CIC.exe is part of TRANQS and developed by unproofread according to the CIC.exe version information.
CIC.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected CIC.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on CIC.exe:
Property | Value |
---|---|
Product name | TRANQS |
Company name | unproofread |
Internal name | BASRIA9 |
Original filename | BASRIA9.exe |
Comments | UNFLUTED |
Product version | 1.06.0004 |
File version | 1.06.0004 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
Product name | TRANQS |
Company name | unproofread |
Internal name | BASRIA9 |
Original filename | BASRIA9.exe |
Comments | UNFLUTED |
Product version | 1.06.0004 |
File version | 1.06.0004 |
The verification of CIC.exe's digital signature failed.
Property | Value |
---|---|
Signer name | Organization nation 2017 (r) |
Certificate issuer name | Organization nation 2017 (r) |
Certificate serial number | 01 |
44 of the 66 anti-virus programs at VirusTotal detected the CIC.exe file. That's a 67% detection rate.
Scanner | Detection Name |
---|---|
Acronis | suspicious |
Ad-Aware | Trojan.GenericKD.41181222 |
AegisLab | Trojan.Multi.Generic.4!c |
AhnLab-V3 | Trojan/Win32.Injector.R262929 |
Alibaba | Trojan:MSIL/Crypt.1c5252fb |
ALYac | Trojan.GenericKD.41181222 |
Arcabit | Trojan.Generic.D2746026 |
Avast | Win32:DangerousSig [Trj] |
AVG | Win32:DangerousSig [Trj] |
Avira | TR/Injector.felgc |
BitDefender | Trojan.GenericKD.41181222 |
Bkav | HW32.Packed. |
ClamAV | Win.Trojan.VBGeneric-6932073-0 |
CrowdStrike | win/malicious_confidence_100% (W) |
Cybereason | malicious.c7c023 |
DrWeb | Trojan.DownLoader25.28394 |
eGambit | Unsafe.AI_Score_91% |
Emsisoft | Trojan.GenericKD.41181222 (B) |
Endgame | malicious (high confidence) |
ESET-NOD32 | a variant of Win32/Injector.EETJ |
F-Secure | Trojan.TR/Injector.felgc |
FireEye | Generic.mg.7fd50811d9aab156 |
Fortinet | W32/Crypt.EETJ!tr |
GData | Trojan.GenericKD.41181222 |
Ikarus | Trojan.Win32.Injector |
Invincea | heuristic |
K7AntiVirus | Trojan ( 0054b5261 ) |
K7GW | Trojan ( 0054b5261 ) |
Kaspersky | Trojan.MSIL.Crypt.hdoq |
McAfee | Artemis!7FD50811D9AA |
McAfee-GW-Edition | Artemis!Trojan |
Microsoft | VirTool:Win32/VBInject.ADN!bit |
MicroWorld-eScan | Trojan.GenericKD.41181222 |
NANO-Antivirus | Trojan.Win32.Crypt.fovsdv |
Paloalto | generic.ml |
Panda | Trj/GdSda.A |
Qihoo-360 | Win32/Trojan.faf |
Rising | Trojan.Injector!8.C4 (CLOUD) |
SentinelOne | DFI - Malicious PE |
Sophos | Mal/FareitVB-N |
Tencent | Msil.Trojan.Crypt.Angf |
Trapmine | malicious.high.ml.score |
TrendMicro-HouseCall | TROJ_GEN.R004C0DD719 |
ZoneAlarm | Trojan.MSIL.Crypt.hdoq |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{ "directory_created": [ "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs", "C:\\Program Files (x86)\\SAAS Host", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck" ], "dll_loaded": [ "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll", "kernel32", "ntdll", "api-ms-win-core-localization-l1-2-1", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll", "KERNEL32.dll", "MSVCRT.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\dnsapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll", "api-ms-win-core-synch-l1-2-0", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "AdvApi32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "user32", "OLEAUT32.DLL", "SspiCli.dll", "advapi32.dll", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll", "gdi32.dll", "kernel32.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll", "shell32.dll", "uxtheme.dll", "OLEAUT32.dll", "shell32", "SHELL32.dll", "dnsapi.dll", "psapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "VERSION.dll", "mscoree.dll", "RpcRtRemote.dll", "api-ms-win-core-fibers-l1-1-1", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll", "shfolder.dll", "SXS.DLL", "ADVAPI32.dll", "advapi32", "user32.dll", "ws2_32.dll" ], "file_opened": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "file_copied": [ [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe" ] ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global", "HKEY_CURRENT_USER\\Control Panel\\International", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\26d19501", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\292d2ab", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\4ecde57e\\31d9ddbb", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\a054161\\46043f61", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a" ], "command_line": [ "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host Task\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp\"", "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp\"", "\u0001C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin\" " ], "resolves_host": [ "snooper112.ddns.net" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\SAAS Host\\saashost.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin:Zone.Identifier" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources.dll", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin\\ClientPlugin.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\catalog.