SecondWrite DeepView - 036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8

Malicious

This predictive confidence of maliciousness for this sample is 92%.

036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8

547.8 kB

Size

2020-04-28 09:00:09

First seen 7 days ago

Windows PE32 Executable

Classification

Full Detail

Ransomware

Low

Trojan

Low

Virus

Low

Banker

Low

Bot

Low

Rat

Low

Adware

Low

Infostealer

High

Worm

Low

Spyware

Low

Indicators

Expand All

SecondWrite Indicators

Forced Code Execution

Automatic Sequence Detection

Program Level Indicators

Anti-Analysis

Attempts to repeatedly call a single API many times in order to delay analysis time

Spam:: dw20.exe (2556) called API ReadProcessMemory 530938 times

Anti-Sandbox

Tries to suspend Sandbox threads to prevent logging of malicious activity

Looks for the Windows Idle Time to determine the uptime

PID	API	Arguments
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8
2704	NtQuerySystemInformation	information_class: 8

A process attempted to delay the analysis task.

Description:: RegSvcs.exe tried to sleep 2728525 seconds, actually delayed analysis time by 2728525 seconds

Anti-Vm

Queries for the computername

PID	API	Arguments
2556	GetComputerNameA	computer_name: VIRTUAL-PC
2556	GetComputerNameW	computer_name: VIRTUAL-PC

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

PID	API	Arguments
2440	GlobalMemoryStatusEx	N/A

Checks adapter addresses which can be used to detect virtual network interfaces

PID	API	Arguments
2556	GetAdaptersAddresses	flags: 15 family: 0
2556	GetAdaptersAddresses	flags: 15 family: 0
2556	GetAdaptersAddresses	flags: 640 family: 0
2556	GetAdaptersAddresses	flags: 640 family: 0

Checks the system manufacturer, likely for anti-virtualization

Generic

Strings possibly contain hardcoded IP Addresses.

Ip Address:: 16.0.0.0
Ip Address:: 16.1.0.0
Ip Address:: 1.0.0.0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

One or more of the buffers contains an embedded PE file

Buffer:: Buffer with sha1: f11665c8721466f78a96c106b08f17fc29a12f6c
Buffer:: Buffer with sha1: 15e3fb6f37a5835cd130fbfea2838c0628b557b0

Attempts to remove evidence of file being downloaded from the Internet

Infostealer

Steals private information from local Internet browsers

File:: C:\Users\Virtual\AppData\Local\Google\Chrome\User Data\Default\Login Data
File:: C:\Users\Virtual\AppData\Local\Google\Chrome\User Data\Local State
File:: C:\Users\Virtual\AppData\Local\Google\Chrome\User Data\Login Data
File:: C:\Users\Virtual\AppData\Local\Google\Chrome\User Data\
File:: C:\Users\Virtual\AppData\Local\Chromium\User Data
File:: C:\Users\Virtual\AppData\Local\MapleStudio\ChromePlus\User Data
File:: C:\Users\Virtual\AppData\Local\Yandex\YandexBrowser\User Data

Harvests credentials from local email clients

Registry:: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Registry:: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Registry:: HKEY_CURRENT_USER\Software\RimArts\B2\Settings

Injection

Executed a process and injected code into it, probably while unpacking

PID	API	Arguments
2440	NtResumeThread	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2500
2440	NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2500
2440	WriteProcessMemory	buffer: base_address: 0x7ddf45bf process_identifier: 2500 process_handle: 0x000001a4
2440	WriteProcessMemory	buffer: base_address: 0x7dd7435f process_identifier: 2500 process_handle: 0x000001a8
2440	CreateProcessInternalW	thread_identifier: 2560 thread_handle: 0x000001f0 process_identifier: 2556 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe track: 1 command_line: dw20.exe -x -s 472 filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe stack_pivoted: 0 creation_flags: 0 inherit_handles: 1 process_handle: 0x000001ec

Network

Connects to IP address(es) that are no longer responding to requests (legitimate services will remain up-and-running usually)

Dead Host:: 172.217.12.238:80

Packer

Allocates read-write-execute memory (usually to unpack itself)

PID	API	Arguments
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 77824 protection: 64 base_address: 0x00301000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x00317000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x00318000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 32768 protection: 64 base_address: 0x00321000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x0032a000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x0032b000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 442368 protection: 64 base_address: 0x0ac11000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x0ac81000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x0ac82000 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 base_address: 0x0ac83000 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0c4f0000 allocation_type: 8192 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c630000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x79e71000 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x006fa000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 base_address: 0x79e72000 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x006f2000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00812000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x7ddf4000 process_handle: 0x000001a4
2440	NtProtectVirtualMemory	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 base_address: 0x7dd74000 process_handle: 0x000001a8
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0084b000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00847000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00813000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00814000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0082a000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00827000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0083a000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x006fb000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 base_address: 0x0c710000 allocation_type: 8192 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c780000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c781000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c782000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c783000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c784000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c785000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00832000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x00845000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c786000 allocation_type: 4096 process_handle: 0xffffffff
2440	NtAllocateVirtualMemory	process_identifier: 2500 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 base_address: 0x0c78a000 allocation_type: 4096 process_handle: 0xffffffff

The binary likely contains encrypted or compressed data.

