View difference between Paste ID: <a href="/tBfPpDaJ">tBfPpDaJ</a> and <a href="/RnK6Pg88">RnK6Pg88</a> - Pastebin.com

View difference between Paste ID: tBfPpDaJ and RnK6Pg88

SHOW: | | - or go back to the newest paste.

[#############################################################################]
    Analysis Report for MW3sa Reporting tool.exe
                   MD5: 517e2d8869c36c0dca8e2dfef4e3255e
[#############################################################################]

Summary: 
    - Write to foreign memory areas: 
        This executable tampers with the execution of another process.

    - Execution did not terminate correctly: 
        The executable crashed.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- MW3sa Repo.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
    - DW20.EXE
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        252 s
        Report created:     05/11/12, 00:42:08 UTC
        Termination reason: Timeout
        Program version:    1.76.3886


[#############################################################################]
    2. MW3sa Repo.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        MW3sa Repo.exe
        MD5:             517e2d8869c36c0dca8e2dfef4e3255e
        SHA-1:           76fe8c9291fd48d1a5ab647172a7feb86d805c8e
        File Size:       38912 Bytes
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\mscoree.dll ],
               Base Address: [0x79000000 ], Size: [0x0004A000 ]
        Module Name: [ C:\WINDOWS\system32\KERNEL32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ],
               Base Address: [0x603B0000 ], Size: [0x00066000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ],
               Base Address: [0x79140000 ], Size: [0x0066F000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ],
               Base Address: [0x79060000 ], Size: [0x000BE000 ]
        Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ],
               Base Address: [0x79880000 ], Size: [0x00DC3000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ],
               Base Address: [0x60340000 ], Size: [0x0000D000 ]
        Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ],
               Base Address: [0x60930000 ], Size: [0x00010000 ]
        Module Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ],
               Base Address: [0x79810000 ], Size: [0x00060000 ]
        Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ],
               Base Address: [0x7A820000 ], Size: [0x00898000 ]
        Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ],
               Base Address: [0x7B1D0000 ], Size: [0x00196000 ]
        Module Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ],
               Base Address: [0x7B370000 ], Size: [0x00C6B000 ]
        Module Name: [ C:\WINDOWS\system32\uxtheme.dll ],
               Base Address: [0x5AD70000 ], Size: [0x00038000 ]
        Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ],
               Base Address: [0x4EC50000 ], Size: [0x001A6000 ]
        Module Name: [ C:\WINDOWS\system32\dciman32.dll ],
               Base Address: [0x73BC0000 ], Size: [0x00006000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
    2.a) MW3sa Repo.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], 
             Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], 
             Value Name: [ DoReport ], Value: [ 1 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting ], 
             Value Name: [ ShowUI ], Value: [ 1 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], 
             Value Name: [ Auto ], Value: [ 1 ], 2 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ], 
             Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 6 times
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Arial Baltic,186 ], Value: [ Arial,186 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Arial CE,238 ], Value: [ Arial,238 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Arial CYR,204 ], Value: [ Arial,204 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Arial Greek,161 ], Value: [ Arial,161 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Arial TUR,162 ], Value: [ Arial,162 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Courier New Baltic,186 ], Value: [ Courier New,186 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Courier New CE,238 ], Value: [ Courier New,238 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Courier New CYR,204 ], Value: [ Courier New,204 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Courier New Greek,161 ], Value: [ Courier New,161 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Courier New TUR,162 ], Value: [ Courier New,162 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Helv ], Value: [ MS Sans Serif ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Helvetica ], Value: [ Arial ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ MS Shell Dlg ], Value: [ Microsoft Sans Serif ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ MS Shell Dlg 2 ], Value: [ Tahoma ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times ], Value: [ Times New Roman ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times New Roman Baltic,186 ], Value: [ Times New Roman,186 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times New Roman CE,238 ], Value: [ Times New Roman,238 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times New Roman CYR,204 ], Value: [ Times New Roman,204 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times New Roman Greek,161 ], Value: [ Times New Roman,161 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Times New Roman TUR,162 ], Value: [ Times New Roman,162 ], 1 time
        Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes ], 
             Value Name: [ Tms Rmn ], Value: [ MS Serif ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\.NETFramework ], 
             Value Name: [ InstallRoot ], Value: [ C:\WINDOWS\Microsoft.NET\Framework\ ], 9 times
        Key: [ HKLM\Software\Microsoft\.NETFramework\Policy\\v4.0 ], 
             Value Name: [ 30319 ], Value: [ 30319-30319 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ Accessibility,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0xb0b518f748cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0x923ed9fd48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Configuration,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x189984f948cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Deployment,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x5607dbfb48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x820dabfe48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Runtime.Serialization.Formatters.Soap,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0xccc2561749cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Security,4.0.0.0,,b03f5f7f11d50a3a,MSIL ], Value: [ 0x2029aaff48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0xc2b2590149cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ System.Xml,4.0.0.0,,b77a5c561934e089,MSIL ], Value: [ 0xa019a50249cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default ], 
             Value Name: [ mscorlib,4.0.0.0,,b77a5c561934e089,x86 ], Value: [ 0x7af6f1f448cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32 ], 
             Value Name: [ LatestIndex ], Value: [ 128 ], 4 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ DisplayName ], Value: [ mscorlib,4.0.0.0,,b77a5c561934e089 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ LastModTime ], Value: [ 0x7af6f1f448cecb01 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ Modules ], Value: [ normidna.nlp|normnfc.nlp|normnfd.nlp|normnfkc.nlp|normnfkd.nlp ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ SIG ], Value: [ 0xd74ebd98377318409551ee0825ada7bad7d8789378521e6bea0d6e989d21 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ Status ], Value: [ 8198 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\1499ca42\653465f8\1 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], 
             Value Name: [ DisplayName ], Value: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], 
             Value Name: [ LastModTime ], Value: [ 0xc2b2590149cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], 
             Value Name: [ SIG ], Value: [ 0x79b04eec0f762c4bad3017bac4150f5920332fc7d1d63954cd26fedf1009 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\27e1f7e2\4e1b5ff2\28 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], 
             Value Name: [ DisplayName ], Value: [ System.Xml,4.0.0.0,,b77a5c561934e089 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], 
             Value Name: [ LastModTime ], Value: [ 0xa019a50249cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], 
             Value Name: [ SIG ], Value: [ 0xc5001c24e7b69a47b45f038d12d280c5a05ed9d07250af4dfda78fa43f6f ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\34f474d5\65246f3f\7 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], 
             Value Name: [ DisplayName ], Value: [ Accessibility,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], 