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin\\ClientPlugin.exe", "C:\\Windows\\System32\\C_932.NLS", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources.dll", "C:\\Windows\\System32\\C_950.NLS", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#\\Lzma#.exe", "C:\\Windows\\System32\\mscoree.dll.local", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Windows\\System32\\C_936.NLS", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin.config", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Exceptions\\1.2.2.0", "C:\\Users\\cuck", "C:\\Program Files (x86)\\SAAS Host", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\storage.dat", "C:\\Windows\\Globalization\\en.nlp", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bak", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin.exe", "C:\\Windows\\System32\\C_949.NLS", "C:\\Program Files (x86)", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#\\Lzma#.dll" ], "guid": [ "{2faba4c7-4da9-4013-9697-20cc3fd40f85}", "{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\BBF9E2E8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_enumerated": [ "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host" ] }
[ { "yara": [], "sha1": "4366f312a6fd45e554dd028d2bba61920adc31d9", "name": "39a6a8eb6b564a5e_tmpC23A.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp", "type": "XML 1.0 document, ASCII text, with CRLF line terminators", "sha256": "39a6a8eb6b564a5e6598c9b3b7525fef913933300dc0f72dcaf65969387bb60d", "urls": [], "crc32": "8A23BC09", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5922\/files\/39a6a8eb6b564a5e_tmpC23A.tmp", "ssdeep": null, "size": 1364, "sha512": "60a7cfca35ffd61a9e26d77d1d6585f15baa8f1935ac10a4ee2c77a4b18d05761edc314c3e904f649f774787b9443c2f56cac156b3d1a88393f4358970f9b597", "pids": [], "md5": "4f14cd6b3b3f90e48cba7c857ac448dc" }, { "yara": [], "sha1": "d1532d9eb1e47e41e8115259ad24b85feb0a5822", "name": "49bd801cf83f464a_tmpC374.tmp", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "type": "XML 1.0 document, ASCII text, with CRLF line terminators", "sha256": "49bd801cf83f464a549aae01bc3bcda633ab04713296f53d0dcb476586e8a78b", "urls": [], "crc32": "0D2F17F3", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5922\/files\/49bd801cf83f464a_tmpC374.tmp", "ssdeep": null, "size": 1308, "sha512": "9629c9824072365e473a58319608a1bb23bacc4c5aaed492c6c986cbb39a3ac9c5c12a3a1cb747d59a47b604d63f8842867ba9f5f98a4367a3e180a70c74e6e5", "pids": [], "md5": "c3878377b5757c255c1ccda54b9862e7" } ]
[ { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "process_name": "f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "pid": 2816, "summary": { "command_line": [ "\u0001C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin\" " ], "file_exists": [ "C:\\Windows\\System32\\C_949.NLS", "C:\\Windows\\System32\\C_932.NLS", "C:\\Windows\\System32\\C_950.NLS", "C:\\Windows\\System32\\C_936.NLS" ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions", "HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\BBF9E2E8", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession" ], "dll_loaded": [ "kernel32", "SXS.DLL", "ntdll", "RpcRtRemote.dll", "user32", "OLEAUT32.DLL", "shell32", "dwmapi.dll", "CRYPTSP.dll" ] }, "first_seen": 1583614384.6875, "ppid": 2016 }, { "process_path": "C:\\Windows\\SysWOW64\\schtasks.exe", "process_name": "schtasks.exe", "pid": 2184, "summary": { "file_opened": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "guid": [ "{2faba4c7-4da9-4013-9697-20cc3fd40f85}", "{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US" ], "dll_loaded": [ "VERSION.dll", "kernel32.dll", "SspiCli.dll" ] }, "first_seen": 1583614412.296125, "ppid": 344 }, { "process_path": "C:\\Windows\\SysWOW64\\schtasks.exe", "process_name": "schtasks.exe", "pid": 1500, "summary": { "file_opened": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls" ], "guid": [ "{2faba4c7-4da9-4013-9697-20cc3fd40f85}", "{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}" ], "file_read": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US" ], "dll_loaded": [ "VERSION.dll", "kernel32.dll", "SspiCli.dll" ] }, "first_seen": 1583614412.608625, "ppid": 344 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1583614384.34375, "ppid": 376 }, { "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "process_name": "f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "pid": 344, "summary": { "directory_created": [ "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs", "C:\\Program Files (x86)\\SAAS Host", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck" ], "dll_loaded": [ "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll", "kernel32", "ntdll", "api-ms-win-core-localization-l1-2-1", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll", "KERNEL32.dll", "MSVCRT.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\dnsapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll", "dwmapi.dll", "ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll", "api-ms-win-core-synch-l1-2-0", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll", "bcrypt.