Section:: .text, at virtual address 0x00002000
Entropy:: 7.73854007735
Description:: A section with a high entropy has been found

Entropy:: 0.995322731525
Description:: Overall entropy of this PE file is high

Persistence

Creates an Alternate Data Stream (ADS)

File:: C:\Users\Virtual\AppData\Roaming\XohSjP\XohSjP.exe:Zone.Identifier

Installs itself for autorun at Windows startup

Registry:: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XohSjP

Static

This sample contains high entropy sections

Section:: .text, at virtual address 0x00002000
Entropy:: 7.73854007735

This sample contains low entropy sections

Section:: .reloc, at virtual address 0x00088000
Entropy:: 0.101910425663

Yara

Yara Pattern Name	Description
IsPE32	No Description Available
Base64Encode	Base64 encoding detected

Static Analysis

Version Infos

Translation:: 0x0000 0x04b0
LegalCopyright:: Copyright \xc2\xa9 2013
Assembly Version:: 1.0.0.0
InternalName:: vvUDLoIsLSV.exe
FileVersion:: 1.0.0.0
CompanyName:
LegalTrademarks:
Comments:
ProductName:: SMS
ProductVersion:: 1.0.0.0
FileDescription:: SMS
OriginalFilename:: vvUDLoIsLSV.exe

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00002000	0x00084f60	0x00085000	7.73854007735
.reloc	0x00088000	0x0000000c	0x00000200	0.101910425663
.rsrc	0x0008a000	0x00000694	0x00000800	4.80895839467

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_VERSION	0x0008a0a0	0x0000030c	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_MANIFEST	0x0008a3ac	0x000002e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None

Imports

Library mscoree.dll:

