33,812 [root] DEBUG: DLL unloaded from 0x729C0000.
2020-06-30 13:22:33,812 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3548
2020-06-30 13:22:33,812 [root] DEBUG: GetHookCallerBase: thread 3136 (handle 0x0), return address 0x008B2F24, allocation base 0x008B0000.
2020-06-30 13:22:33,812 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00F30000.
2020-06-30 13:22:33,828 [root] DEBUG: LooksLikeSectionBoundary: Exception occurred reading around suspected boundary at 0x00F32000
2020-06-30 13:22:33,828 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 13:22:33,828 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00F30000.
2020-06-30 13:22:33,890 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 13:22:33,890 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00F30000, dumping memory region.
2020-06-30 13:22:33,906 [root] INFO: Process with pid 3548 has terminated
2020-06-30 13:22:33,968 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_95690995633231372020 (size 0x597)
2020-06-30 13:22:33,968 [root] DEBUG: DumpRegion: Dumped stack region from 0x023E0000, size 0x1000.
2020-06-30 13:22:34,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_88494512033231372020 (size 0x12b)
2020-06-30 13:22:34,125 [root] DEBUG: DumpRegion: Dumped stack region from 0x00090000, size 0x1000.
2020-06-30 13:22:34,140 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,140 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,140 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,140 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,156 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,156 [root] DEBUG: DLL unloaded from 0x007B0000.
2020-06-30 13:22:34,171 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:34,234 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_64916979034231372020 (size 0x12b)
2020-06-30 13:22:34,249 [root] DEBUG: DumpRegion: Dumped stack region from 0x000A0000, size 0x1000.
2020-06-30 13:22:34,249 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,265 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,265 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,265 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,265 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,281 [root] DEBUG: DLL unloaded from 0x007B0000.
2020-06-30 13:22:34,312 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:34,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_10558160834231372020 (size 0x12b)
2020-06-30 13:22:34,375 [root] DEBUG: DumpRegion: Dumped stack region from 0x000C0000, size 0x1000.
2020-06-30 13:22:34,437 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,437 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,531 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,546 [root] DEBUG: set_caller_info: Adding region at 0x000D0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:34,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_189553029234231372020 (size 0x12b)
2020-06-30 13:22:34,765 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,765 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,781 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,781 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,796 [root] DEBUG: set_caller_info: Adding region at 0x001E0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:34,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_33486549634231372020 (size 0x12b)
2020-06-30 13:22:34,828 [root] DEBUG: DumpRegion: Dumped stack region from 0x001E0000, size 0x1000.
2020-06-30 13:22:34,828 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,828 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,843 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,843 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,843 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,843 [root] DEBUG: DLL unloaded from 0x007B0000.
2020-06-30 13:22:34,859 [root] DEBUG: set_caller_info: Adding region at 0x001F0000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 13:22:34,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_68999995434231372020 (size 0x12b)
2020-06-30 13:22:34,906 [root] DEBUG: DumpRegion: Dumped stack region from 0x001F0000, size 0x1000.
2020-06-30 13:22:34,921 [root] DEBUG: DLL loaded at 0x007B0000: C:\tmplodztmkc\dll\DVBISmfR (0xd5000 bytes).
2020-06-30 13:22:34,921 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,921 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,921 [root] DEBUG: DLL unloaded from 0x731E0000.
2020-06-30 13:22:34,937 [root] DEBUG: DLL unloaded from 0x763D0000.
2020-06-30 13:22:34,937 [root] DEBUG: DLL unloaded from 0x007B0000.
2020-06-30 13:22:34,953 [root] DEBUG: set_caller_info: Adding region at 0x000E0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 13:22:34,953 [root] DEBUG: set_caller_info: Failed to dump calling PE image at 0x000E0000.
2020-06-30 13:22:34,953 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 13:22:34,984 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x63ffff
2020-06-30 13:22:34,984 [root] DEBUG: DumpMemory: Nothing to dump at 0x00540000!
2020-06-30 13:22:34,984 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00540000 size 0x100000.
2020-06-30 13:22:34,984 [root] DEBUG: DumpPEsInRange: Scanning range 0x540000 - 0x576000.
2020-06-30 13:22:34,984 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x540000-0x576000.
2020-06-30 13:22:35,062 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_120210089634231372020 (size 0x35ffe)
2020-06-30 13:22:35,078 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc and local view 0x729C0000 to global list.
2020-06-30 13:22:35,078 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 13:22:35,078 [root] DEBUG: DLL unloaded from 0x74A80000.
2020-06-30 13:22:35,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xec and local view 0x00450000 to global list.
2020-06-30 13:22:35,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 and local view 0x00450000 to global list.
2020-06-30 13:22:35,109 [root] DEBUG: DLL loaded at 0x73390000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 13:22:35,140 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x705D0000 for section view with handle 0xe8.
2020-06-30 13:22:35,140 [root] DEBUG: DLL loaded at 0x705D0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5b1000 bytes).
2020-06-30 13:22:35,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72AB0000 for section view with handle 0xec.
2020-06-30 13:22:35,156 [root] DEBUG: DLL loaded at 0x72AB0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80 (0x9b000 bytes).
2020-06-30 13:22:35,187 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4216, handle 0xf8.
2020-06-30 13:22:35,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 and local view 0x002D0000 to global list.
2020-06-30 13:22:35,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc and local view 0x002E0000 to global list.
2020-06-30 13:22:35,203 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:22:35,203 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\syswow64\shell32 (0xc4c000 bytes).
2020-06-30 13:22:35,218 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 13:22:35,234 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:22:35,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b8 and local view 0x6E860000 to global list.
2020-06-30 13:22:35,265 [root] DEBUG: DLL loaded at 0x6E860000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni (0xafe000 bytes).
2020-06-30 13:22:35,312 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-06-30 13:22:35,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 and local view 0x00480000 to global list.
2020-06-30 13:22:35,328 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc and local view 0x007B0000 to global list.
2020-06-30 13:22:35,343 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72A50000 for section view with handle 0x1bc.
2020-06-30 13:22:35,343 [root] DEBUG: DLL loaded at 0x72A50000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-06-30 13:22:35,421 [root] DEBUG: set_caller_info: Adding region at 0x00900000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 13:22:35,437 [root] DEBUG: ScanForNonZero: Exception occurred reading memory address 0x90ffff
2020-06-30 13:22:35,437 [root] DEBUG: DumpMemory: Nothing to dump at 0x00900000!
2020-06-30 13:22:35,437 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00900000 size 0x10000.
2020-06-30 13:22:35,453 [root] DEBUG: DumpPEsInRange: Scanning range 0x900000 - 0x90e000.
2020-06-30 13:22:35,453 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x900000-0x90e000.
2020-06-30 13:22:35,484 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_188119092135231372020 (size 0xd28a)
2020-06-30 13:22:35,500 [root] DEBUG: DumpRegion: Dumped stack region from 0x00900000, size 0xe000.
2020-06-30 13:22:35,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1dc and local view 0x6FE20000 to global list.
2020-06-30 13:22:35,562 [root] DEBUG: DLL loaded at 0x6FE20000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\0a65164b17e5c64bacdc694ea2439c43\System.ni (0x7a5000 bytes).
2020-06-30 13:22:35,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x70DE0000 for section view with handle 0x1dc.
2020-06-30 13:22:35,578 [root] DEBUG: DLL loaded at 0x70DE0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\175df210b784212def386595c25caefb\System.Drawing.ni (0x189000 bytes).
2020-06-30 13:22:35,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6DC80000 for section view with handle 0x1dc.
2020-06-30 13:22:35,593 [root] DEBUG: DLL loaded at 0x6DC80000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\5669120680b52abf616f3876387ca2cc\System.Windows.Forms.ni (0xbdf000 bytes).
2020-06-30 13:22:35,609 [root] DEBUG: set_caller_info: Adding region at 0x00340000 to caller regions list (ntdll::memcpy).
2020-06-30 13:22:35,609 [root] DEBUG: set_caller_info: Failed to dump calling PE image at 0x00340000.
2020-06-30 13:22:35,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x004D0000 for section view with handle 0x1dc.
2020-06-30 13:22:35,640 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1e4 and local view 0x00640000 to global list.
2020-06-30 13:22:35,640 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 13:22:35,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f8 and local view 0x6FC80000 to global list.
2020-06-30 13:22:35,703 [root] DEBUG: DLL loaded at 0x6FC80000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-06-30 13:22:46,781 [root] DEBUG: DLL loaded at 0x74130000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 13:22:46,796 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 13:22:46,828 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 13:22:46,843 [root] DEBUG: DLL loaded at 0x75DD0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-06-30 13:22:46,843 [root] DEBUG: DLL loaded at 0x76930000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-30 13:22:46,875 [root] DEBUG: DLL loaded at 0x70DA0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-06-30 13:22:46,890 [root] DEBUG: DLL loaded at 0x70D40000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-06-30 13:22:46,906 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-06-30 13:22:46,906 [root] DEBUG: DLL loaded at 0x76780000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-30 13:22:46,921 [root] INFO: Stopping WMI Service
2020-06-30 13:22:46,984 [root] DEBUG: set_caller_info: Adding region at 0x000007FEEF9B0000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:22:47,000 [root] DEBUG: set_caller_info: Calling region at 0x000007FEEF9B0000 skipped.
2020-06-30 13:22:47,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xecc amd local view 0x0000000006DF0000 to global list.
2020-06-30 13:22:47,203 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4D80000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-30 13:22:47,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x11cc amd local view 0x00000000071E0000 to global list.
2020-06-30 13:22:47,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1114 amd local view 0x0000000000CF0000 to global list.
2020-06-30 13:22:47,312 [root] DEBUG: DLL unloaded from 0x000007FEF6500000.
2020-06-30 13:22:47,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf30 amd local view 0x0000000000CF0000 to global list.
2020-06-30 13:22:47,343 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4D80000 skipped.
2020-06-30 13:22:47,343 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x9e8 amd local view 0x00000000010F0000 to global list.
2020-06-30 13:22:47,359 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000CF0000 for section view with handle 0x9e8.
2020-06-30 13:22:47,421 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5780000 to caller regions list (ntdll::NtCreateEvent).
2020-06-30 13:22:47,421 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5780000 skipped.
2020-06-30 13:22:47,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4400000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:22:47,437 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4400000 skipped.
2020-06-30 13:22:47,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5430000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:22:47,437 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5430000 skipped.
2020-06-30 13:22:47,484 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF61E0000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:22:47,500 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF61E0000 skipped.
2020-06-30 13:22:49,890 [root] DEBUG: DLL unloaded from 0x000007FEF6140000.
2020-06-30 13:22:49,921 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF5920000 to caller regions list (ntdll::NtClose).
2020-06-30 13:22:49,921 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF5920000 skipped.
2020-06-30 13:22:50,156 [root] INFO: Added new file to list with pid None and path C:\Windows\Temp\fwtsqmfile01.sqm
2020-06-30 13:22:52,484 [root] DEBUG: DLL unloaded from 0x000007FEF6500000.
2020-06-30 13:22:52,484 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6570000 to caller regions list (ole32::CoCreateInstance).
2020-06-30 13:22:52,578 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF6570000 skipped.
2020-06-30 13:22:52,609 [root] DEBUG: DLL unloaded from 0x000007FEF64E0000.
2020-06-30 13:22:52,796 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4550000 to caller regions list (ntdll::LdrGetDllHandle).
2020-06-30 13:22:52,796 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4550000 skipped.
2020-06-30 13:22:52,812 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9F10000 to caller regions list (msvcrt::memcpy).
2020-06-30 13:22:52,828 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF9F10000 skipped.
2020-06-30 13:22:52,875 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4490000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-06-30 13:22:52,875 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF4490000 skipped.
2020-06-30 13:22:52,937 [root] DEBUG: DLL unloaded from 0x000007FEF5780000.
2020-06-30 13:22:52,937 [root] DEBUG: DLL unloaded from 0x000007FEFA190000.
2020-06-30 13:22:52,953 [root] DEBUG: DLL unloaded from 0x000007FEF9F10000.
2020-06-30 13:22:52,953 [root] DEBUG: DLL unloaded from 0x000007FEF5430000.
2020-06-30 13:22:52,968 [root] DEBUG: DLL unloaded from 0x000007FEF4400000.
2020-06-30 13:22:52,968 [root] DEBUG: DLL unloaded from 0x000007FEF54A0000.
2020-06-30 13:22:52,984 [root] DEBUG: DLL unloaded from 0x000007FEF5920000.
2020-06-30 13:22:53,000 [root] DEBUG: DLL unloaded from 0x000007FEF6500000.
2020-06-30 13:22:55,000 [root] INFO: Stopped WMI Service
2020-06-30 13:22:55,062 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc04 amd local view 0x0000000004920000 to global list.
2020-06-30 13:22:55,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x738 amd local view 0x0000000000C50000 to global list.
2020-06-30 13:22:55,156 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C60000 for section view with handle 0x738.
2020-06-30 13:22:55,171 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0x738.
2020-06-30 13:22:55,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C60000 for section view with handle 0x738.
2020-06-30 13:22:55,187 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0x738.
2020-06-30 13:22:55,343 [lib.api.process] INFO: Monitor config for process 592: C:\tmplodztmkc\dll\592.ini
2020-06-30 13:22:55,359 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:22:55,390 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:55,390 [root] DEBUG: Loader: Injecting process 592 (thread 0) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:22:55,390 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:22:55,390 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:22:55,406 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:22:55,421 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:22:55,421 [root] INFO: Disabling sleep skipping.
2020-06-30 13:22:55,421 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 592 at 0x0000000070B90000, image base 0x00000000FFAF0000, stack from 0x0000000001896000-0x00000000018A0000
2020-06-30 13:22:55,437 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-06-30 13:22:55,484 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:22:55,500 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:22:55,515 [root] INFO: Loaded monitor into process with pid 592
2020-06-30 13:22:55,515 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:22:55,531 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:22:55,531 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:22:57,531 [root] INFO: Starting WMI Service
2020-06-30 13:22:57,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000CF0000 for section view with handle 0x738.
2020-06-30 13:22:58,000 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4864, handle 0x4d8.
2020-06-30 13:22:58,062 [root] INFO: Started WMI Service
2020-06-30 13:22:58,078 [lib.api.process] INFO: Monitor config for process 4864: C:\tmplodztmkc\dll\4864.ini
2020-06-30 13:22:58,078 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:22:58,093 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:22:58,093 [root] DEBUG: Loader: Injecting process 4864 (thread 0) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:22:58,093 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:22:58,109 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:22:58,125 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:22:58,125 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:22:58,125 [root] INFO: Disabling sleep skipping.
2020-06-30 13:22:58,140 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 4864 at 0x0000000070B90000, image base 0x00000000FFAF0000, stack from 0x00000000013B6000-0x00000000013C0000
2020-06-30 13:22:58,140 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-06-30 13:22:58,203 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:22:58,203 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:22:58,218 [root] INFO: Loaded monitor into process with pid 4864
2020-06-30 13:22:58,218 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:22:58,234 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:22:58,234 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:00,249 [root] DEBUG: DLL loaded at 0x732B0000: C:\Windows\system32\wbem\wbemprox (0xb000 bytes).
2020-06-30 13:23:00,281 [root] DEBUG: DLL loaded at 0x70CD0000: C:\Windows\system32\wbemcomn2 (0x61000 bytes).
2020-06-30 13:23:00,296 [root] DEBUG: DLL loaded at 0x73200000: C:\Windows\system32\wbem\wmiutils (0x1a000 bytes).
2020-06-30 13:23:00,375 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a4 amd local view 0x06700000 to global list.
2020-06-30 13:23:00,437 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2a8 amd local view 0x6F930000 to global list.
2020-06-30 13:23:00,437 [root] DEBUG: DLL loaded at 0x6F930000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni (0x106000 bytes).
2020-06-30 13:23:00,453 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:23:00,562 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:23:00,593 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x2f4 amd local view 0x70CB0000 to global list.
2020-06-30 13:23:00,609 [root] DEBUG: DLL loaded at 0x70CB0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x1e000 bytes).
2020-06-30 13:23:00,625 [root] DEBUG: set_caller_info: Adding region at 0x00770000 to caller regions list (ole32::CoCreateInstance).
2020-06-30 13:23:00,640 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x77ffff
2020-06-30 13:23:00,640 [root] DEBUG: DumpMemory: Nothing to dump at 0x00770000!
2020-06-30 13:23:00,640 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00770000 size 0x10000.
2020-06-30 13:23:00,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x770000 - 0x773000.
2020-06-30 13:23:00,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x770000-0x773000.
2020-06-30 13:23:00,968 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_20740593280531372020 (size 0x2164)
2020-06-30 13:23:00,968 [root] DEBUG: DumpRegion: Dumped stack region from 0x00770000, size 0x3000.
2020-06-30 13:23:01,062 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:23:08,093 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6BA0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-30 13:23:08,109 [root] DEBUG: set_caller_info: Calling region at 0x000007FEF6BA0000 skipped.
2020-06-30 13:23:14,125 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:23:14,125 [root] DEBUG: set_caller_info: Adding region at 0x00780000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-06-30 13:23:14,125 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x78ffff
2020-06-30 13:23:14,140 [root] DEBUG: DumpMemory: Nothing to dump at 0x00780000!
2020-06-30 13:23:14,140 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00780000 size 0x10000.
2020-06-30 13:23:14,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x780000 - 0x781000.
2020-06-30 13:23:14,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x780000-0x781000.
2020-06-30 13:23:14,171 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_117077478841031372020 (size 0x235)
2020-06-30 13:23:14,171 [root] DEBUG: DumpRegion: Dumped stack region from 0x00780000, size 0x1000.
2020-06-30 13:23:14,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x35c amd local view 0x00790000 to global list.
2020-06-30 13:23:14,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x358 amd local view 0x00790000 to global list.
2020-06-30 13:23:22,218 [root] DEBUG: set_caller_info: Adding region at 0x008F0000 to caller regions list (kernel32::SetErrorMode).
2020-06-30 13:23:22,234 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8fffff
2020-06-30 13:23:22,234 [root] DEBUG: DumpMemory: Nothing to dump at 0x008F0000!
2020-06-30 13:23:22,234 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008F0000 size 0x10000.
2020-06-30 13:23:22,234 [root] DEBUG: DumpPEsInRange: Scanning range 0x8f0000 - 0x8f4000.
2020-06-30 13:23:22,234 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8f0000-0x8f4000.
2020-06-30 13:23:22,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_886988118521131372020 (size 0x36be)
2020-06-30 13:23:22,296 [root] DEBUG: DumpRegion: Dumped stack region from 0x008F0000, size 0x4000.
2020-06-30 13:23:22,296 [root] DEBUG: DLL loaded at 0x731F0000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-06-30 13:23:22,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x72A40000 for section view with handle 0x358.
2020-06-30 13:23:22,593 [root] DEBUG: DLL loaded at 0x72A40000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-06-30 13:23:22,609 [root] DEBUG: DLL unloaded from 0x72A40000.
2020-06-30 13:23:22,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x007C0000 for section view with handle 0x358.
2020-06-30 13:23:22,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x6D740000 to global list.
2020-06-30 13:23:22,656 [root] DEBUG: DLL loaded at 0x6D740000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni (0x53b000 bytes).
2020-06-30 13:23:22,734 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\sxs (0x5f000 bytes).
2020-06-30 13:23:22,765 [root] DEBUG: DLL loaded at 0x6F900000: C:\Windows\SysWOW64\wshom.ocx (0x21000 bytes).
2020-06-30 13:23:22,765 [root] DEBUG: DLL loaded at 0x70C90000: C:\Windows\SysWOW64\MPR (0x12000 bytes).
2020-06-30 13:23:22,781 [root] DEBUG: DLL loaded at 0x6F8D0000: C:\Windows\SysWOW64\ScrRun (0x2a000 bytes).
2020-06-30 13:23:22,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x380 amd local view 0x00790000 to global list.
2020-06-30 13:23:23,031 [root] DEBUG: set_caller_info: Adding region at 0x03810000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-06-30 13:23:23,046 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x381ffff
2020-06-30 13:23:23,062 [root] DEBUG: DumpMemory: Nothing to dump at 0x03810000!
2020-06-30 13:23:23,062 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03810000 size 0x10000.
2020-06-30 13:23:23,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x3810000 - 0x3817000.
2020-06-30 13:23:23,062 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3810000-0x3817000.
2020-06-30 13:23:23,093 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_1134897436531131372020 (size 0x6b63)
2020-06-30 13:23:23,093 [root] DEBUG: DumpRegion: Dumped stack region from 0x03810000, size 0x7000.
2020-06-30 13:23:23,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x370 amd local view 0x00860000 to global list.
2020-06-30 13:23:23,437 [root] DEBUG: DLL loaded at 0x72A40000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-06-30 13:23:23,453 [root] DEBUG: DLL unloaded from 0x76560000.
2020-06-30 13:23:23,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x730 amd local view 0x0000000004920000 to global list.
2020-06-30 13:23:23,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x83c amd local view 0x0000000000C50000 to global list.
2020-06-30 13:23:23,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C60000 for section view with handle 0x83c.
2020-06-30 13:23:23,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0x83c.
2020-06-30 13:23:23,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C60000 for section view with handle 0x83c.
2020-06-30 13:23:23,656 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0x83c.
2020-06-30 13:23:23,968 [root] INFO: Announced starting service "b'VaultSvc'"
2020-06-30 13:23:23,984 [lib.api.process] INFO: Monitor config for process 472: C:\tmplodztmkc\dll\472.ini
2020-06-30 13:23:23,984 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:23:24,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:23:24,000 [root] DEBUG: Loader: Injecting process 472 (thread 0) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:24,015 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-06-30 13:23:24,015 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-06-30 13:23:24,031 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:23:24,031 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:23:24,046 [root] INFO: Disabling sleep skipping.
2020-06-30 13:23:24,046 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 472 at 0x0000000070B90000, image base 0x00000000FF540000, stack from 0x0000000000F36000-0x0000000000F40000
2020-06-30 13:23:24,046 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-06-30 13:23:24,125 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:23:24,125 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:23:24,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:23:24,156 [root] INFO: Loaded monitor into process with pid 472
2020-06-30 13:23:24,156 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 13:23:24,156 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 13:23:24,156 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,203 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2720
2020-06-30 13:23:25,203 [lib.api.process] INFO: Monitor config for process 2720: C:\tmplodztmkc\dll\2720.ini
2020-06-30 13:23:25,218 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:23:25,234 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:23:25,249 [root] DEBUG: Loader: Injecting process 2720 (thread 1692) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,249 [root] DEBUG: Process image base: 0x00000000FFA50000
2020-06-30 13:23:25,249 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,249 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:23:25,265 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,265 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2720
2020-06-30 13:23:25,265 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\lsass.exe.
2020-06-30 13:23:25,265 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2720, ImageBase: 0x00000000FFA50000
2020-06-30 13:23:25,281 [root] INFO: Announced 64-bit process name: lsass.exe pid: 2720
2020-06-30 13:23:25,281 [lib.api.process] INFO: Monitor config for process 2720: C:\tmplodztmkc\dll\2720.ini
2020-06-30 13:23:25,281 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:23:25,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:23:25,312 [root] DEBUG: Loader: Injecting process 2720 (thread 1692) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,312 [root] DEBUG: Process image base: 0x00000000FFA50000
2020-06-30 13:23:25,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,312 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:23:25,312 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:23:25,328 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2720
2020-06-30 13:23:25,328 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2720.
2020-06-30 13:23:25,390 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:23:25,437 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:23:25,453 [root] INFO: Disabling sleep skipping.
2020-06-30 13:23:25,453 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:23:25,453 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 2720 at 0x0000000070B90000, image base 0x00000000FFA50000, stack from 0x0000000000114000-0x0000000000120000
2020-06-30 13:23:25,453 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-06-30 13:23:25,515 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:23:25,515 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:23:25,531 [root] INFO: Loaded monitor into process with pid 2720
2020-06-30 13:23:28,078 [root] DEBUG: DLL loaded at 0x000007FEF6570000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-06-30 13:23:28,078 [root] DEBUG: DLL loaded at 0x000007FEFAA30000: C:\Windows\system32\ATL (0x19000 bytes).
2020-06-30 13:23:28,093 [root] DEBUG: DLL loaded at 0x000007FEF64E0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-06-30 13:23:28,140 [root] DEBUG: DLL loaded at 0x000007FEFA150000: C:\Windows\system32\samcli (0x14000 bytes).
2020-06-30 13:23:28,156 [root] DEBUG: DLL loaded at 0x000007FEFB1C0000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-06-30 13:23:28,203 [root] DEBUG: DLL loaded at 0x000007FEFB1F0000: C:\Windows\system32\netutils (0xc000 bytes).
2020-06-30 13:23:28,234 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1dc amd local view 0x0000000002A10000 to global list.
2020-06-30 13:23:28,234 [root] DEBUG: DLL unloaded from 0x000007FEF64E0000.
2020-06-30 13:23:57,796 [root] INFO: Process with pid 2720 has terminated
2020-06-30 13:23:57,953 [root] DEBUG: set_caller_info: Adding region at 0x008D0000 to caller regions list (shell32::SHGetFolderPathW).
2020-06-30 13:23:57,953 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x8dffff
2020-06-30 13:23:57,953 [root] DEBUG: DumpMemory: Nothing to dump at 0x008D0000!
2020-06-30 13:24:02,906 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x008D0000 size 0x10000.
2020-06-30 13:24:02,921 [root] DEBUG: DLL unloaded from 0x000007FEFD7A0000.
2020-06-30 13:24:08,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\HfrpzXFC\CAPE\4216_140214001582231372020 (size 0x5da)
2020-06-30 13:24:14,921 [root] DEBUG: DumpRegion: Dumped stack region from 0x008D0000, size 0x1000.
2020-06-30 13:24:21,812 [root] INFO: Added new file to list with pid None and path C:\Windows\System32\drivers\etc\hosts
2020-06-30 13:25:03,125 [root] INFO: Announced 64-bit process name: taskeng.exe pid: 3304
2020-06-30 13:25:03,140 [lib.api.process] INFO: Monitor config for process 3304: C:\tmplodztmkc\dll\3304.ini
2020-06-30 13:25:03,156 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:25:03,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:25:03,312 [root] DEBUG: Loader: Injecting process 3304 (thread 3296) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,328 [root] DEBUG: Process image base: 0x00000000FFDE0000
2020-06-30 13:25:03,359 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,375 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:25:03,375 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,390 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3304
2020-06-30 13:25:03,390 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3304, ImageBase: 0x00000000FFDE0000
2020-06-30 13:25:03,390 [root] INFO: Announced 64-bit process name: taskeng.exe pid: 3304
2020-06-30 13:25:03,406 [lib.api.process] INFO: Monitor config for process 3304: C:\tmplodztmkc\dll\3304.ini
2020-06-30 13:25:03,406 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:25:03,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:25:03,421 [root] DEBUG: Loader: Injecting process 3304 (thread 3296) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,453 [root] DEBUG: Process image base: 0x00000000FFDE0000
2020-06-30 13:25:03,468 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,515 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:25:03,515 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:03,531 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3304
2020-06-30 13:25:03,562 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:25:03,578 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:25:03,578 [root] INFO: Disabling sleep skipping.
2020-06-30 13:25:03,593 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:25:03,593 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3304 at 0x0000000070B90000, image base 0x00000000FFDE0000, stack from 0x0000000000116000-0x0000000000120000
2020-06-30 13:25:03,593 [root] DEBUG: Commandline: C:\Windows\sysnative\taskeng.exe {7762BC04-2AA3-4ED8-B18D-44D77D69EFB2} S-1-5-21-1339698970-4093829097-1161395185-1000:Louise-PC\Louise:Interactive:[1].
2020-06-30 13:25:03,640 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:25:03,640 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:25:03,656 [root] INFO: Loaded monitor into process with pid 3304
2020-06-30 13:25:03,921 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2020-06-30 13:25:03,937 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3304).
2020-06-30 13:25:03,984 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3304, handle 0x5b4.
2020-06-30 13:25:04,000 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2020-06-30 13:25:04,015 [root] DEBUG: DLL loaded at 0x000007FEFC0B0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-06-30 13:25:04,187 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2020-06-30 13:25:04,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x14c amd local view 0x0000000000190000 to global list.
2020-06-30 13:25:04,437 [root] DEBUG: DLL loaded at 0x000007FEFEE80000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2020-06-30 13:25:04,453 [root] DEBUG: DLL loaded at 0x000007FEF9FE0000: C:\Windows\system32\tschannel (0x9000 bytes).
2020-06-30 13:25:04,656 [root] INFO: Announced 64-bit process name: taskeng.exe pid: 3164
2020-06-30 13:25:04,656 [lib.api.process] INFO: Monitor config for process 3164: C:\tmplodztmkc\dll\3164.ini
2020-06-30 13:25:04,656 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:25:04,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:25:04,718 [root] DEBUG: Loader: Injecting process 3164 (thread 3268) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:04,734 [root] DEBUG: Process image base: 0x00000000FFDE0000
2020-06-30 13:25:04,734 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:04,734 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 13:25:04,734 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:04,750 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3164
2020-06-30 13:25:04,796 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3164, ImageBase: 0x00000000FFDE0000
2020-06-30 13:25:04,812 [root] INFO: Announced 64-bit process name: taskeng.exe pid: 3164
2020-06-30 13:25:04,812 [lib.api.process] INFO: Monitor config for process 3164: C:\tmplodztmkc\dll\3164.ini
2020-06-30 13:25:04,812 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmplodztmkc\dll\jQzuEaWx.dll, loader C:\tmplodztmkc\bin\uyobsSaD.exe
2020-06-30 13:25:04,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dCwIvQubGq.
2020-06-30 13:25:04,875 [root] DEBUG: Loader: Injecting process 3164 (thread 3268) with C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:04,875 [root] DEBUG: Process image base: 0x00000000FFDE0000
2020-06-30 13:25:04,875 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:04,921 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 13:25:04,921 [root] DEBUG: Successfully injected DLL C:\tmplodztmkc\dll\jQzuEaWx.dll.
2020-06-30 13:25:05,015 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3164
2020-06-30 13:25:05,062 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 13:25:05,062 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 13:25:05,093 [root] INFO: Disabling sleep skipping.
2020-06-30 13:25:05,093 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 13:25:05,093 [root] DEBUG: CAPE initialised: 64-bit monitor loaded in process 3164 at 0x0000000070B90000, image base 0x00000000FFDE0000, stack from 0x00000000000C6000-0x00000000000D0000
2020-06-30 13:25:05,125 [root] DEBUG: Commandline: C:\Windows\sysnative\taskeng.exe {8953FA73-45C1-47AA-A38D-D1B39E19EAA5} S-1-5-21-1339698970-4093829097-1161395185-1000:Louise-PC\Louise:Interactive:[1].
2020-06-30 13:25:05,171 [root] WARNING: b'Unable to place hook on LockResource'
2020-06-30 13:25:05,187 [root] WARNING: b'Unable to hook LockResource'
2020-06-30 13:25:05,203 [root] INFO: Loaded monitor into process with pid 3164
2020-06-30 13:25:05,234 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2020-06-30 13:25:05,234 [root] DEBUG: ResumeThreadHandler: CurrentInjectionInfo 0x0 (Pid 3164).
2020-06-30 13:25:05,249 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3164, handle 0x5b4.
2020-06-30 13:25:05,265 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2020-06-30 13:25:05,281 [root] DEBUG: DLL loaded at 0x000007FEFC0B0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-06-30 13:25:05,390 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2020-06-30 13:25:05,500 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x150 amd local view 0x0000000000290000 to global list.
2020-06-30 13:25:05,515 [root] DEBUG: DLL loaded at 0x000007FEFEE80000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2020-06-30 13:25:05,546 [root] DEBUG: DLL loaded at 0x000007FEF9FE0000: C:\Windows\system32\tschannel (0x9000 bytes).
2020-06-30 13:25:07,125 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2148, handle 0x5f4.
2020-06-30 13:25:14,500 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 13:25:14,500 [lib.api.process] INFO: Terminate event set for process 848
2020-06-30 13:25:14,500 [root] DEBUG: Terminate Event: Attempting to dump process 848
2020-06-30 13:25:14,546 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFAF0000.
2020-06-30 13:25:14,609 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:25:14,640 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFAF0000.
2020-06-30 13:25:15,156 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x71200.
2020-06-30 13:25:15,234 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 13:25:15,234 [lib.api.process] INFO: Termination confirmed for process 848
2020-06-30 13:25:15,234 [root] INFO: Terminate event set for process 848.
2020-06-30 13:25:15,249 [lib.api.process] INFO: Terminate event set for process 4216
2020-06-30 13:25:15,249 [root] DEBUG: Terminate Event: Attempting to dump process 4216
2020-06-30 13:25:15,281 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-30 13:25:15,296 [lib.api.process] INFO: Termination confirmed for process 4216
2020-06-30 13:25:15,312 [root] INFO: Terminate event set for process 4216.
2020-06-30 13:25:15,359 [lib.api.process] INFO: Terminate event set for process 592
2020-06-30 13:25:15,359 [root] DEBUG: Terminate Event: Attempting to dump process 592
2020-06-30 13:25:15,406 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFAF0000.
2020-06-30 13:25:15,500 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFAF0000.
2020-06-30 13:25:18,249 [root] DEBUG: DLL unloaded from 0x000007FEFD7A0000.
2020-06-30 13:25:18,328 [root] DEBUG: DLL unloaded from 0x000007FEF9FE0000.
2020-06-30 13:25:18,437 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3164
2020-06-30 13:25:18,437 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 13:25:18,625 [root] DEBUG: GetHookCallerBase: thread 3268 (handle 0x0), return address 0x00000000FFDE23E5, allocation base 0x00000000FFDE0000.
2020-06-30 13:25:18,625 [lib.api.process] INFO: Termination confirmed for process 592
2020-06-30 13:25:18,625 [root] INFO: Terminate event set for process 592.
2020-06-30 13:25:18,625 [lib.api.process] INFO: Terminate event set for process 4864
2020-06-30 13:25:18,625 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 592
2020-06-30 13:25:18,625 [root] DEBUG: Terminate Event: Attempting to dump process 4864
2020-06-30 13:25:18,671 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FFDE0000.
2020-06-30 13:25:18,718 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 13:25:19,000 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem renaming the file: The system cannot find the file specified.
2020-06-30 13:25:19,015 [root] DEBUG: Error 2 (0x2) - savePeFileToDisk: There was a problem deleting the file: C:\Windows\system32\CapeOutput.bin: The system cannot find the file specified.
2020-06-30 13:25:19,031 [root] DEBUG: DumpProcess: Failed to dump image at 0x00000000FFDE0000.
2020-06-30 13:25:19,218 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6800.
2020-06-30 13:25:19,390 [lib.api.process] INFO: Termination confirmed for process 4864
2020-06-30 13:25:19,390 [root] INFO: Terminate event set for process 4864.
2020-06-30 13:25:19,390 [lib.api.process] INFO: Terminate event set for process 472
2020-06-30 13:25:19,421 [root] DEBUG: DLL unloaded from 0x000007FEFED70000.
2020-06-30 13:25:19,421 [root] DEBUG: Terminate Event: Attempting to dump process 472
2020-06-30 13:25:19,578 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00000000FF540000.
2020-06-30 13:25:19,703 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x50000.
2020-06-30 13:25:19,921 [lib.api.process] INFO: Termination confirmed for process 472
2020-06-30 13:25:19,921 [root] INFO: Terminate event set for process 472.
2020-06-30 13:25:20,015 [lib.api.process] ERROR: Failed to open terminate event for pid 3304
2020-06-30 13:25:20,015 [root] INFO: Terminate event set for process 3304.
2020-06-30 13:25:20,015 [lib.api.process] ERROR: Failed to open terminate event for pid 3164
2020-06-30 13:25:20,109 [root] INFO: Terminate event set for process 3164.
2020-06-30 13:25:20,109 [root] INFO: Created shutdown mutex.
2020-06-30 13:25:21,109 [root] INFO: Shutting down package.
2020-06-30 13:25:21,109 [root] INFO: Stopping auxiliary modules.
2020-06-30 13:25:21,218 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbd0 amd local view 0x0000000004920000 to global list.
2020-06-30 13:25:21,312 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd14 amd local view 0x000000004A250000 to global list.
2020-06-30 13:25:21,375 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0xd14.
2020-06-30 13:25:21,390 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x000000004A250000 for section view with handle 0xd14.
2020-06-30 13:25:21,406 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0xd14.
2020-06-30 13:25:21,437 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x000000004A250000 for section view with handle 0xd14.
2020-06-30 13:25:21,484 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1218 amd local view 0x0000000004920000 to global list.
2020-06-30 13:25:21,593 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x000000004A250000 for section view with handle 0x738.
2020-06-30 13:25:21,609 [lib.common.results] WARNING: File C:\HfrpzXFC\bin\procmon.xml doesn't exist anymore
2020-06-30 13:25:21,609 [root] INFO: Finishing auxiliary modules.
2020-06-30 13:25:21,609 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 13:25:21,609 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x0000000000C50000 for section view with handle 0x738.
2020-06-30 13:25:21,984 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 4216.
2020-06-30 13:25:22,125 [root] WARNING: Folder at path "C:\HfrpzXFC\debugger" does not exist, skip.
2020-06-30 13:25:22,156 [root] DEBUG: DLL unloaded from 0x000007FEFEFA0000.
2020-06-30 13:25:22,203 [root] INFO: Analysis completed.

Machine

Name win7x64_4
Label win7x64_8
Manager KVM
Started On 2020-06-30 13:24:35
Shutdown On 2020-06-30 13:29:59

File Details

File Name 2020060308611765434567.exe
File Size 436224 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-06-30 01:17:56
MD5 73879715ca072971d061ab4a227a649c
SHA1 ceb47d58621b19e04ae737f12ad71f1b2ff5ebf5
SHA256 d9db86325cb63915a31775ab7b78f14802fa077e3aed9122f0fb03e9f39d05f2
SHA512 1be81a26cb07a2904b3defc3b3feae63a57ea0e757671fc90147428803d8f286ff1d6e48ddb160bf11b6b569fcef7c8b376d7b5c7c04f77c1ada75c2847791b7
CRC32 0E800E43
Ssdeep 12288:v7PivEhl9ZRMe1Gg6Hcwk92lg2YiiRlN/br9:DH/ZL1GzHcwOKy5//9

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3548 triggered the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
A process attempted to delay the analysis task.
Process: 2020060308611765434567.exe tried to sleep 371.52 seconds, actually delayed analysis time by 0.0 seconds
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: KERNEL32.dll/FindAtom
DynamicLoader: KERNEL32.dll/FindAtomW
DynamicLoader: KERNEL32.dll/AddAtom
DynamicLoader: KERNEL32.dll/AddAtomW
DynamicLoader: MSCOREE.DLL/LoadLibraryShim
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateFontFamilyFromName
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: gdiplus.dll/GdipGetLogFontW
DynamicLoader: MSCOREE.DLL/ND_WU1
DynamicLoader: mscoreei.dll/ND_WU1_RetAddr
DynamicLoader: mscoreei.dll/ND_WU1
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: GDI32.dll/GetTextExtentPoint32W
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGetProvParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: MSCOREE.DLL/ND_RI4
DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
DynamicLoader: mscoreei.dll/ND_RI4
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaOpenPolicyW
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: ADVAPI32.dll/LsaLookupSidsW
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/RtlMoveMemory
DynamicLoader: KERNEL32.dll/RtlMoveMemoryW
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: KERNEL32.dll/DeleteAtom
DynamicLoader: KERNEL32.dll/DeleteAtomW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: pcwum.dll/PerfDeleteInstance
DynamicLoader: pcwum.dll/PerfStopProvider
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: wbemcore.dll/Shutdown
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoDisconnectObject
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: kernel32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/[email protected]@[email protected]
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: MSCOREE.DLL/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: MSCOREE.DLL/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/GetVersionEx
DynamicLoader: KERNEL32.dll/GetVersionExW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
DynamicLoader: KERNEL32.dll/SetErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: KERNEL32.dll/lstrlen
DynamicLoader: KERNEL32.dll/lstrlenW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/CreateEvent
DynamicLoader: KERNEL32.dll/CreateEventW
DynamicLoader: KERNEL32.dll/SwitchToThread
DynamicLoader: KERNEL32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryA
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/GetErrorInfo
DynamicLoader: wminet_utils.dll/Initialize
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: KERNEL32.dll/ZeroMemory
DynamicLoader: KERNEL32.dll/ZeroMemoryA
DynamicLoader: KERNEL32.dll/RtlZeroMemory
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: KERNEL32.dll/GetEnvironmentVariable
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/GetComputerName
DynamicLoader: KERNEL32.dll/GetComputerNameW
DynamicLoader: KERNEL32.dll/CreateIoCompletionPort
DynamicLoader: KERNEL32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetSystemTimeAsFileTime
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: sxs.dll/SxsLookupClrGuid
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: sxs.dll/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: sxs.dll/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/ReadFile
DynamicLoader: KERNEL32.dll/GetFileSize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/GetACP
DynamicLoader: KERNEL32.dll/UnmapViewOfFile
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: KERNEL32.dll/FindFirstFile
DynamicLoader: KERNEL32.dll/FindFirstFileW
DynamicLoader: KERNEL32.dll/FindClose
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/FindNextFile
DynamicLoader: KERNEL32.dll/FindNextFileW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/SetClipboardViewerW
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleGetClipboard
DynamicLoader: KERNEL32.dll/GlobalLock
DynamicLoader: KERNEL32.dll/GlobalUnlock
DynamicLoader: KERNEL32.dll/GlobalFree
DynamicLoader: USER32.dll/SendMessage
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/SetWindowsHookEx
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: KERNEL32.dll/SetFilePointer
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: ole32.dll/CoRegisterMessageFilter
DynamicLoader: USER32.dll/PeekMessage
DynamicLoader: USER32.dll/PeekMessageW
DynamicLoader: USER32.dll/WaitMessage
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: SAMLIB.dll/SamEnumerateDomainsInSamServer
DynamicLoader: SAMLIB.dll/SamLookupDomainInSamServer
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: ole32.dll/CoTaskMemRealloc
DynamicLoader: ADVAPI32.dll/RegisterEventSourceW
DynamicLoader: ADVAPI32.dll/ReportEventW
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: SHLWAPI.dll/PathIsDirectoryW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: tschannel.dll/DllGetClassObject
DynamicLoader: tschannel.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: SHLWAPI.dll/PathIsDirectoryW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegNotifyChangeKeyValue
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CLSIDFromOle1Class
DynamicLoader: CLBCatQ.DLL/GetCatalogObject
DynamicLoader: CLBCatQ.DLL/GetCatalogObject2
DynamicLoader: tschannel.dll/DllGetClassObject
DynamicLoader: tschannel.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
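Most of the resolution list above is CLR start-up plumbing that every .NET executable produces (the mscoreei.dll shim exports, the Fls* and SRW-lock calls, locale and version lookups), so counting resolved APIs says little about the sample. What is worth scoring is the small set of distinctive resolutions that line up with the behavioural signatures later in the report: SetWindowsHookExW and GetLastInputInfo (keystroke capture), SetClipboardViewer and OleGetClipboard (clipboard capture), vaultcli.dll VaultEnumerateVaults and the SAMLIB.dll Sam* calls (credential and local-account enumeration), the wminet_utils.dll WMI calls and the OpenProcessToken/LookupPrivilegeValue/AdjustTokenPrivileges trio. The Python below is an added example and not CAPE's own code: it parses lines in the report's DynamicLoader format, strips the A/W suffix, and reports which capability clusters have at least two distinct hits. The capability map, the two-hit threshold and the suffix rule are assumptions made for illustration; the sample lines are an excerpt of the report's own list.

```python
"""Cluster a CAPE 'DynamicLoader' API-resolution list into capabilities.

Added example, not CAPE code. The CAPABILITIES map and MIN_HITS threshold are
assumptions for illustration; tune them to your own detection needs.
"""
import re

LINE_RE = re.compile(r"^DynamicLoader:\s*([^/\s]+)/(\S*)\s*$")
# Drop the ANSI/Unicode suffix only after a lowercase letter or digit, so
# SetWindowsHookExW -> SetWindowsHookEx while GetACP and IEE keep their names.
SUFFIX_RE = re.compile(r"(?<=[a-z0-9])[AW]$")

# Excerpt of the report's own DynamicLoader lines (not the full list).
SAMPLE_LINES = """\
DynamicLoader: USER32.dll/SetWindowsHookExW
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: ole32.dll/OleGetClipboard
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: KERNEL32.dll/FindFirstFileW
DynamicLoader: KERNEL32.dll/FindNextFileW
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: OLEAUT32.dll/
"""

# Assumed mapping from distinctive resolved APIs to the capability they imply.
# CLR/runtime plumbing (mscoreei.dll shims, Fls*, locale, SRW locks) is left
# out on purpose: every .NET process resolves those.
CAPABILITIES = {
    "keylogging": {"SetWindowsHookEx", "GetLastInputInfo"},
    "clipboard_capture": {"SetClipboardViewer", "OleGetClipboard"},
    "credential_access": {"VaultEnumerateVaults", "SamConnect",
                          "SamEnumerateDomainsInSamServer",
                          "SamGetMembersInAlias", "NetLocalGroupGetMembers"},
    "wmi_query": {"ConnectServerWmi", "ExecQueryWmi", "CreateInstanceEnumWmi"},
    "privilege_adjustment": {"OpenProcessToken", "LookupPrivilegeValue",
                             "AdjustTokenPrivileges"},
}
MIN_HITS = 2  # two distinct APIs per cluster, to cut single-API noise


def normalize(api):
    """Strip a trailing A/W variant suffix from an API name."""
    return SUFFIX_RE.sub("", api)


def parse_dynamic_loader(text):
    """Return (module, normalized_api) pairs; ordinal-only imports are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2):
            entries.append((m.group(1), normalize(m.group(2))))
    return entries


def classify(text):
    """Map each capability to the sorted distinct APIs seen, if >= MIN_HITS."""
    seen = {api for _, api in parse_dynamic_loader(text)}
    result = {}
    for capability, apis in CAPABILITIES.items():
        hits = sorted(seen & apis)
        if len(hits) >= MIN_HITS:
            result[capability] = hits
    return result


if __name__ == "__main__":
    for capability, hits in classify(SAMPLE_LINES).items():
        print(f"{capability:22s} {', '.join(hits)}")
```

Run against the full list on this page the same five clusters light up; the FindFirstFile/FindNextFile pairs are deliberately not scored, because directory enumeration is too common to be a signal on its own.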
A process created a hidden window
Process: 2020060308611765434567.exe -> schtasks.exe
CAPE extracted potentially suspicious content
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: AgentTeslaV2 Payload: 32-bit executable
2020060308611765434567.exe: AgentTeslaV2
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Injected Shellcode/Data
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Injected Shellcode/Data
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
2020060308611765434567.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.81, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00069e00, virtual_size: 0x00069ca4
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
command: schtasks.exe /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: 2020060308611765434567.exe(3548) -> 2020060308611765434567.exe(4216)
Executed a process and injected code into it, probably while unpacking
Injection: 2020060308611765434567.exe(3548) -> 2020060308611765434567.exe(4216)
Sniffs keystrokes
SetWindowsHookExW: Process: 2020060308611765434567.exe(4216)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (472) called API GetSystemTimeAsFileTime 2287825 times
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
CAPE detected the AgentTeslaV2 malware family
File has been identified by 29 Antiviruses on VirusTotal as malicious
MicroWorld-eScan: Trojan.GenericKDZ.68299
FireEye: Generic.mg.73879715ca072971
Cylance: Unsafe
Sangfor: Malware
Alibaba: Trojan:Win32/starter.ali1000139
CrowdStrike: win/malicious_confidence_100% (W)
Invincea: heuristic
F-Prot: W32/MSIL_Kryptik.ALK.gen!Eldorado
APEX: Malicious
Kaspersky: HEUR:Trojan-PSW.MSIL.Coins.gen
Paloalto: generic.ml
Endgame: malicious (high confidence)
Fortinet: MSIL/Kryptik.ALK!tr
Trapmine: malicious.moderate.ml.score
Ikarus: Win32.Outbreak
Cyren: W32/MSIL_Kryptik.ALK.gen!Eldorado
eGambit: Unsafe.AI_Score_100%
MAX: malware (ai score=82)
Microsoft: Trojan:Win32/Wacatac.DD!ml
ZoneAlarm: HEUR:Trojan-PSW.MSIL.Coins.gen
McAfee: Artemis!73879715CA07
Ad-Aware: Trojan.GenericKDZ.68299
Malwarebytes: Trojan.MalPack
ESET-NOD32: a variant of MSIL/Kryptik.WPI
Yandex: Trojan.AvsArher.bTJEKx
SentinelOne: DFI - Malicious PE
MaxSecure: Trojan.Malware.300983.susgen
GData: Trojan.GenericKDZ.68299
Qihoo-360: HEUR/QVM03.0.3EDF.Malware.Gen
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\bheWEoOklI.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
file: C:\Users\Louise\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file: C:\Users\Louise\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\Louise\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file: C:\cftp\Ftplist.txt
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Harvests information related to installed mail clients
file: C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
key: HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The sample wrote data to the system hosts file.
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Eitest
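The signature lines above are what a responder would sweep other hosts for, but the report mixes artefacts the sample created (the Updates\bheWEoOklI scheduled task, the copy in the user's Roaming folder, the hosts-file write) with victim files it merely read (the Firefox, Chrome and FTP-client credential stores, which exist on clean machines too), and every path carries the sandbox user's profile. The Python below is an added example, not CAPE's own code: it parses an excerpt of the report's signature lines into normalized IOCs, rewrites the profile paths to environment variables, keeps credential stores apart as targets rather than indicators, and flags the injection as self-injection when both sides of the arrow carry the same image name (the report's Process Hollowing line). It assumes the flat layout of this text dump: a line is a signature detail when its prefix is one of the keys CAPE prints (file, key, copy, command, Injection, Process, and so on) and a title otherwise; the detail-key list, the path rewrites and the title words used to recognise credential-theft signatures are assumptions made for this example. The per-run tmpD3F0.tmp task XML in %TEMP% is not extracted, since only the task name is stable.

```python
"""Extract host IOCs from the behavioural-signature section of a CAPE text report.

Added example, not CAPE code. The dump lost CAPE's HTML structure, so a line is
treated as a signature detail when its prefix is in DETAIL_KEYS (an assumed list
of the keys CAPE prints) and as a signature title otherwise.
"""
import json
import re

# Excerpt of the report's own signature lines (raw string keeps the backslashes).
REPORT_EXCERPT = r"""
A process created a hidden window
Process: 2020060308611765434567.exe -> schtasks.exe
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
command: schtasks.exe /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
Behavioural detection: Injection (Process Hollowing)
Injection: 2020060308611765434567.exe(3548) -> 2020060308611765434567.exe(4216)
Executed a process and injected code into it, probably while unpacking
Injection: 2020060308611765434567.exe(3548) -> 2020060308611765434567.exe(4216)
Sniffs keystrokes
SetWindowsHookExW: Process: 2020060308611765434567.exe(4216)
Steals private information from local Internet browsers
file: C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
file: C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
Creates a copy of itself
copy: C:\Users\Louise\AppData\Roaming\bheWEoOklI.exe
Harvests credentials from local FTP client softwares
file: C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
key: HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
The sample wrote data to the system hosts file.
"""

DETAIL_KEYS = {"file", "key", "copy", "command", "Injection", "Process", "ip",
               "section", "signature", "authenticode error"}  # assumed
DETAIL_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")
TASK_RE = re.compile(r'/Create\b.*?/TN\s+"([^"]+)"')
INJECT_RE = re.compile(r"^(.+?)\((\d+)\)\s*->\s*(.+?)\((\d+)\)$")
CREDENTIAL_TITLE_WORDS = ("steals", "harvests", "credential")  # assumed

# Most specific prefix first, so %APPDATA% wins over %USERPROFILE%.
PATH_REWRITES = [
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^C:\\Users\\[^\\]+", re.I), "%USERPROFILE%"),
]


def normalize_path(path):
    """Replace the sandbox user's profile directory with an environment variable."""
    for pattern, replacement in PATH_REWRITES:
        path, n = pattern.subn(replacement, path, count=1)
        if n:
            break
    return path


def split_line(line):
    """Return (key, value) for a detail line, or (None, line) for a title."""
    m = DETAIL_RE.match(line)
    if m and (m.group(1) in DETAIL_KEYS or m.group(2).startswith("Process:")):
        return m.group(1), m.group(2)
    return None, line


def extract_iocs(report_text):
    """Walk the signature lines and collect artefacts, targets and behaviours."""
    iocs = {"scheduled_tasks": [], "dropped_files": [], "child_processes": [],
            "injections": [], "credential_targets": [],
            "hosts_file_modified": False, "keylogging": False}
    title = ""
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, value = split_line(line)
        if key is None:  # a signature title: remember it for the details below
            title = value.lower()
            iocs["hosts_file_modified"] |= "hosts file" in title
            iocs["keylogging"] |= "keystrokes" in title
        elif key == "command":
            m = TASK_RE.search(value)
            if m and m.group(1) not in iocs["scheduled_tasks"]:
                iocs["scheduled_tasks"].append(m.group(1))
        elif key == "copy":
            iocs["dropped_files"].append(normalize_path(value))
        elif key == "Process" and "->" in value:
            child = value.split("->")[-1].strip()
            if child not in iocs["child_processes"]:
                iocs["child_processes"].append(child)
        elif key == "Injection":
            m = INJECT_RE.match(value)
            if m:
                src, spid, dst, dpid = m.groups()
                entry = {"source": src, "source_pid": int(spid),
                         "target": dst, "target_pid": int(dpid),
                         # same image on both sides: a hollowed copy of itself
                         "self_injection": src == dst}
                if entry not in iocs["injections"]:
                    iocs["injections"].append(entry)
        elif key in ("file", "key") and any(w in title for w in CREDENTIAL_TITLE_WORDS):
            iocs["credential_targets"].append(normalize_path(value))
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REPORT_EXCERPT), indent=2))
```

Sweep for scheduled_tasks, dropped_files and a modified hosts file; treat credential_targets as the list of stores to rotate credentials for on an infected host, not as evidence of infection.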

Hosts

Direct  IP            Country
Y       8.8.8.8       United States
Y       13.107.42.23  United States
Y       1.1.1.1       Australia

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe.config
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index39c.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8420d8c6ede777377fcff48a4beaa2a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.config
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.INI
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\CAMBRIA.TTC
C:\Windows\Fonts\CANDARA.TTF
C:\Windows\Fonts\CONSOLA.TTF
C:\Windows\Fonts\CONSTAN.TTF
C:\Windows\Fonts\CORBEL.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\CAMBRIAB.TTF
C:\Windows\Fonts\CAMBRIAI.TTF
C:\Windows\Fonts\CAMBRIAZ.TTF
C:\Windows\Fonts\CANDARAB.TTF
C:\Windows\Fonts\CANDARAI.TTF
C:\Windows\Fonts\CANDARAZ.TTF
C:\Windows\Fonts\CONSOLAB.TTF
C:\Windows\Fonts\CONSOLAI.TTF
C:\Windows\Fonts\CONSOLAZ.TTF
C:\Windows\Fonts\CONSTANB.TTF
C:\Windows\Fonts\CONSTANI.TTF
C:\Windows\Fonts\CONSTANZ.TTF
C:\Windows\Fonts\CORBELB.TTF
C:\Windows\Fonts\CORBELI.TTF
C:\Windows\Fonts\CORBELZ.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\4ac828c8c4c76f3ba59f8f9c7dab1cb3\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\net1.exe
C:\Windows\SysWOW64\net.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\
C:\Windows\Temp\fwtsqmfile01.sqm
C:\Windows\SysWOW64\sc.exe
C:\Windows\SysWOW64\en-US\sc.exe.mui
\Device\LanmanDatagramReceiver
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\81ab4c39c6a7c9f50721aca2db09b417\System.Management.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll
C:\Windows\System32\tzres.dll
C:\Users\Louise\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\Louise\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\FTP Navigator\Ftplist.txt
C:\Users\Louise\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\Louise\AppData\Roaming\Postbox\profiles.ini
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b065f84b49a27b648015c08fab8cd00e\System.Xml.ni.dll
C:\Users\Louise\AppData\Roaming\CoreFTP\sites.idx
C:\Windows\SysWOW64\wshom.ocx
C:\Users\Louise\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\Firefox\Profiles\0f9yudun.default\key4.db
C:\Users\Louise\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\Louise\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\Louise\AppData\Local\falkon\profiles\profiles.ini
C:\Users\Louise\AppData\Roaming\Waterfox\profiles.ini
C:\Users\Louise\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\Louise\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\Louise\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Louise\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Louise\AppData\Roaming\K-Meleon\profiles.ini
\??\PIPE\samr
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Louise\AppData\Roaming\bheWEoOklI.exe
C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp
C:\Windows\Temp\fwtsqmfile01.sqm
\Device\LanmanDatagramReceiver
C:\Windows\System32\drivers\etc\hosts
\??\PIPE\samr
C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3548.29259406
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3548.29259406
C:\Users\Louise\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3548.29259437
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2020060308611765434567.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index39c\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30184296\24218a55
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\c8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\780ee13f\c9\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\ba\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\cb\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\cf\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\cc\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\ce\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\c0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\c6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\c1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\c7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\257bdb20\d0\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\bb\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\c8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\b7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\5d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\b6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\3f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\DynamicInfo
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server\MarshaledProxy
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75F53380-9847-4C40-95C9-324CD9F2595B}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75F53380-9847-4C40-95C9-324CD9F2595B}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1339698970-4093829097-1161395185-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1339698970-4093829097-1161395185-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{7762BC04-2AA3-4ED8-B18D-44D77D69EFB2}\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F82CE6E-AD98-4E4E-A69C-61F38848FDD9}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F82CE6E-AD98-4E4E-A69C-61F38848FDD9}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{8953FA73-45C1-47AA-A38D-D1B39E19EAA5}\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\DynamicInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6E6DF46E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\5c\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\61f4f6f6\ae\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\41a2a33b\5b\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\c2\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\658578aa\c2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\ActiveWriterStateTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Settings\TornComponentsMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\DataVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableBackCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\MissedTasksStartupDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\TasksInMemoryQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\TasksPerHighestPrivEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\TasksPerLeastPrivEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\TracingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\WindowSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6BA0E3C1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\bheWEoOklI\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\bheWEoOklI\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AECEFA8-AD30-4BD4-A230-3AB28D38330D}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\LastServiceStart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\PreviousServiceShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75F53380-9847-4C40-95C9-324CD9F2595B}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{7762BC04-2AA3-4ED8-B18D-44D77D69EFB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F82CE6E-AD98-4E4E-A69C-61F38848FDD9}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{8953FA73-45C1-47AA-A38D-D1B39E19EAA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F417FC0C-A2EF-4C2E-9032-217D1482E5C1}\DynamicInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{7762BC04-2AA3-4ED8-B18D-44D77D69EFB2}\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{8953FA73-45C1-47AA-A38D-D1B39E19EAA5}\data
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.lstrlen
kernel32.dll.lstrlenW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetUserDefaultUILanguage
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentProcessId
kernel32.dll.FindAtomW
kernel32.dll.AddAtomW
mscoree.dll.LoadLibraryShim
mscoreei.dll.LoadLibraryShim
gdiplus.dll.GdiplusStartup
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateFontFamilyFromName
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegEnumValueW
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipGetFontSize
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
user32.dll.GetDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegQueryInfoKeyW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipDeleteFont
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.GetSysColor
gdi32.dll.CreateCompatibleDC
gdiplus.dll.GdipGetLogFontW
mscoree.dll.ND_WU1
mscoreei.dll.ND_WU1
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetTextMetricsW
gdi32.dll.GetTextExtentPoint32W
gdi32.dll.DeleteDC
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
culture.dll.ConvertLangIdToCultureName
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGetProvParam
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptEncrypt
ole32.dll.CoCreateGuid
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
kernel32.dll.GlobalMemoryStatusEx
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptReleaseContext
shfolder.dll.SHGetFolderPathW
kernel32.dll.CopyFileW
kernel32.dll.CloseHandle
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
mscoree.dll.ND_RI4
mscoreei.dll.ND_RI4
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.RtlMoveMemory
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
kernel32.dll.DeleteAtom
user32.dll.IsWindow
user32.dll.DestroyWindow
gdi32.dll.DeleteObject
api-ms-win-downlevel-advapi32-l1-1-0.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
advapi32.dll.EventUnregister
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
sspicli.dll.GetUserNameExW
pcwum.dll.PerfDeleteInstance
pcwum.dll.PerfStopProvider
sechost.dll.ConvertSidToStringSidW
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
ole32.dll.CoDisconnectObject
wbemcore.dll.Shutdown
ole32.dll.CoUninitialize
kernel32.dll.RegDeleteValueW
bcrypt.dll.BCryptGetFipsAlgorithmMode
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
cryptsp.dll.CryptCreateHash
ole32.dll.CreateBindCtx
ole32.dll.CoGetObjectContext
ole32.dll.MkParseDisplayName
oleaut32.dll.#200
oleaut32.dll.#2
oleaut32.dll.#7
oleaut32.dll.#6
kernel32.dll.CreateEventW
kernel32.dll.SwitchToThread
kernel32.dll.SetEvent
ole32.dll.IIDFromString
kernel32.dll.LoadLibraryA
wminet_utils.dll.ResetSecurity
wminet_utils.dll.SetSecurity
wminet_utils.dll.BlessIWbemServices
wminet_utils.dll.BlessIWbemServicesObject
wminet_utils.dll.GetPropertyHandle
wminet_utils.dll.WritePropertyValue
wminet_utils.dll.Clone
wminet_utils.dll.VerifyClientKey
wminet_utils.dll.GetQualifierSet
wminet_utils.dll.Get
wminet_utils.dll.Put
wminet_utils.dll.Delete
wminet_utils.dll.GetNames
wminet_utils.dll.BeginEnumeration
wminet_utils.dll.Next
wminet_utils.dll.EndEnumeration
wminet_utils.dll.GetPropertyQualifierSet
wminet_utils.dll.GetObjectText
wminet_utils.dll.SpawnDerivedClass
wminet_utils.dll.SpawnInstance
wminet_utils.dll.CompareTo
wminet_utils.dll.GetPropertyOrigin
wminet_utils.dll.InheritsFrom
wminet_utils.dll.GetMethod
wminet_utils.dll.PutMethod
wminet_utils.dll.DeleteMethod
wminet_utils.dll.BeginMethodEnumeration
wminet_utils.dll.NextMethod
wminet_utils.dll.EndMethodEnumeration
wminet_utils.dll.GetMethodQualifierSet
wminet_utils.dll.GetMethodOrigin
wminet_utils.dll.QualifierSet_Get
wminet_utils.dll.QualifierSet_Put
wminet_utils.dll.QualifierSet_Delete
wminet_utils.dll.QualifierSet_GetNames
wminet_utils.dll.QualifierSet_BeginEnumeration
wminet_utils.dll.QualifierSet_Next
wminet_utils.dll.QualifierSet_EndEnumeration
wminet_utils.dll.GetCurrentApartmentType
wminet_utils.dll.GetDemultiplexedStub
wminet_utils.dll.CreateInstanceEnumWmi
wminet_utils.dll.CreateClassEnumWmi
wminet_utils.dll.ExecQueryWmi
wminet_utils.dll.ExecNotificationQueryWmi
wminet_utils.dll.PutInstanceWmi
wminet_utils.dll.PutClassWmi
wminet_utils.dll.CloneEnumWbemClassObject
wminet_utils.dll.ConnectServerWmi
wminet_utils.dll.GetErrorInfo
wminet_utils.dll.Initialize
oleaut32.dll.SysStringLen
kernel32.dll.RtlZeroMemory
oleaut32.dll.#500
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
kernel32.dll.GetEnvironmentVariableW
advapi32.dll.GetUserNameW
kernel32.dll.GetComputerNameW
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
kernel32.dll.GetSystemTimeAsFileTime
user32.dll.GetLastInputInfo
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsLookupClrGuid
sxs.dll.SxsOleAut32RedirectTypeLibrary
advapi32.dll.RegOpenKeyW
advapi32.dll.RegQueryValueW
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
oleaut32.dll.#9
oleaut32.dll.#4
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
oleaut32.dll.#204
oleaut32.dll.#203
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
vaultcli.dll.VaultEnumerateVaults
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
oleaut32.dll.#201
kernel32.dll.FindNextFileW
oleaut32.dll.#179
user32.dll.SetClipboardViewer
ole32.dll.OleInitialize
ole32.dll.OleGetClipboard
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalFree
user32.dll.SendMessageW
user32.dll.SetWindowsHookExW
kernel32.dll.SetFilePointer
ole32.dll.CoRegisterMessageFilter
user32.dll.PeekMessageW
user32.dll.WaitMessage
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
samlib.dll.SamEnumerateDomainsInSamServer
samlib.dll.SamLookupDomainInSamServer
ole32.dll.CoTaskMemRealloc
advapi32.dll.CryptAcquireContextW
advapi32.dll.RegCreateKeyExW
shlwapi.dll.PathIsDirectoryW
advapi32.dll.RegNotifyChangeKeyValue
ole32.dll.CLSIDFromOle1Class
clbcatq.dll.GetCatalogObject
clbcatq.dll.GetCatalogObject2
tschannel.dll.DllGetClassObject
tschannel.dll.DllCanUnloadNow
advapi32.dll.RegSetValueExW
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
schtasks.exe /Create /TN "Updates\bheWEoOklI" /XML "C:\Users\Louise\AppData\Local\Temp\tmpD3F0.tmp"
"{path}"
C:\Users\Louise\AppData\Local\Temp\2020060308611765434567.exe "{path}"
taskeng.exe {7762BC04-2AA3-4ED8-B18D-44D77D69EFB2} S-1-5-21-1339698970-4093829097-1161395185-1000:Louise-PC\Louise:Interactive:[1]
taskeng.exe {8953FA73-45C1-47AA-A38D-D1B39E19EAA5} S-1-5-21-1339698970-4093829097-1161395185-1000:Louise-PC\Louise:Interactive:[1]
C:\Windows\system32\lsass.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
Global\CLR_CASOFF_MUTEX
VaultSvc
gupdate

PE Information

Image Base          0x00400000
Entry Point         0x0046bc9e
Reported Checksum   0x00000000
Actual Checksum     0x00078fc2
Minimum OS Version  4.0
Compile Time        2020-06-30 01:17:56
Import Hash         f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00069ca4 0x00069e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.81
.reloc 0x0006a000 0x0006c000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
.rsrc 0x0006a200 0x0006e000 0x000005a8 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.39

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0006e0a0 0x00000354 LANG_NEUTRAL SUBLANG_NEUTRAL 3.31 None
RT_MANIFEST 0x0006e3f4 0x000001b4 LANG_NEUTRAL SUBLANG_NEUTRAL 4.94 None

Imports


Assembly Information

Name liYiCiTGoqVC
Version 1.0.0.0

Assembly References

Name Version
mscorlib 2.0.0.0
System.Windows.Forms 2.0.0.0
System 2.0.0.0
System.Drawing 2.0.0.0
Microsoft.VisualBasic 8.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Realdolm
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute BeheerA
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 1.0.0
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright \xa9 Realdolmen 20
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute e5407721-112c-4231-b396-ffa4c30aeb
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute BeheerA

Type References

Assembly Type Name
Microsoft.VisualBasic Microsoft.VisualBasic.CallType
Microsoft.VisualBasic Microsoft.VisualBasic.Interaction
mscorlib System.AppDomain
mscorlib System.ArgumentOutOfRangeException
mscorlib System.Array
mscorlib System.Attribute
mscorlib System.Boolean
mscorlib System.Buffer
mscorlib System.Byte
mscorlib System.Char
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.Collections.Generic.List`1
System System.ComponentModel.CancelEventArgs
System System.ComponentModel.CancelEventHandler
System System.ComponentModel.Container
System System.ComponentModel.IContainer
System System.ComponentModel.ISupportInitialize
mscorlib System.DateTime
mscorlib System.Delegate
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.Diagnostics.DebuggerHiddenAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Diagnostics.StackFrame
mscorlib System.Diagnostics.StackTrace
mscorlib System.Double
System.Drawing System.Drawing.Bitmap
System.Drawing System.Drawing.Color
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Drawing System.Drawing.SizeF
mscorlib System.Enum
mscorlib System.EventArgs
mscorlib System.EventHandler
mscorlib System.EventHandler`1
mscorlib System.Exception
mscorlib System.Globalization.CultureInfo
mscorlib System.IDisposable
mscorlib System.IO.EndOfStreamException
mscorlib System.IO.Stream
mscorlib System.Int16
mscorlib System.Int32
mscorlib System.Int64
mscorlib System.IntPtr
mscorlib System.NotImplementedException
mscorlib System.NotSupportedException
mscorlib System.Object
mscorlib System.Reflection.Assembly
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Reflection.AssemblyName
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Reflection.MemberInfo
mscorlib System.Reflection.MethodBase
mscorlib System.Resources.ResourceManager
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.SuppressIldasmAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.RuntimeMethodHandle
mscorlib System.RuntimeTypeHandle
mscorlib System.STAThreadAttribute
mscorlib System.Single
mscorlib System.String
mscorlib System.Text.Encoding
mscorlib System.Text.StringBuilder
mscorlib System.Threading.Interlocked
mscorlib System.Threading.Monitor
mscorlib System.Threading.Thread
mscorlib System.TimeSpan
mscorlib System.Type
mscorlib System.UInt16
mscorlib System.UInt32
mscorlib System.UInt64
mscorlib System.ValueType
mscorlib System.Void
System.Windows.Forms System.Windows.Forms.Application
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.ButtonBase
System.Windows.Forms System.Windows.Forms.ComboBox
System.Windows.Forms System.Windows.Forms.ComboBox/ObjectCollection
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
System.Windows.Forms System.Windows.Forms.DataGridView
System.Windows.Forms System.Windows.Forms.DataGridViewCell
System.Windows.Forms System.Windows.Forms.DataGridViewCellCollection
System.Windows.Forms System.Windows.Forms.DataGridViewCellEventArgs
System.Windows.Forms System.Windows.Forms.DataGridViewCellEventHandler
System.Windows.Forms System.Windows.Forms.DataGridViewColumnHeadersHeightSizeMode
System.Windows.Forms System.Windows.Forms.DataGridViewRow
System.Windows.Forms System.Windows.Forms.DataGridViewRowCollection
System.Windows.Forms System.Windows.Forms.DateTimePicker
System.Windows.Forms System.Windows.Forms.ErrorProvider
System.Windows.Forms System.Windows.Forms.Form
System.Windows.Forms System.Windows.Forms.FormClosedEventArgs
System.Windows.Forms System.Windows.Forms.FormClosedEventHandler
System.Windows.Forms System.Windows.Forms.FormClosingEventArgs
System.Windows.Forms System.Windows.Forms.FormClosingEventHandler
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.ListControl
System.Windows.Forms System.Windows.Forms.Padding
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.TextBoxBase

v2.0.50727
#Strings
#GUID
#Blob
Ldc_I4_0
Ldloc_0
Stloc_0
Ldarg_0
Ldc_I4_M1
Ldloc_1
Stloc_1
ReadInt32
Ldloc_2
Stloc_2
Ldloc_3
Stloc_3
Int64
Ldc_I4
Conv_I4
Ldc_I4_5
ReadUInt16
get_UTF8
<Module>
get_B
CSCSCVDWDD
XAXCASD
WDFEGGEGEGGE
SASASFWF
get_G
IMMMM
System.IO
InverseQ
get_R
YxleytbRUhFS
Ldloc_S
Stloc_S
Brfalse_S
Bne_Un_S
Beq_S
Blt_S
set_IV
XAXAXAX
GetData
FromArgb
mscorlib
Microsoft.VisualBasic
Thread
DefineMethod
GetMethod
OpCode
CryptoStreamMode
Image
EndInvoke
BeginInvoke
IDisposable
Hashtable
RuntimeTypeHandle
GetTypeFromHandle
DefineDynamicModule
StartGame
set_Name
GetName
CallByName
AssemblyName
DefineType
CreateType
ValueType
CallType
SetReturnType
GetType
Dispose
Parse
Reverse
MulticastDelegate
Write
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
SuppressIldasmAttribute
AssemblyFileVersionAttribute
ObfuscationAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
DefaultMemberAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
ReadByte
value
System.Threading
Encoding
FromBase64String
ReadString
GetString
System.Drawing
BinarySearch
ComputeHash
VerifyHash
CandyCrush
get_Width
Newobj
AsyncCallback
callback
DeclareLocal
DefineLabel
MarkLabel
GetPixel
CandyCrush.dll
GetManifestResourceStream
get_BaseStream
CryptoStream
MemoryStream
get_Item
System
SymmetricAlgorithm
HashAlgorithm
ICryptoTransform
ReadBoolean
AppDomain
get_CurrentDomain
Interaction
System.Reflection
set_Position
InvalidOperationException
StringComparison
MethodInfo
ConstructorInfo
Bitmap
Sleep
InvokeMember
BinaryReader
SHA1CryptoServiceProvider
RSACryptoServiceProvider
DESCryptoServiceProvider
MethodBuilder
ModuleBuilder
TypeBuilder
LocalBuilder
ParameterBuilder
AssemblyBuilder
Binder
Buffer
ResourceManager
ParameterModifier
DefineParameter
Color
GetILGenerator
.ctor
.cctor
GetConstructor
CreateDecryptor
Ldstr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
OpCodes
DebuggingModes
MethodAttributes
TypeAttributes
ParameterAttributes
BindingFlags
System.Collections
RSAParameters
SetParameters
ImportParameters
AssemblyBuilderAccess
Modulus
Concat
GetObject
object
get_Height
Split
System.Reflection.Emit
IAsyncResult
result
Environment
Exponent
get_Count
Insert
Convert
Callvirt
ArrayList
System.Text
index
ToArray
ToCharArray
Juicy
set_Key
GetPublicKey
System.Security.Cryptography
DefineDynamicAssembly
GetExecutingAssembly
GetEntryAssembly
BlockCopy
op_Inequality
Feature
dead codeT
Exclude
StripAfterObfuscation
WrapNonExceptionThrows
CandyCrush
Copyright
2020
$df37b3a7-1a87-4c1c-93b1-eadfc7aa7ec3
1.0.0.0
_CorDllMain
mscoree.dll
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
System.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Resources.RuntimeResourceSet
v2.0.50727
#Strings
#GUID
#Blob
liYiCiTGoqVC
liYiCiTGoqVC.exe
mscorlib
System.Windows.Forms
System
System.Drawing
Microsoft.VisualBasic
.resources
.resources
.resources
.resources
.resources
.resources
BeheerApp.Properties.Resources.resources
.resources
.resources
.resources
.resources
.resources
CallType
Interaction
AppDomain
ArgumentOutOfRangeException
Array
Attribute
Boolean
Buffer
GeneratedCodeAttribute
System.CodeDom.Compiler
IEnumerable`1
System.Collections.Generic
List`1
CancelEventArgs
System.ComponentModel
CancelEventHandler
Container
IContainer
ISupportInitialize
DateTime
Delegate
DebuggerBrowsableAttribute
System.Diagnostics
DebuggerBrowsableState
DebuggerHiddenAttribute
DebuggerNonUserCodeAttribute
StackFrame
StackTrace
Double
Bitmap
Color
FontStyle
GraphicsUnit
Point
SizeF
EventArgs
EventHandler
EventHandler`1
Exception
CultureInfo
System.Globalization
IDisposable
EndOfStreamException
System.IO
Stream
Int16
Int32
Int64
IntPtr
NotImplementedException
NotSupportedException
Object
Assembly
System.Reflection
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
MemberInfo
MethodBase
ResourceManager
System.Resources
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
SuppressIldasmAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
RuntimeMethodHandle
RuntimeTypeHandle
STAThreadAttribute
Single
String
Encoding
System.Text
StringBuilder
Interlocked
System.Threading
Monitor
Thread
TimeSpan
UInt16
UInt32
UInt64
ValueType
Application
AutoScaleMode
Button
ButtonBase
ComboBox
ObjectCollection
ContainerControl
Control
ControlCollection
DataGridView
DataGridViewCell
DataGridViewCellCollection
DataGridViewCellEventArgs
DataGridViewCellEventHandler
DataGridViewColumnHeadersHeightSizeMode
DataGridViewRow
DataGridViewRowCollection
DateTimePicker
ErrorProvider
FormClosedEventArgs
FormClosedEventHandler
FormClosingEventArgs
FormClosingEventHandler
Label
ListControl
Padding
TextBox
TextBoxBase
<Module>
.ctor
Dispose
ToString
.cctor
value__
get_CurrentThread
get_ManagedThreadId
add_FormClosed
Focus
SuspendLayout
set_Font
set_Location
set_Margin
set_Name
set_Size
set_TabIndex
set_Text
set_UseVisualStyleBackColor
add_Click
set_AutoScaleDimensions
set_AutoScaleMode
set_ClientSize
get_Controls
add_Load
ResumeLayout
get_Text
Parse
Empty
SetError
get_Value
get_Date
op_LessThan
get_Now
Clear
BeginInit
add_TextChanged
add_Validating
set_AutoSize
add_ValueChanged
set_ContainerControl
EndInit
PerformLayout
Concat
GetTypeFromHandle
get_Assembly
GetObject
set_Enabled
get_RowIndex
get_Rows
get_Item
get_Cells
set_Value
set_ColumnHeadersHeightSizeMode
set_ReadOnly
add_CellClick
add_CellContentClick
get_RowTemplate
set_Height
EnableVisualStyles
SetCompatibleTextRenderingDefault
GetDomain
Replace
CallByName
set_Visible
get_SelectedItem
get_Items
set_SelectedIndex
op_Inequality
set_Cancel
set_FormattingEnabled
add_SelectedIndexChanged
get_Black
set_ForeColor
Close
add_Validated
GetFrame
GetMethod
get_DeclaringType
Enter
GetExecutingAssembly
GetCallingAssembly
Append
GetManifestResourceStream
set_Position
get_Unicode
GetString
Intern
GetName
get_FullName
GetPublicKeyToken
ReadByte
BlockCopy
Combine
CompareExchange
Remove
Invoke
get_Day
get_Month
AddRange
get_Name
GetBytes
get_Count
set_Item
get_MetadataToken
AddDays
op_LessThanOrEqual
add_FormClosing
op_Subtraction
System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
Realdolmen
Copyright
Realdolmen 2019
BeheerApp
1.0.0.0
$e5407721-112c-4231-b396-ffa4c30aeb10
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="utf-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo></assembly>
CandyCrush2
swqZRyIgFFpiCIJoeEjzyHpZBGf
TSP3UWUGf+EXLUIiOYwfBkhMRBtlWEapLE5j9Cp2RRXwd2Z5Tl1qPZpvDHkARC5xa15sbGNhbWU7b3BfSW5lF3VhbGl0eTtnZXRfTGVuZ3RoO0dldFR5cGVGcm9tSGFuZGxlO2dldF9OYW1lO0luZGV4T2Y7UmVhZFN0cmluZztBZGQ7Z2V0X1Bvc2l0aW9uO2dldF9DdXJyZW50RG9tYWluO1NldERhdGE7MjM2Njc7QXNzZW1ibHlTZXJ2ZXI7U2ltcGxlQXNzZW1ibHlFeHBsb3JlcjtiYWJlbHZtO3Ntb2tldGVzdA==
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
CandyCrush
FileVersion
1.0.0.0
InternalName
CandyCrush.dll
LegalCopyright
Copyright
2020
LegalTrademarks
OriginalFilename
CandyCrush.dll
ProductName
CandyCrush
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
Realdolmen
FileDescription
BeheerApp
FileVersion
1.0.0.0
InternalName
liYiCiTGoqVC.exe
LegalCopyright
Copyright
Realdolmen 2019
LegalTrademarks
OriginalFilename
liYiCiTGoqVC.exe
ProductName
BeheerApp
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Full Results

Engine Signature
Bkav Clean
MicroWorld-eScan Trojan.GenericKDZ.68299
VBA32 Clean
FireEye Generic.mg.73879715ca072971
CAT-QuickHeal Clean
ALYac Clean
Cylance Unsafe
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Malware
K7AntiVirus Clean
Alibaba Trojan:Win32/starter.ali1000139
K7GW Clean
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Clean
Invincea heuristic
BitDefenderTheta Clean
F-Prot W32/MSIL_Kryptik.ALK.gen!Eldorado
Symantec Clean
TotalDefense Clean
Baidu Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky HEUR:Trojan-PSW.MSIL.Coins.gen
BitDefender Clean
NANO-Antivirus Clean
Paloalto generic.ml
ViRobot Clean
Tencent Clean
Endgame malicious (high confidence)
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
Fortinet MSIL/Kryptik.ALK!tr
Trapmine malicious.moderate.ml.score
CMC Clean
Emsisoft Clean
Ikarus Win32.Outbreak
Cyren W32/MSIL_Kryptik.ALK.gen!Eldorado
Jiangmin Clean
eGambit Unsafe.AI_Score_100%
Avira Clean
MAX malware (ai score=82)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Trojan:Win32/Wacatac.DD!ml
AegisLab Clean
ZoneAlarm HEUR:Trojan-PSW.MSIL.Coins.gen
Avast-Mobile Clean
Cynet Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Artemis!73879715CA07
TACHYON Clean
Ad-Aware Trojan.GenericKDZ.68299
Malwarebytes Trojan.MalPack
Zoner Clean
ESET-NOD32 a variant of MSIL/Kryptik.WPI
TrendMicro-HouseCall Clean
Rising Clean
Yandex Trojan.AvsArher.bTJEKx
SentinelOne DFI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
GData Trojan.GenericKDZ.68299
Webroot Clean
AVG Clean
Panda Clean
Qihoo-360 HEUR/QVM03.0.3EDF.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 13.107.42.23 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

Source Source Port Destination Destination Port
192.168.1.9 49173 13.107.42.23 443
192.168.1.9 49176 13.107.42.23 443

UDP

Source Source Port Destination Destination Port
192.168.1.9 55233 1.1.1.1 53
192.168.1.9 59225 1.1.1.1 53
192.168.1.9 137 192.168.1.255 137
192.168.1.9 53599 8.8.8.8 53
192.168.1.9 55233 8.8.8.8 53
192.168.1.9 59225 8.8.8.8 53
192.168.1.9 64674 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 13:26:26.407 192.168.1.9 [VT] 49172 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:26:26.427 192.168.1.9 [VT] 49173 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:26:26.570 192.168.1.9 [VT] 49175 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:26:26.630 192.168.1.9 [VT] 49177 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3
2020-06-30 13:26:26.682 192.168.1.9 [VT] 49176 13.107.42.23 [VT] 443 TCP 1 2028395 2 ET JA3 Hash - Possible Malware - Various Eitest Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 13:26:26.459 192.168.1.9 [VT] 49173 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:26:26.550 192.168.1.9 [VT] 49172 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:26:26.630 192.168.1.9 [VT] 49175 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:26:26.755 192.168.1.9 [VT] 49176 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-06-30 13:26:26.841 192.168.1.9 [VT] 49177 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.9 49172 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49173 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49175 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49176 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
192.168.1.9 49177 13.107.42.23 443 1074895078955b2db60423ed2bf8ac23 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name services.exe
PID 472
Dump Size 327680 bytes
Module Path C:\Windows\sysnative\services.exe
Type PE image: 64-bit executable
PE timestamp 2015-04-13 02:02:59
MD5 a7e4984e1352e57cbf31e45f0c3810a0
SHA1 92d8a48fd2d8e3c34b454ec83facf5a80e6dce5c
SHA256 d25dad11881f696f2ec881e4b75be39f8ff03e94709b62d2e5303a5526f5ee80
CRC32 BEDFA87E
Ssdeep 6144:YX+dGqMuImU4Zkt8kjM7vFLFb/2JBH4EtLcN8ZE21udxLIzm:YX+dGluImU4s8m/zMzI
Dump Filename d25dad11881f696f2ec881e4b75be39f8ff03e94709b62d2e5303a5526f5ee80
Process Name svchost.exe
PID 4864
Dump Size 463360 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2010-11-20 10:04:28
MD5 95962fafff1c401740afe06f27a4a858
SHA1 4f6f62f3fd5d75bc1a5cb9b74cbaa0456d456f1a
SHA256 7a3911e5aa58c295b4ec8cf41b5175f25b39b986dda876d9f56b78595405bbd4
CRC32 64433C5D
Ssdeep 1536:hPs72dnhuvKgPKi8lIrZNUR7VVVV5u6dj+fp:hE72PuyNi8kzu7VVVV5u6djU
Dump Filename 7a3911e5aa58c295b4ec8cf41b5175f25b39b986dda876d9f56b78595405bbd4
Process Name svchost.exe
PID 592
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 f45cf5216297e61af21bbdb4fe92abdc
SHA1 30f1d373ffbaec16727fdaf2fce512990b52dc90
SHA256 1bd26bcd2a26df640d13e71be44cd712ae10be87f2c3674e61a49c2cab8c5de4
CRC32 3537BCEC
Ssdeep 384:KvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE4r1lWcSsEsj45RCOvojaPKW9C56:yWkX7q+f5TYvVeZMmn+0C4xcEbvKaPK
Dump Filename 1bd26bcd2a26df640d13e71be44cd712ae10be87f2c3674e61a49c2cab8c5de4
Process Name schtasks.exe
PID 3952
Dump Size 177152 bytes
Module Path C:\Windows\SysWOW64\schtasks.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:20:03
MD5 0de9a8e34e1ac195e9e4067c22a95033
SHA1 c941dd5468acf580f4bb50cf31db883336e7149a
SHA256 112a1867f5c86500679fd7327491cf5bc4695923f4702b8e59e785621f8ca5bf
CRC32 D1A0643A
Ssdeep 3072:Rbzc4reayVnpIEkWQc2hDRg9Le8c8ABDBhEGMnrAGBGAOCx:RPc4retFN66in80hElGA1
Dump Filename 112a1867f5c86500679fd7327491cf5bc4695923f4702b8e59e785621f8ca5bf
Process Name svchost.exe
PID 848
Dump Size 26624 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
PE timestamp 2009-07-13 23:31:13
MD5 4f4e56bad7a5ed0fa12bf471c17d8a65
SHA1 fae68be23013bd2039cdd0d8df5bd8cc232f567c
SHA256 3a0b33722e6add3840a7e8558b83d1ce3b44a30ed0f007805f212ca8cdd3947c
CRC32 8E974701
Ssdeep 384:KvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE4r1lWcSsEsj45RCOvojCPKW9C56:yWkX7q+f5TYvVeZMmn+0C4xcEbvKCPK
Dump Filename 3a0b33722e6add3840a7e8558b83d1ce3b44a30ed0f007805f212ca8cdd3947c
Process Name taskeng.exe
PID 3304
Dump Size 463360 bytes
Module Path C:\Windows\sysnative\taskeng.exe
Type PE image: 64-bit executable
PE timestamp 2010-11-20 10:04:28
MD5 1f02c87e53a3a7d7ce3e58e5fe478177
SHA1 358a3fc7f1ab96f2057b35211e050931220b19ea
SHA256 fdbdde3b040d6c7436046e93f352e23b0eeb73168387e65c77b2f2cf6f749dcc
CRC32 E8E71542
Ssdeep 6144:hECPugfkZYP5t4iI+aNtvWNSEtIvV+owuDRQua3327tvZNc7VVVV5u6d:hJlfkZYPb4i2NtebIvVkIa27tv0P
Dump Filename fdbdde3b040d6c7436046e93f352e23b0eeb73168387e65c77b2f2cf6f749dcc
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1045 - Software Packing
    • Signature - packer_entropy
Credential Access
  • T1003 - Credential Dumping
    • Signature - infostealer_browser
  • T1081 - Credentials in Files
    • Signature - infostealer_browser
Collection
  • T1005 - Data from Local System
    • Signature - infostealer_browser
Privilege Escalation
  • T1055 - Process Injection
    • Signature - InjectionInterProcess
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Execution
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task
Persistence
  • T1053 - Scheduled Task
    • Signature - uses_windows_utilities_to_create_scheduled_task

    Processing ( 42.934000000000005 seconds )

    • 34.708 BehaviorAnalysis
    • 5.284 Suricata
    • 0.855 CAPE
    • 0.662 NetworkAnalysis
    • 0.497 Static
    • 0.298 VirusTotal
    • 0.194 static_dotnet
    • 0.155 ProcDump
    • 0.089 Dropped
    • 0.062 AnalysisInfo
    • 0.055 TargetInfo
    • 0.03 Deduplicate
    • 0.019 Strings
    • 0.018 Debug
    • 0.008 peid

    Signatures ( 2.665999999999994 seconds )

    • 0.356 antiav_detectreg
    • 0.137 infostealer_ftp
    • 0.117 territorial_disputes_sigs
    • 0.114 mimics_filetime
    • 0.082 stealth_timeout
    • 0.079 infostealer_im
    • 0.075 decoy_document
    • 0.073 guloader_apis
    • 0.073 antianalysis_detectreg
    • 0.072 antivm_generic_disk
    • 0.071 Doppelganging
    • 0.065 api_spamming
    • 0.065 masquerade_process_name
    • 0.061 antiav_detectfile
    • 0.052 NewtWire Behavior
    • 0.048 virus
    • 0.047 reads_self
    • 0.044 stealth_file
    • 0.04 bootkit
    • 0.04 antivm_vbox_keys
    • 0.037 infostealer_bitcoin
    • 0.036 injection_createremotethread
    • 0.033 InjectionCreateRemoteThread
    • 0.033 antianalysis_detectfile
    • 0.03 infostealer_mail
    • 0.027 antivm_vmware_keys
    • 0.026 InjectionInterProcess
    • 0.026 hancitor_behavior
    • 0.024 antivm_vbox_files
    • 0.023 injection_runpe
    • 0.02 InjectionProcessHollowing
    • 0.02 Vidar Behavior
    • 0.02 antivm_parallels_keys
    • 0.02 antivm_xen_keys
    • 0.019 neshta_files
    • 0.018 InjectionSetWindowLong
    • 0.015 exec_crash
    • 0.015 ransomware_files
    • 0.014 geodo_banking_trojan
    • 0.014 predatorthethief_files
    • 0.014 qulab_files
    • 0.013 kovter_behavior
    • 0.013 antivm_generic_diskreg
    • 0.013 antivm_vpc_keys
    • 0.012 antiemu_wine_func
    • 0.012 exploit_heapspray
    • 0.012 injection_explorer
    • 0.011 PlugX
    • 0.011 antivm_generic_scsi
    • 0.011 dynamic_function_loading
    • 0.011 hawkeye_behavior
    • 0.01 antidebug_guardpages
    • 0.01 malicious_dynamic_function_loading
    • 0.01 antidbg_devices
    • 0.009 TransactedHollowing
    • 0.009 h1n1_behavior
    • 0.009 rat_luminosity
    • 0.009 stack_pivot
    • 0.009 antivm_vmware_files
    • 0.009 ransomware_extensions
    • 0.008 Unpacker
    • 0.008 betabot_behavior
    • 0.008 Locky_behavior
    • 0.007 infostealer_browser_password
    • 0.007 kibex_behavior
    • 0.007 network_tor
    • 0.006 persistence_autorun
    • 0.006 blackrat_registry_keys
    • 0.006 recon_programs
    • 0.006 shifu_behavior
    • 0.006 stack_pivot_file_created
    • 0.006 antivm_xen_keys
    • 0.006 antivm_hyperv_keys
    • 0.006 bypass_firewall
    • 0.005 antidbg_windows
    • 0.005 antivm_vbox_devices
    • 0.005 masslogger_files
    • 0.004 antiav_avast_libs
    • 0.004 antivm_vbox_libs
    • 0.004 exploit_getbasekerneladdress
    • 0.004 exploit_gethaldispatchtable
    • 0.004 infostealer_browser
    • 0.004 kazybot_behavior
    • 0.004 OrcusRAT Behavior
    • 0.004 vawtrak_behavior
    • 0.004 antivm_generic_bios
    • 0.004 antivm_generic_system
    • 0.004 ketrican_regkeys
    • 0.004 browser_security
    • 0.004 codelux_behavior
    • 0.004 darkcomet_regkeys
    • 0.004 limerat_regkeys
    • 0.004 rat_pcclient
    • 0.004 recon_fingerprint
    • 0.003 antivm_generic_services
    • 0.003 disables_browser_warn
    • 0.003 obliquerat_files
    • 0.003 sniffer_winpcap
    • 0.002 antiav_bitdefender_libs
    • 0.002 antiav_bullgaurd_libs
    • 0.002 antiav_emsisoft_libs
    • 0.002 antiav_qurb_libs
    • 0.002 antiav_apioverride_libs
    • 0.002 antiav_nthookengine_libs
    • 0.002 antisandbox_sboxie_libs
    • 0.002 antisandbox_sunbelt_libs
    • 0.002 uac_bypass_eventvwr
    • 0.002 encrypted_ioc
    • 0.002 Raccoon Behavior
    • 0.002 office_com_load
    • 0.002 tinba_behavior
    • 0.002 antisandbox_fortinet_files
    • 0.002 antisandbox_threattrack_files
    • 0.002 antivm_vpc_files
    • 0.002 banker_cridex
    • 0.002 network_tor_service
    • 0.002 medusalocker_regkeys
    • 0.002 dcrat_files
    • 0.002 warzonerat_files
    • 0.002 warzonerat_regkeys
    • 0.002 remcos_files
    • 0.002 remcos_regkeys
    • 0.002 targeted_flame
    • 0.001 antivm_vmware_libs
    • 0.001 dyre_behavior
    • 0.001 office_vb_load
    • 0.001 office_wmi_load
    • 0.001 ransomware_message
    • 0.001 rat_nanocore
    • 0.001 sets_autoconfig_url
    • 0.001 antisandbox_cuckoo_files
    • 0.001 antisandbox_joe_anubis_files
    • 0.001 antisandbox_sunbelt_files
    • 0.001 antivm_generic_cpu
    • 0.001 bitcoin_opencl
    • 0.001 bot_drive
    • 0.001 browser_addon
    • 0.001 modify_proxy
    • 0.001 disables_system_restore
    • 0.001 disables_windows_defender
    • 0.001 arkei_files
    • 0.001 azorult_mutexes
    • 0.001 modify_security_center_warnings
    • 0.001 modify_uac_prompt
    • 0.001 office_perfkey
    • 0.001 packer_armadillo_regkey
    • 0.001 nemty_regkeys
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior
    • 0.001 spreading_autoruninf
    • 0.001 stealth_hiddenreg
    • 0.001 tampers_etw
    • 0.001 lokibot_mutexes

    Reporting ( 31.631 seconds )

    • 22.961 BinGraph
    • 8.497 JsonDump
    • 0.115 SubmitCAPE
    • 0.045 MITRE_TTPS
    • 0.013 PCAP2CERT