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll", "user32", "AdvApi32.dll", "advapi32.dll", "ole32.dll", "SHLWAPI.dll", "CRYPTSP.dll", "gdi32.dll", "kernel32.dll", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll", "ADVAPI32.dll", "uxtheme.dll", "OLEAUT32.dll", "shell32", "SHELL32.dll", "dnsapi.dll", "psapi.dll", "C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll", "ws2_32.dll", "mscoree.dll", "api-ms-win-core-fibers-l1-1-1", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll", "shfolder.dll", "shell32.dll", "advapi32", "user32.dll" ], "command_line": [ "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host Task\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp\"", "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp\"" ], "file_copied": [ [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe" ] ], "regkey_opened": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\4ecde57e\\31d9ddbb", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80", "HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a", "HKEY_CURRENT_USER\\Control Panel\\International", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a", "HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\292d2ab", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\26d19501", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5", "HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default", "HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Users|cuck|AppData|Local|Temp|f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\a054161\\46043f61", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064" ], "resolves_host": [ "snooper112.ddns.net" ], "file_deleted": [ "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\SAAS Host\\saashost.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp", "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin:Zone.Identifier" ], "file_exists": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources.dll", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin\\ClientPlugin.dll", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\catalog.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin\\ClientPlugin.exe", "C:\\Windows\\Globalization\\en-us.nlp", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#\\Lzma#.exe", "C:\\Windows\\System32\\mscoree.dll.local", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en-US\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bin", "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin.config", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Exceptions\\1.2.2.0", "C:\\Users\\cuck", "C:\\Program Files (x86)", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\storage.dat", "C:\\Windows\\Globalization\\en.nlp", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bak", "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe", "C:\\Users\\cuck\\AppData\\Local\\Temp\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll", "C:\\Program Files (x86)\\SAAS Host\\saashost.exe", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#.dll", "C:\\Users\\cuck\\AppData\\Local\\Temp\\ClientPlugin.exe", "C:\\Program Files (x86)\\SAAS Host", "C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Lzma#\\Lzma#.dll" ], "regkey_read": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName", "HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4" ], "directory_enumerated": [ "C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI", "C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll", "C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI", "C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI", "C:\\Windows", "C:\\Windows\\winsxs", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll", "C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI", "C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" ], "regkey_written": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host" ] }, "first_seen": 1583614398.780499, "ppid": 2816 } ]
[ { "markcount": 3, "families": [], "description": "Queries for the computername", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1583614412.874499, "tid": 2792, "flags": {} }, "pid": 344, "type": "call", "cid": 1901 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1583614412.389125, "tid": 2648, "flags": {} }, "pid": 2184, "type": "call", "cid": 39 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "GetComputerNameW", "return_value": 1, "arguments": { "computer_name": "CUCKPC" }, "time": 1583614412.718625, "tid": 2728, "flags": {} }, "pid": 1500, "type": "call", "cid": 39 } ], "references": [], "name": "antivm_queries_computername" }, { "markcount": 1, "families": [], "description": "Checks if process is being debugged by a debugger", "severity": 1, "marks": [ { "call": { "category": "system", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741700, "api": "IsDebuggerPresent", "return_value": 0, "arguments": {}, "time": 1583614411.858499, "tid": 2792, "flags": {} }, "pid": 344, "type": "call", "cid": 657 } ], "references": [], "name": "checks_debugger" }, { "markcount": 2, "families": [], "description": "Command line console output was observed", "severity": 1, "marks": [ { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "WriteConsoleW", "return_value": 1, "arguments": { "buffer": "SUCCESS: The scheduled task \"SAAS Host\" has successfully been created.