_CorExeMain

Strings

!This program cannot be run in DOS mode.
`.reloc
B.rsrc
Y]sA
Y+sA
.sA
fmsD
fmsD
4?sD
2?sD
4?sD
2?sD
2?sD
4?sD
2?sD
4?sD
2?sD
2?sD
\'sD
\'sD
90sA
9gsA
Y'sD
Y'sD
Y'sD
;csA
;<sA
4?sD
2?sD
4?sD
2?sD
2?sD
ZLsA
ZmsA
Z+sA
\'sD
\'sD
4?sD
2?sD
4?sD
2?sD
2?sD
afeffeefefef y
Xfeffefefea
afefeffeefa
Xffefeeffeef
afefefeffefea
Yffefeeffe
Yfefefeffefehah
Xfefefeffehah
Yfeffeefefa
Yfefeffeef_-
Yfeffefeeffea
4?sD
2?sD
4?sD
2?sD
2?sD
Y'sD
Y'sD
.]sA
.=sA
4?sD
2?sD
4?sD
2?sD
2?sD
ZNsA
ZrsA
Z-sA
4?sD
2?sD
4?sD
2?sD
2?sD
4?sD
2?sD
4?sD
2?sD
2?sD
kZX$sA
lZXA
(ZXsA
(ZXsA
4?sD
2?sD
4?sD
2?sD
2?sD
iQsD
iQsD
8YsA
89sA
Y'sD
Y'sD
<osA
<>sA
4?sD
2?sD
4?sD
2?sD
2?sD
<ZXsA
<ZXXsA
4?sD
2?sD
4?sD
2?sD
2?sD
OSsA
\2sA
4?sD
2?sD
4?sD
2?sD
2?sD
pmsD
pmsD
pmsD
feffeefeffea
Zfeffeefef(
fefefeffea(
wfeffefefe
feffefefefe
feffeeffefe
feffefefe
afeffeefef
9fefeffefefe
fefefeffe
fefeffeeffe
feffeefef
wfefefeffe
afeffeefefef
DffeeffefeYa*
l-feffeefefY
Y=ffefeeffeXa*
feffefefeY
,$ ."?
, 8"?
,$ 8"?
, c#?
,$ c#?
, @#?
,$ @#?
, [#?
,$ [#?
$, ."?
*B 6Z?
Y_c_
F#sD
F#sD
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
IDATx^
gX\1v)
ZM81^y
|$O_]Cw
mTI|5i
+CKnNo
Rcl&.!
ykLHlov$z
J+a[e2
UNZ&0e
\tO|gX
Ab7(Iz
\,6}An
DPcvx_N]
R'oG[U
Ik8n&V
Ji~\IPn2~
cJy)MC}
D{fr`C
me!Em{
]]F+;#
&s?3YP
-E|U%q
3_bONd~
ky>k&/
tI;bL*h
NPoJ,{
xDJ\2
/YA?E&[
c@,YGd
C'zPbb]Wkl
X56E>D
VM8a!Y
C\$^dl
.g s.a
YPcm-x
h8!svb
p]ftOX
,aMWmf
wD5OPu
+W0_P}
Jvwv!eC#
cuGvnKg
;9Spl:
KONE2i
?.F_,
4B/=a|
z_R3ZJ
m"#{)1a
$^;*63W
<RPI>%
t=iZV;
#!AP}J
MxGAh2_"
kqWPq(e]
g'5_2C
B]-8`Lk
7I!`g[^Hg
yAQlm_p
Y~<;W| &R
Dg"lu8
*ZDr +Z
Ki6ERm
o"A3ANNd
?!T]ws|
1#nI6_
BF0%q$
vq;Yr@
m)Y[or
oJZm;N
r=CNBe
q^k6s/Fsb`K
Pj GgF
-?';`x7
]eW_/t
m?MAEF
`?:[CP
5l~zKy[
)%mE}F
~z7[=Z
qxT4f>
#/k&/&
5/fWCk^
q1[LXX
S;~!DP
8JHSqb
eNNkKl
jG1op.
Xj\Wr+
}~/;-O
\Kfg=!
y<mmn2m
#A%Nxd
/}*"Ys
-TlPaD
ye6YC+un
0.w&mL4
!?OZswb
_p"/k-j
\.'5B
3`'z>$
//G02.
MB99j
({@IoM
lWWNOy
n$Ho)U
.6k80_P
'-=(}2
ERWurk
:Emt'Z
@y:.j>
eYL4K>f0Om3;
X,7(O,A=
H%%Rk
*&<<j~
q^w,V}
pvIB-X
=MX7t%]
MMevUc
V"/5c~
&Sk$/%Fl
-kN&bo
rg}OJs$
)Pl3C"
D]PGM&
RI/d/;2
E}Znwe
TobD}v
|CvZ.y+
KIWNxT(
5f^V7^<2
lG?/ut
=;&Le|
G7f7k@
uFb{O5
5wxx`+Q
%R0c#kl
XJRk)e#^p
fINX5He]S
h6&$q8
yGI'=N
jB7Wgvm
SPk(3..
lM{f-9
9Y^BA*
sNP}.7
QCo>U^
x-E]28
P];Vi"
4k'MV:
pe?^}+
fMIcw:(
54dAh_
}R*]5M
Mgp'kJ
s$e(a#
=7S#H(;,
DFrz{=.5
.[Hm+G'r
Z$FeHJ
/XmS.w
s/r)u/[4z
YPYjs{Z
a!?DUd/L/
:LAke"
bmto5c{U,
D}nH)m
EL\9UI
5'G\Cp
ckY>X4+
}]_k9
[QW9c
8g)#i
KSj?+8S
<sSX"I
)VV4|\
)'p*s)
|I) Vk>9A
m[rWLF
@A7y$i
f8MBVS
mSN|KW
isi?<H
t\g4D[Q
<"$[lY
+'B[xp
Vl`vgC~m;
QqXT]'i
@*!%o(mLBi
~WQiC
BR.cX+=
=">=zR
vev4;*
j|DxL'
'riv:kS
lycZ&Z
2>al^C
ZtWzxlj
[l9u">C6
Q(8X,S9
_|:q-'a
$S*Mi T
xB[er[
mi=KPk
DTS5NyZ
<s#%&G1
A,WCO[
|J*'yy
M_#_~Dm
P-5hHFQ
jN;GXnS,
O{<[<`e
*g1c+M
"ii/,ZLP
&OAGkp>;
JgC|&<f_
#!!'74`
{)sq z
?G918k
s=Hk&T
H"%(,l
L$-#W5{Q;EA
(hnr7;A
v8f\$%:
8`#im{
l,7Gcb
HqjJ]h
Y;,'<'=
%Q<b/.
`;<$ d
A%A/%t
k4K7bPw
<)DS$F
,Dmb&#>
&dngit
]ac@k:
.<,v$X
}-9,hc
su4Sesx\
%]dU4Y
/Uy">i
,Q'<&X
q7J!kR_
sXP}"C
dgrN}&
*WsLPj
v2VvP\\
}A%Su)
VEpJPs
63wU1;
R;Z9{1
AVd^eH
`e-:e,f
pWkj[,
6jGl"r
D.cP|!#j$<
wB|81;
ixv0Y"
3Bw|!K
5o#i>v
R0zPB|
{/(54b|N
]PQ1}^|
x{4|]0
1U-X=h6
o=KH=k
|/r2ZA
~J8c^vf}
0XPIit
~6=Hu^
0WR}V(