             Value Name: [ LastModTime ], Value: [ 0xb0b518f748cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], 
             Value Name: [ SIG ], Value: [ 0x57ceb6d0aebee44a86da4080b3cee6719172a9d7469f0bdaa99f1daf6c55 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\491f93ce\3fe97dbf\17 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], 
             Value Name: [ DisplayName ], Value: [ System.Deployment,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], 
             Value Name: [ LastModTime ], Value: [ 0x5607dbfb48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], 
             Value Name: [ SIG ], Value: [ 0x30a1e4cabbcfa643b2c1db433397519b93fcf9ca788e7b63b5de5a6140e4 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\58364143\24da33f5\16 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], 
             Value Name: [ DisplayName ], Value: [ System,4.0.0.0,,b77a5c561934e089 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], 
             Value Name: [ LastModTime ], Value: [ 0x923ed9fd48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], 
             Value Name: [ SIG ], Value: [ 0x317b4fe04715534ba83d8704c85662619cb5d7d82f52e76c37ce1d20af69 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5a99e5cd\6598e7b6\8 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], 
             Value Name: [ DisplayName ], Value: [ System.Runtime.Serialization.Formatters.Soap,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], 
             Value Name: [ LastModTime ], Value: [ 0xccc2561749cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], 
             Value Name: [ SIG ], Value: [ 0x111e988ed985ba478d919c3054b95e4e26a34e9fec62bc33acb451c286f9 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d0933fc\a425901\27 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], 
             Value Name: [ DisplayName ], Value: [ System.Configuration,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], 
             Value Name: [ LastModTime ], Value: [ 0x189984f948cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], 
             Value Name: [ SIG ], Value: [ 0x15fa5d2766c57d40893a33ef21db2cef56a8a5d4c0ca417d1533e9b0d7b0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\5d94bc56\3b150cef\6 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], 
             Value Name: [ DisplayName ], Value: [ System.Security,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], 
             Value Name: [ LastModTime ], Value: [ 0x2029aaff48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], 
             Value Name: [ SIG ], Value: [ 0x1d175efd3ba191438dec6514f010658c6257289cff6e1d0690f3714305a6 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\62a6b5be\32040726\e ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], 
             Value Name: [ DisplayName ], Value: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], 
             Value Name: [ LastModTime ], Value: [ 0x820dabfe48cecb01 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], 
             Value Name: [ SIG ], Value: [ 0x08151e88e059db47a143982f9ad099a80b66942d7261045bb91131a930c6 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], 
             Value Name: [ Status ], Value: [ 4098 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\IL\910bc3f\306db89e\18 ], 
             Value Name: [ TargetedPatchBand ], Value: [ 0x01312e302e32312d30000000000000000000000000000000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ ConfigMask ], Value: [ 4361 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ ConfigString ], Value: [  ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ DisplayName ], Value: [ mscorlib,4.0.0.0,,b77a5c561934e089 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ ILDependencies ], Value: [ 0x42ca9914f8653465010000000400000000000000 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ MVID ], Value: [ 0x4ff1f12a08d455f195ba996fe77497c6 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\181938c6\1499ca42\1 ], 
             Value Name: [ Status ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ ConfigString ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ DisplayName ], Value: [ System,4.0.0.0,,b77a5c561934e089 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ ILDependencies ], Value: [ 0x56bc945def0c153b060000000400000000000000d574f4343f6f24650700 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ MVID ], Value: [ 0x161c6f80ad93b0505054d244f1c6243c ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ NIDependencies ], Value: [ 0xc638191842ca9914010000000400000000000000c638191842ca99140100 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\30bc7c4f\5a99e5cd\8 ], 
             Value Name: [ Status ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ ConfigString ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ DisplayName ], Value: [ System.Drawing,4.0.0.0,,b03f5f7f11d50a3a ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ ILDependencies ], Value: [ 0x3fbc10099eb86d30180000000400000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ MVID ], Value: [ 0x2fe09cc54a8390b20e380239db34228f ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ NIDependencies ], Value: [ 0xc638191842ca99140100000004000000000000004f7cbc30cde5995a0800 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\3cca06a0\910bc3f\18 ], 
             Value Name: [ Status ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ ConfigMask ], Value: [ 4361 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ ConfigString ], Value: [  ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ DisplayName ], Value: [ System.Windows.Forms,4.0.0.0,,b77a5c561934e089 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ ILDependencies ], Value: [ 0xce931f49bf7de93f17000000040000000000000056bc945def0c153b0600 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ MVID ], Value: [ 0xf3cdd09fc0acc85c7febbd2e2ef9c4e5 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ NIDependencies ], Value: [ 0xc638191842ca9914010000000400000000000000a006ca3c3fbc10091800 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\NI\61e7e666\27e1f7e2\16 ], 
             Value Name: [ Status ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\index80 ], 
             Value Name: [ ILUsageMask ], Value: [ 0xffffffffffffffffffffffffffffffff ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v4.0.30319_32\index80 ], 
             Value Name: [ NIUsageMask ], Value: [ 0xffffffffffffffffffffffffffffffff ], 2 times
        Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], 
             Value Name: [ Latest ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], 
             Value Name: [ LegacyPolicyTimeStamp ], Value: [ 0x0000000000000000 ], 1 time
        Key: [ HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default ], 
             Value Name: [ index1 ], Value: [ 0x00 ], 1 time
        Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting\DW\Installed ], 
             Value Name: [ DW0200 ], Value: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll ], 
             Value Name: [ CheckAppHelp ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ PC ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 
             Value Name: [ 1 ], Value: [ 1 ], 5 times
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 
             Value Name: [ 00000409 ], Value: [ 1 ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 
             Value Name: [ 00000C07 ], Value: [ 1 ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ NumShape ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ iCurrDigits ], Value: [ 2 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ iCurrency ], Value: [ 2 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ iDigits ], Value: [ 2 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ iNegCurr ], Value: [ 9 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ iNegNumber ], Value: [ 1 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sCurrency ], Value: [  ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sDecimal ], Value: [ , ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sGrouping ], Value: [ 3;0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sMonDecimalSep ], Value: [ , ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sMonGrouping ], Value: [ 3;0 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sMonThousandSep ], Value: [ . ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sNativeDigits ], Value: [ 0123456789 ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sNegativeSign ], Value: [ - ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sPositiveSign ], Value: [  ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\International ], 
             Value Name: [ sThousand ], Value: [ . ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
             Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\GDIPlus ], 
             Value Name: [ FontCachePath ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Application Data ], 1 time
        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time