\n", "console_handle": "0x00000007" }, "time": 1583614412.483125, "tid": 2648, "flags": {} }, "pid": 2184, "type": "call", "cid": 51 }, { "call": { "category": "misc", "status": 1, "stacktrace": [], "api": "WriteConsoleW", "return_value": 1, "arguments": { "buffer": "SUCCESS: The scheduled task \"SAAS Host Task\" has successfully been created.\n", "console_handle": "0x00000007" }, "time": 1583614412.749625, "tid": 2728, "flags": {} }, "pid": 1500, "type": "call", "cid": 52 } ], "references": [], "name": "console_output" }, { "markcount": 1, "families": [], "description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)", "severity": 1, "marks": [ { "category": "registry", "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid", "type": "ioc", "description": null } ], "references": [], "name": "recon_fingerprint" }, { "markcount": 1, "families": [], "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available", "severity": 1, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "GlobalMemoryStatusEx", "return_value": 1, "arguments": {}, "time": 1583614412.811499, "tid": 2792, "flags": {} }, "pid": 344, "type": "call", "cid": 1767 } ], "references": [], "name": "antivm_memory_available" }, { "markcount": 0, "families": [], "description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.", "severity": 2, "marks": [], "references": [], "name": "dumped_buffer" }, { "markcount": 6, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 28672, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x00610000" }, "time": 1583614384.8905, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 2816, "type": "call", "cid": 239 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 67108864, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 12288, "base_address": "0x038c0000" }, "time": 1583614398.6875, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 354 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 876544, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x77ba0000" }, "time": 1583614398.6875, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 413 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 344, "region_size": 28672, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 4096, "base_address": "0x003e0000" }, "time": 1583614398.843499, "tid": 1616, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 344, "type": "call", "cid": 4 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 344, "region_size": 67108864, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffff", "allocation_type": 12288, "base_address": "0x027c0000" }, "time": 1583614411.764499, "tid": 1616, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 344, "type": "call", "cid": 72 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 344, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 876544, "protection": 64, "process_handle": "0xffffffff", "base_address": "0x77ba0000" }, "time": 1583614411.764499, "tid": 1616, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 344, "type": "call", "cid": 129 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 2, "families": [], "description": "Creates a suspicious process", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host Task\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp\"", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp\"", "type": "ioc", "description": null } ], "references": [], "name": "suspicious_process" }, { "markcount": 2, "families": [], "description": "A process created a hidden window", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "CreateProcessInternalW", "return_value": 1, "arguments": { "thread_identifier": 2648, "thread_handle": "0x00000240", "process_identifier": 2184, "current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp", "filepath": "", "track": 1, "command_line": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp\"", "filepath_r": "", "stack_pivoted": 0, "creation_flags": 134217728, "process_handle": "0x00000244", "inherit_handles": 1 }, "time": 1583614412.233499, "tid": 2792, "flags": { "creation_flags": "CREATE_NO_WINDOW" } }, "pid": 344, "type": "call", "cid": 1599 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "CreateProcessInternalW", "return_value": 1, "arguments": { "thread_identifier": 2728, "thread_handle": "0x00000240", "process_identifier": 1500, "current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp", "filepath": "", "track": 1, "command_line": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host Task\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp\"", "filepath_r": "", "stack_pivoted": 0, "creation_flags": 134217728, "process_handle": "0x0000024c", "inherit_handles": 1 }, "time": 1583614412.530499, "tid": 2792, "flags": { "creation_flags": "CREATE_NO_WINDOW" } }, "pid": 344, "type": "call", "cid": 1615 } ], "references": [], "name": "stealth_window" }, { "markcount": 