w. |m$
Yh%t#nt7BMN
=C7G3]P
yJ<zoJ
WT+X#y
:2VNBaB:
+{m[bp^
#h$7vx
N-jPw0c\
+8xf6I
1dg6P6
N$+t,1
;7eDX(
,b*;Q!
+l5;p2k8F
#Plt[L
S5bN-aE
HN_FIe
@-b?mf
fU(6l!)6
**U,h[
"{Tq{`9;J
S)fYz1
gi6-W6
nFsi>'
pm71.}
&9~a<
*2Cit<
Xc}.si{s
~ 57$<
JRvPst-
kI#^L
k|'p<
ao(cem
yQdf6!
Ut=e4()
i:/cza
5ps|_:
D)3\Pos,
APIkB/
iC[AmN
ot~+]>
/droc..
NrGF,iM
A:W4~>
vrny47
.gr85B
]%h|)E
3;,IpK
kv[/1
z_tgDOmRN
`N?WR/w
g;2{a6{T
:V0xh'
RL{'qQ
2TPqD^&
\EZB1G
o+6/-A
]e&G.d Y
sq2.#KxwH
0kg^+/g
bf~M#w
m{1}g!
`x>jGF
A?6ISy
nf"K*
5>@9}$}
U9kewy
Q:n[H@nk&
|r3'.m
tV~0eH\8
6t8WMAssl
E;o!^~
+h~n&N{v
M{7`GW
SLsL]'p
qq}/$F
5j`R]E
,3{^%Z
^61?j8
2tgl$+[
jEvr'J
/x]/55j
Nb9g*&
KzV[:V:
l?3Vh.
3fc4\N
{*.r93
9F2lN;
3wO7!;
4cE|'^
hd.B~j
1D=qx
@uZi(3S2iwMPk
7\pS*i
j"=d4*
XjLCx(=@^
ed{wF[\
hGz*ry
~'3y6#
qR\^
IDAT163
WSP}V(
_&tq%o
]:6$H-
NV8c~1
1gt%mL~
gZ(t2X
(:g;sa
+tssd?
Glx6|?
P_LSZr*_
}s:;+h
@PwZz
Gsn{7Zv;
{7}FMK
EP}ZCt
u4lNp{
3qK_2g
9gjN[A
-.U%sk
r,F|ci`
v]k:}=
GZ;FLM
H:SPow
*^MqQ?f*
Sze7CS
/"339[W
{kIn
'QvV,L;
yY,1-"
`>b%o_
i0q9oX4
3{.kR"_
0bR?cN
wm@5s.Z
\<&."pp/
SY}c0C
zb_Kh#'
s{b.*F
a9=r=ik
l"zg!f
Us]Z<<6i
4:Gu!c
\DiRGB
? !wQ4o'Z
=%zD~c
v|9lH7-;JWocAawAB
BsT66f
*\J%(9
Fz]$P}0
?S*Pqn
$x^e*v
4[R@J%
-u/bNN
ej(;;q<
3umkV%
VWCUOo<
PVF8p~
f4gWlG}J
}F1gL
BEG98&
=kL0VG
h+reeG^
*^!4n9
]v{~dl
])##r/
1-) {}
*x2{w}d
h=O%YX_C
.e;ky?
;y3e5
Avc*sg
nfT~>O
|Qve`C
%qL,V}
L^#PaZP
KZM0Z7
\FuE_Fi]
"jY9y=
E>@lPL
![Ds)v
y5^<Y%
Kw*HS@:
NPc2?s
'lT1xc
E,;:&U
*&4S}&
cSR?g
d^j@mn!
!i@,j7by
eU?v4Er<f
rq=gM;1
7wx|=KWK
X9r"FuO
#vk0oZ
GE}&c9|
~oB$bQ
m.3zi--
EaD9v#s
-Cdm9$
To1gF8pFP}ma
s{4c#x
+0n<HT
"TOI747
b\K;`:F
vxLSxDb
/C7i79
`dbGN+t'{
j?Ypd%c7)`Vt
E5ywe)
.azo:v2
'j)/MCn
9+c[2k
?H+A%Y
2m\I:
zoQ#Md
bs`-1%
[$d|bD
j>;n]f
eh3x4{?
ZP}xc
03T;N'eb
stC!?g
A\oM%3
/3%Mdy
1aDm1s-
HnB&mg|
s+ZPcv
+Y[&>/\
;<l[^%K
vaQq$m
uV$CA7?
"~]C&t
m?Z&J8
K]g*^GH;p
o"tJp.
?K|n?^
aZOWglI=
_*+pi'T
"'2HHi
%tj{&m
MiOZli@
R4&kPh7
)JHV\ 4
8\lL8R3
o$HU)
n\l*Acw
|)>jh
vn!a[
mq0Pbd
ER!YS;`
=>{1SPI
f%bU)#R{
%bw%7&
RoW=|
C[N2qj0
v6 7a"G|{1
^C(9PC
Tm*zIy
=X<'?9eJk
u9{~<R
aci0[{
{:3HPn%y
Bj4=)_
bCO1no
%dbe,7v
(dA})^
vw$zs[
<2qV~D3D
*2o7"j
Bh}v&=
R U[;cVG
Y,t-$,
439AHV.
aa/Ycs
sls*&dqN>
)KMDke:
i?:*W0
d-Uv\<
I-Uux$rt
=dP'm-^
(.lJV{D
hGSfjU
pr~7&>
dO{)IU
K$Ke?(H-c
DOL*{h
8x{p5U
4WnQ{D
.T{:*K
+l]_f*
*4{2]t
GHK~K
17sZWl
d+S"W2
HNXag4Cf
S|$S)
s|Ux.m
P4z=fB
K.:XoHb
"gR>:{^0
AYwFDW0`
G~F!uJS
"O3e1
u*]f}
rSZOyO
{gyrfN
cU_`S!
UPY{TCuXRn
7oaFP:
pcc>>q
WJ18*>_tK4F
j.TO%j
?^Ng\
&?BzIMP}
v6YBvf
q+'j(R@~i
2B{` G
5N)p$\PaN
p}ssNMN
i82Gm/YQ
-N<+>KLt
r;"&,E
bMm%NbQ
2KPIJu$u3
]9p}/#
|/xGdM
D>Iq^X
/c^c+&
2}\}Ki
QRS6De
qo{k4,
TUBMLw
wcR~:5
,@Po%[s
6#Gv%d|1
Q!qc{^
4~:G'XP
ftG%HP
"l$d|B
ch'qE^
6u1Icj
\6|D~u
$BuMz{
h\DLg}
%o&fPO
GU:H4e
CY90^,
SotAEP
v+OJNe
|'sxb5
KM7Ev\
_-D}?
?`Ol3+
&O,gIH
k?@CP}
MZ+6u>J
.sv\OU
PYisTw
9N(zUn|I`P
K;ra@,vv
x:n+!nY
DV<c""
:>1G0J
O'wF>x
#3eHV/
2EPcg
*#An,T
vEPocL
3nj|C5
.71`\
9M'VfK
{RqV_a
49czCP
Zrl[sjKt
9###d8V
Kco@Or
JE5|Wz@
=C.3oK;
[1S<_;
)K!p%:+
]Eb}C"tC
dJn%:
eS_`8y
fJ#64np
j_Cv\*
hRbaBfu$
:P.L`
oGR<|>+
*n+%M{
uS#j4os+
7SuZr>k
`If-FOU
:!)I m
V@Fm(J
r7p9){
sgwl8O
itWzj.'a
=N1&c(
b}8*/O
DT?sn>
"dIKb^
9U!6Dzd
T3v9{0
?K>q3f
N1dL{'
>dW(Xo
d {(cs
rlW+rv
osn}Iby
1D/r.=4
f&qYZt
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