[=============================================================================]
    2.b) MW3sa Repo.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\config\machine.config ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ PIPE\lsarpc ]
        File Name: [ WMIDataDevice ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 4 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 1 time
        File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ]
        File Name: [ C:\MW3sa Repo.exe ]
        File Name: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]
        File Name: [ C:\WINDOWS\FONTS\MICROSS.TTF ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clrjit.dll ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\culture.dll ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\locale.nlp ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll ]
        File Name: [ C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll ]
        File Name: [ C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2fe09cc54a8390b20e380239db34228f\System.Drawing.ni.dll ]
        File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f3cdd09fc0acc85c7febbd2e2ef9c4e5\System.Windows.Forms.ni.dll ]
        File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\161c6f80ad93b0505054d244f1c6243c\System.ni.dll ]
        File Name: [ C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\mscorlib.ni.dll ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\MSVCR100_CLR0400.dll ]
        File Name: [ C:\WINDOWS\system32\comctl32.dll ]
        File Name: [ C:\WINDOWS\system32\dciman32.dll ]
        File Name: [ C:\WINDOWS\system32\imm32.dll ]
        File Name: [ C:\WINDOWS\system32\mscoree.dll ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]
        File Name: [ C:\WINDOWS\system32\uxtheme.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) MW3sa Repo.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [  ]
        Executable: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ], Command Line: [ dw20.exe -x -s 444 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE ]