1, "families": [], "description": "Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "length": 24576, "protection": 32, "process_handle": "0xffffffff", "base_address": "0x00530000" }, "time": 1583614384.7815, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READ" } }, "pid": 2816, "type": "call", "cid": 18 } ], "references": [], "name": "protection_rx" }, { "markcount": 2, "families": [], "description": "The binary likely contains encrypted or compressed data indicative of a packer", "severity": 2, "marks": [ { "entropy": 7.707908768781962, "section": { "size_of_data": "0x00087000", "virtual_address": "0x00001000", "entropy": 7.707908768781962, "name": ".text", "virtual_size": "0x00086520" }, "type": "generic", "description": "A section with a high entropy has been found" }, { "entropy": 0.9926470588235294, "type": "generic", "description": "Overall entropy of this PE file is high" } ], "references": [ "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html", "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf" ], "name": "packer_entropy" }, { "markcount": 1, "families": [], "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege", "severity": 2, "marks": [ { "call": { "category": "system", "status": 1, "stacktrace": [], "api": "LookupPrivilegeValueW", "return_value": 1, "arguments": { "system_name": "", "privilege_name": "SeDebugPrivilege" }, "time": 1583614413.780499, "tid": 2296, "flags": {} }, "pid": 344, "type": "call", "cid": 1971 } ], "references": [], "name": "privilege_luid_check" }, { "markcount": 2, "families": [], "description": "Uses Windows utilities for basic Windows functionality", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host Task\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC374.tmp\"", "type": "ioc", "description": null }, { "category": "cmdline", "ioc": "\"schtasks.exe\" \/create \/f \/tn \"SAAS Host\" \/xml \"C:\\Users\\cuck\\AppData\\Local\\Temp\\tmpC23A.tmp\"", "type": "ioc", "description": null } ], "references": [ "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html" ], "name": "uses_windows_utilities" }, { "markcount": 2, "families": [], "description": "One or more of the buffers contains an embedded PE file", "severity": 3, "marks": [ { "category": "buffer", "ioc": "Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005", "type": "ioc", "description": null }, { "category": "buffer", "ioc": "Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251", "type": "ioc", "description": null } ], "references": [], "name": "dumped_buffer2" }, { "markcount": 1, "families": [], "description": "Installs itself for autorun at Windows startup", "severity": 3, "marks": [ { "type": "generic", "reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SAAS Host", "reg_value": "C:\\Program Files (x86)\\SAAS Host\\saashost.exe" } ], "references": [], "name": "persistence_autorun" }, { "markcount": 1, "families": [], "description": "Attempts to remove evidence of file being downloaded from the Internet", "severity": 3, "marks": [ { "category": "file", "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7.bin:Zone.Identifier", "type": "ioc", "description": null } ], "references": [], "name": "removes_zoneid_ads" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.1412341594696045, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 5226, "time": 9.187943935394287, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7070, "time": 3.0495569705963135, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7398, "time": 1.0369811058044434, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 7726, "time": 3.095258951187134, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8054, "time": 1.533653974533081, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 8382, "time": -0.09498405456542969, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 8710, "time": 1.562441110610962, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 28120, "time": 1.0708341598510742, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 36504, "time": 3.1429879665374756, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "97f664b1f7c855fc14f680d8b5572e807acf875acfb03e65700785b49cd88624", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "5b085f2f90ba6d0ffe6ae9679c9d677ad7bc7421857a02b490b7aab1af093580", "irc": [], "https_ex": [] }
The instructions below shows how to remove CIC.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the CIC.exe file for removal, restart your computer and scan it again to verify that CIC.exe has been successfully removed. Here are the removal instructions in more detail:
Property | Value |
---|---|
MD5 | 7fd50811d9aab15680a8e02e326b7cc9 |
SHA256 | f7a1dda52f79e872fe0c4e4894fc2a2a0a4266038201eac0422e754e6d9d34b7 |
These are some of the error messages that can appear related to cic.exe:
cic.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
cic.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
cic.exe has stopped working.
End Program - cic.exe. This program is not responding.
cic.exe is not a valid Win32 application.
cic.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with CIC.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.