&vV m'
De4lCT
&NXi`E
;)c!cx
)=U?6
uBukP3
Pe\!0y,
g*sjnr
oFFK,,
n@i[xR
`5kk8Q
2b8g"/m
$K6$(3&Fx
1Yt^}pz.j
l>C~y[`E
z/@_-a
(2K7qL
n7 lQY/
;-=0c4
^ChX(q
SpFuD{h
.?[d"{
0HU@Qy
61q^plj
%{XX5%O
R7]!,_
XF2#d{'
w]}2@W
gk+y&,
V0^tE8d
a1Arn9
BypQbYL
JfJ96%x
w*W2 r
]j=53P
nv$PgU
JIseyC
'wy<bUQ
C|pgw
yuJ7x5
+{&R+
},v?'[
:|MDx#f
L0H|._K
CrsIcD
]+poq2
w(8~a
g?0^rd
[K'% E
mqh0$//N
;0/R;>
v@$Pt0
%+UWg3
;!fu2o
uk@[&8Egh
;[U8;-}H
iS;kq 8Z
= E+r'
(9~o:"
ftkQP~|
S$==45
mA5JL:
>WkYx%/d
;$GrD8<
v2.0.50727
#Strings
vvUDLoIsLSV
vvUDLoIsLSV.exe
mscorlib
System.Windows.Forms
System
System.Data
System.Drawing
Microsoft.VisualBasic
System.Configuration
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
SMS.Properties.Resources.resources
.resources
.resources
.resources
.resources
.resources
.resources
.resources
ProjectData
Microsoft.VisualBasic.CompilerServices
AppDomain
ArgumentOutOfRangeException
Boolean
Buffer
GeneratedCodeAttribute
System.CodeDom.Compiler
ArrayList
System.Collections
Dictionary`2
System.Collections.Generic
Enumerator
IDictionary`2
IEnumerable`1
KeyValuePair`2
List`1
Container
System.ComponentModel
IContainer
ISupportInitialize
ApplicationSettingsBase
ConfigurationManager
ConnectionStringSettings
ConnectionStringSettingsCollection
SettingsBase
Convert
CommandType
DbCommand
System.Data.Common
DbConnection
DbDataReader
ConnectionState
SqlCommand
System.Data.SqlClient
SqlConnection
SqlDataReader
SqlParameter
SqlParameterCollection
DateTime
DateTimeKind
Decimal
DebuggerBrowsableAttribute
System.Diagnostics
DebuggerBrowsableState
DebuggerHiddenAttribute
DebuggerNonUserCodeAttribute
StackFrame
StackTrace
Double
Bitmap
ContentAlignment
FontFamily
FontStyle
GraphicsUnit
SystemColors
EventArgs
EventHandler
Exception
CultureInfo
System.Globalization
IDisposable
EndOfStreamException
System.IO
Stream
IntPtr
NotSupportedException
NullReferenceException
Object
Assembly
System.Reflection
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
Binder
BindingFlags
MemberInfo
MethodBase
ResourceManager
System.Resources
CompilationRelaxationsAttribute
System.Runtime.CompilerServices
CompilerGeneratedAttribute
RuntimeCompatibilityAttribute
SuppressIldasmAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
RuntimeMethodHandle
RuntimeTypeHandle
STAThreadAttribute
CipherMode
System.Security.Cryptography
DESCryptoServiceProvider
HashAlgorithm
ICryptoTransform
MD5CryptoServiceProvider
SymmetricAlgorithm
Single
String
StringComparison
Encoding
System.Text
System.Text.RegularExpressions
StringBuilder
Monitor
System.Threading
Thread
UInt16
UInt32
UInt64
ValueType
Application
AutoScaleMode
BindingSource
BorderStyle
Button
ButtonBase
ComboBox
ContainerControl
Control
ControlCollection
Cursor
Cursors
DialogResult
DockStyle
FlatButtonAppearance
FlatStyle
FormBorderStyle
GroupBox
ImageLayout
KeyEventArgs
ListBox
ListControl
MessageBox
MessageBoxButtons
MonthCalendar
Padding
PictureBox
RichTextBox
ScrollableControl
SplitContainer
SplitterPanel
TabControl
TabPage
TextBox
TextBoxBase
UserControl
<Module>
Settings
SMS.Properties
Dispose
.cctor
value__
defaultInstance
get_Default
Default
get_CurrentThread
get_ManagedThreadId