[=============================================================================]
    2.d) MW3sa Repo.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
        Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x30744bd ], 1 time

        Description: [ Exception 0xc000001e at 0x79aa8108 ], 278 times

        Description: [ Exception 0xc00000fd (STATUS_STACK_OVERFLOW) at 0x79495bc5 ], 1 time




[#############################################################################]
    3. DW20.EXE
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by MW3sa Repo.exe
        Filename:        DW20.EXE
        MD5:             a981419c39cc02259b8f2da3974000d9
        SHA-1:           905d359e2c5e8330d39b746132fa9779f52c0b93
        File Size:       637272 Bytes
        Command Line:    dw20.exe -x -s 444
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ],
               Base Address: [0x773D0000 ], Size: [0x00103000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]
        Module Name: [ C:\WINDOWS\system32\OLEACC.dll ],
               Base Address: [0x74C80000 ], Size: [0x0002C000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ],
               Base Address: [0x76080000 ], Size: [0x00065000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
        Module Name: [ C:\WINDOWS\system32\urlmon.dll ],
               Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\WININET.dll ],
               Base Address: [0x771B0000 ], Size: [0x000AA000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
    3.a) DW20.EXE - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], 
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], 
             Value Name: [ * ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time


[=============================================================================]
    3.b) DW20.EXE - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ]
        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
        File Name: [ C:\WINDOWS\system32\MSVCP60.dll ]
        File Name: [ C:\WINDOWS\system32\OLEACC.dll ]
        File Name: [ C:\WINDOWS\system32\OLEACCRC.DLL ]
        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
        File Name: [ C:\WINDOWS\system32\WININET.dll ]
        File Name: [ C:\WINDOWS\system32\urlmon.dll ]

Public Pastes

🤑 G2A.com Free Gift Card Guide Apr 2024 FIX 🤑
GetText | 7 min ago | 0.39 KB
NodeMCU Amica RC Bluino App
Arduino | 58 min ago | 7.51 KB
at_command_sim7600_en_reg
Arduino | 58 min ago | 4.25 KB
index.php
PHP | 1 hour ago | 3.38 KB
daftar.php
PHP | 1 hour ago | 4.10 KB
login.php
PHP | 1 hour ago | 3.49 KB
profil.php
PHP | 1 hour ago | 10.41 KB
album.php
PHP | 1 hour ago | 6.02 KB