get_Chars
get_Length
set_DisplayMember
set_ValueMember
set_DataSource
get_SelectedValue
ToString
get_State
op_Equality
Concat
ExecuteReader
get_HasRows
GetOrdinal
GetString
GetInt32
set_Text
SuspendLayout
get_Controls
set_Location
set_Name
set_Size
set_TabIndex
set_TabStop
get_White
set_BackColor
set_BorderStyle
set_AutoSize
set_Font
set_FormattingEnabled
add_SelectedIndexChanged
set_TextAlign
set_UseVisualStyleBackColor
add_Click
set_ItemHeight
set_AccessibleDescription
get_FlatAppearance
get_Silver
set_MouseOverBackColor
set_FlatStyle
get_HotTrack
set_ForeColor
set_AutoScaleDimensions
set_AutoScaleMode
get_Transparent
ResumeLayout
PerformLayout
get_Text
op_Inequality
get_Parameters
AddWithValue
ExecuteNonQuery
get_Gainsboro
FromArgb
set_BorderColor
set_BorderSize
get_ActiveCaptionText
get_DarkGreen
GetDecimal
ContainsKey
get_Item
set_Item
set_Parent
set_Dock
BringToFront
set_ClientSize
set_FormBorderStyle
set_MaximizeBox
BeginInit
get_Window
get_NoMove2D
set_Cursor
set_Margin
EndInit
get_Message
set_SelectedValue
IsNullOrEmpty
GetEnumerator
get_Current
get_Value
StartsWith
get_Key
MoveNext
add_TextChanged
EnableVisualStyles
SetCompatibleTextRenderingDefault
GetFrame
GetMethod
get_DeclaringType
GetTypeFromHandle
GetExecutingAssembly
GetCallingAssembly
Append
GetManifestResourceStream
set_Position
get_Unicode
Intern
GetName
get_FullName
GetPublicKeyToken
get_Assembly
ReadByte
BlockCopy
set_Enabled
set_CommandType
ExecuteScalar
get_Now
get_Year
get_DarkGray
get_MidnightBlue
set_SelectedIndex
set_Padding
Replace
ToInt32
get_Panel1
get_Panel2
GetDouble
get_Font
get_FontFamily
get_Size
set_BackgroundImageLayout
set_ImageAlign
set_AutoScroll
set_SplitterDistance
set_SplitterWidth
Substring
set_ShowWeekNumbers
get_Highlight
set_TitleBackColor
get_MenuHighlight
get_ControlText
GetObject
AddRange
get_Name
GetBytes
get_Count
get_MetadataToken
get_ConnectionStrings
get_ConnectionString
get_CurrentDomain
GetType
EndApp
InvokeMember
get_ASCII
ComputeHash
set_Key
set_Mode
CreateDecryptor
FromBase64String
TransformFinalBlock
get_UTF8
IndexOf
ToArray
SpecifyKind
get_Kind
get_InvariantCulture
Compare
get_KeyCode
get_Modifiers
get_Hand
get_ButtonHighlight
set_UseSystemPasswordChar
get_Firebrick
Synchronized
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.1.0.0
1.0.0.0
$bced77df-6e22-4c92-bc19-e18f9b743ad6
WrapNonExceptionThrows
Copyright
2013
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="utf-8"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges><applicationRequestMinimum><PermissionSet class="System.Security.PermissionSet" version="1" Unrestricted="true" ID="Custom" SameSite="site" /><defaultAssemblyRequest permissionSetReference="Custom" /></applicationRequestMinimum></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application /></compatibility></assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
aUswtyRxHsqFtQgRHvzAgFRHKQxjROTG
)(*(+(,(-(.(/(0(
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
FileVersion
1.0.0.0
InternalName
vvUDLoIsLSV.exe
LegalCopyright
Copyright
2013
LegalTrademarks
OriginalFilename
vvUDLoIsLSV.exe
ProductName
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0

Network

Hosts Involved

IP Address	Country of Origin
172.217.12.238	US

Geolocation

Destination Country

US:: 100%

File

Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32: E7ACFA2D
MD5: 4e63326270ce758cb0366becccb5c677
SHA1: 7ad467db1c55d82613de4273a574b6733dcd31f5
SHA256: 036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8
SHA512: 35fa1069b684b8975fe2bee732aad03c0b62b0d4cf415875892d58ae3973f1ceec619888a32196007e48677a4c391a466dac06f941b9e47ded8b7b9861219297
Ssdeep: 12288:+qT7/h8jKjRf091X3ztlX37vtFTdnLKj/GcoDmDK9WfwH:+28jKjs1nr37vnTdLIZaN9Wfo
PEiD: None matched

Screenshots

Behavior Summary

File-Read

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\win.ini

File-Written

C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_P5IGMLJE3HMGVIVP_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_087f9f46\Report.wer
C:\Users\Virtual\AppData\Local\Temp\WER10D1.tmp.WERInternalMetadata.xml
C:\Users\Virtual\AppData\Local\Temp\WER18CF.tmp.WERDataCollectionFailure.txt
C:\Users\Virtual\AppData\Local\Temp\WER9241.tmp.hdmp

File-Deleted

C:\Users\Virtual\AppData\Local\Temp\WER10D1.tmp
C:\Users\Virtual\AppData\Local\Temp\WER10D1.tmp.WERInternalMetadata.xml
C:\Users\Virtual\AppData\Local\Temp\WER18CF.tmp
C:\Users\Virtual\AppData\Local\Temp\WER18CF.tmp.WERDataCollectionFailure.txt
C:\Users\Virtual\AppData\Local\Temp\WER9241.tmp
C:\Users\Virtual\AppData\Local\Temp\WER9241.tmp.hdmp

File-Opened

C:\DLLS\dvasion_exp.dll
C:\Users\Virtual\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Virtual\AppData\Local\Temp\036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe
C:\Users\Virtual\AppData\Local\Temp\WER10D1.tmp.WERInternalMetadata.xml
C:\Users\Virtual\AppData\Local\Temp\WER18CF.tmp.WERDataCollectionFailure.txt
C:\Windows\Fonts\MOD20.TTF
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\times.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\SysWOW64\CRYPTBASE.dll
C:\Windows\SysWOW64\KERNELBASE.dll
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\lpk.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\usp10.dll
C:\Windows\System32\RpcRtRemote.dll
C:\Windows\System32\apphelp.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\en-US\erofflps.txt
C:\Windows\System32\imm32.dll
C:\Windows\System32\l_intl.nls
C:\Windows\System32\mscoree.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\version.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\index128.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\vvUDLoIsLSV\7eef2798135d69856850175af589ae9e\vvUDLoIsLSV.ni.exe
C:\Windows\assembly\pubpol41.dat
C:\Windows\win.ini
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll

File-Copied

C:\Users\Virtual\AppData\Local\Temp\WER10D1.tmp.WERInternalMetadata.xml -> C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_P5IGMLJE3HMGVIVP_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_087f9f46\WER10D1.tmp.WERInternalMetadata.xml
C:\Users\Virtual\AppData\Local\Temp\WER18CF.tmp.WERDataCollectionFailure.txt -> C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_P5IGMLJE3HMGVIVP_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_087f9f46\WER18CF.tmp.WERDataCollectionFailure.txt

Network-Resolves URL

watson.microsoft.com

Directory-Created

C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_P5IGMLJE3HMGVIVP_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_087f9f46

Directory-Enumerated

C:\DLLS
C:\Users
C:\Users\Virtual
C:\Users\Virtual\AppData
C:\Users\Virtual\AppData\Local
C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_*_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_*
C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\*_*_*_*
C:\Users\Virtual\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_*_8d7d499464e4138cf6bb32f3ca5e9ba074639830_cab_*
C:\Users\Virtual\AppData\Local\Temp
C:\Users\Virtual\AppData\Local\Temp\036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.INI
C:\Windows
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\SysWOW64
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\lpk.dll
C:\Windows\SysWOW64\msctf.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\psapi.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\usp10.dll
C:\Windows\System32
C:\Windows\System32\apphelp.dll
C:\Windows\System32\drivers\*.mrk
C:\Windows\System32\imm32.dll
C:\Windows\System32\mscoree.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\version.dll
C:\Windows\assembly
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\NativeImages_v2.0.50727_32\System
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
C:\Windows\winsxs
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll

Registry Key-Opened

HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-f4-9a-ee
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Throttling\CLR20r3
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\dw20.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index128
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3131157199-1995805048-2727015567-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\HeapControlledList\036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock
\Policy\Standards

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastWatsonCabUploaded
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4d424072\55565f71\a1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2598b4b3\4d424072\a1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index128\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index128\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index41
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\44D72C57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\8E33B45E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Service\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls\C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Users\Virtual\AppData\Local\Temp\036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\SYSTEM32\MSCOREE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\SysWOW64\ntdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\SysWOW64\sechost.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\assembly\NativeImages_v2.0.50727_32\vvUDLoIsLSV\7eef2798135d69856850175af589ae9e\vvUDLoIsLSV.ni.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\system32\IMM32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\system32\VERSION.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\system32\apphelp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\system32\profapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\system32\uxtheme.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\ADVAPI32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\CRYPTBASE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\GDI32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\KERNEL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\KERNELBASE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\LPK.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\MSCTF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\PSAPI.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\RPCRT4.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SHLWAPI.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SspiCli.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\USER32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\USP10.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\msvcrt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\ole32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls\C:\dlls\dvasion_exp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureRoutine
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\BIOSVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\CSDBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip6\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

Mutex-Accessed

Global\dffea0c0-8968-11ea-816d-00163e76853d

Processes

Process Name

PID

Parent PID

dw20.exe 2556 2500

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1588075012.57		GetSystemTimeAsFileTime		Status SUCCESS
1588075012.57		SetUnhandledExceptionFilter		Status FAILURE
1588075012.57		NtAllocateVirtualMemory	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x00283000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1588075012.57		GetSystemDirectoryW	dirpath: "C:\Windows\system32"	Return Value 19 Status SUCCESS
1588075012.57		NtAllocateVirtualMemory	process_identifier: 2556 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x01c30000" allocation_type: 8192 process_handle: "0xffffffff"	Status SUCCESS
1588075012.57		NtFreeVirtualMemory	free_type: 32768 base_address: "0x01c30000" process_identifier: 2556 process_handle: "0xffffffff" size: 1245184	Status SUCCESS
1588075012.57		NtAllocateVirtualMemory	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 base_address: "0x01d60000" allocation_type: 4096 process_handle: "0xffffffff"	Status SUCCESS
1588075012.57		LdrLoadDll	module_name: "C:\Windows\system32\wer.dll" basename: "wer" stack_pivoted: 0 flags: 0 module_address: "0x6e480000"	Status SUCCESS
1588075012.57	7	LdrGetProcedureAddress	ordinal: 0 function_address: "0x6e48eccd" function_name: "WerReportCreate" module: "wer" module_address: "0x6e480000"	Status SUCCESS
1588075012.57		NtMapViewOfSection	section_handle: "0x000001d8" process_identifier: 2556 commit_size: 0 win32_protect: 4 buffer: "" base_address: "0x00660000" allocation_type: 0 section_offset: 0 view_size: 40960 process_handle: "0xffffffff"	Status SUCCESS

Showing 1 to 10 of 4,762 entries

Previous1 2 3 4 5…477Next

036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe 2440 2448

Filter:

Registry File Process Services Network Synchronization

Show entries

Search:

Time	Repeat	API	Arguments	Result
1588075147.01		NtOpenSection	desired_access: "0x0000000f" section_handle: "0x00000048" section_name: "ADVAPI32.dll"	Status SUCCESS
1588075147.01		NtMapViewOfSection	section_handle: "0x00000048" process_identifier: 2440 commit_size: 0 win32_protect: 4 buffer: "" base_address: "0x77c60000" allocation_type: 0 section_offset: 0 view_size: 655360 process_handle: "0xffffffff"	Status SUCCESS
1588075147.01		NtClose	handle: "0x00000048"	Status SUCCESS
1588075147.01		NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 4 base_address: "0x77c61000" process_handle: "0xffffffff"	Status SUCCESS
1588075147.01		NtQueryAttributesFile	filepath_r: "\??\C:\Windows\SysWOW64\sechost.dll" filepath: "C:\Windows\SysWOW64\sechost.dll"	Status SUCCESS
1588075147.01		NtOpenFile	file_handle: "0x00000048" filepath: "C:\Windows\SysWOW64\sechost.dll" desired_access: "0x00100021" filepath_r: "\??\C:\Windows\SysWOW64\sechost.dll" status_info: 1 open_options: 96 share_access: 5	Status SUCCESS
1588075147.01		NtCreateSection	file_handle: "0x00000048" object_handle: "0x00000000" desired_access: "0x0000000f" protection: 16 section_name: "" section_handle: "0x0000004c"	Status SUCCESS
1588075147.01		NtMapViewOfSection	section_handle: "0x0000004c" process_identifier: 2440 commit_size: 0 win32_protect: 4 buffer: "" base_address: "0x00300000" allocation_type: 0 section_offset: 0 view_size: 102400 process_handle: "0xffffffff"	Return Value 1073741827 Status SUCCESS
1588075147.01	6	NtProtectVirtualMemory	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 77824 protection: 64 base_address: "0x00301000" process_handle: "0xffffffff"	Status SUCCESS
1588075147.01	2	NtClose	handle: "0x0000004c"	Status SUCCESS

Showing 1 to 10 of 1,667 entries

Previous1 2 3 4 5…167Next

Classification

Indicators

Yara

Static Analysis

Version Infos

Sections

Resources

Imports

Library mscoree.dll:

Strings

Network

Hosts Involved

Geolocation

Destination Country

File

Screenshots

Behavior Summary

File-Read

File-Written

File-Deleted

File-Opened

File-Copied

Network-Resolves URL

Directory-Created

Directory-Enumerated

Registry Key-Opened

Registry Key-Read

Mutex-Accessed

Processes

dw20.exe25562500

036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe24402448

dw20.exe 2556 2500

036dac6a8b92caca759f4029e2c48c352daf4fbf3297ebf9bb309203c0bbb0f8.exe 2440 2448