Analysis

Category FILE
Package exe
Started 2019-09-11 13:17:54
Completed 2019-09-11 13:21:41
Duration 227 seconds
Options
route = internet
procdump = 1
Log
2019-09-11 14:17:55,000 [root] INFO: Date set to: 09-11-19, time set to: 13:17:55, timeout set to: 200
2019-09-11 14:17:55,015 [root] DEBUG: Starting analyzer from: C:\oshee
2019-09-11 14:17:55,015 [root] DEBUG: Storing results at: C:\aPfLRQdtZ
2019-09-11 14:17:55,015 [root] DEBUG: Pipe server name: \\.\PIPE\BwkwTj
2019-09-11 14:17:55,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 14:17:55,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 14:17:55,436 [root] DEBUG: Started auxiliary module Browser
2019-09-11 14:17:55,436 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 14:17:55,436 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 14:17:56,184 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2019-09-11 14:17:56,184 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 14:17:56,184 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 14:17:56,200 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 14:17:56,200 [root] DEBUG: Started auxiliary module Human
2019-09-11 14:17:56,200 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 14:17:56,200 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 14:17:56,200 [root] DEBUG: Started auxiliary module Usage
2019-09-11 14:17:56,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 14:17:56,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 14:17:56,232 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\1c.jpg" with arguments "" with pid 904
2019-09-11 14:17:56,232 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 14:17:56,232 [lib.api.process] INFO: 32-bit DLL to inject is C:\oshee\dll\uroKkdNk.dll, loader C:\oshee\bin\iUygNem.exe
2019-09-11 14:17:56,293 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\BwkwTj.
2019-09-11 14:17:56,293 [root] DEBUG: Loader: Injecting process 904 (thread 804) with C:\oshee\dll\uroKkdNk.dll.
2019-09-11 14:17:56,293 [root] DEBUG: Process image base: 0x00400000
2019-09-11 14:17:56,293 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\oshee\dll\uroKkdNk.dll.
2019-09-11 14:17:56,293 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00608000 - 0x77110000
2019-09-11 14:17:56,293 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c4 bytes for new import table at 0x00610000.
2019-09-11 14:17:56,293 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 14:17:56,293 [root] DEBUG: Successfully injected DLL C:\oshee\dll\uroKkdNk.dll.
2019-09-11 14:17:56,293 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 904
2019-09-11 14:17:58,306 [lib.api.process] INFO: Successfully resumed process with pid 904
2019-09-11 14:17:58,306 [root] INFO: Added new process to list with pid: 904
2019-09-11 14:17:58,322 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 14:17:58,322 [root] DEBUG: Process dumps enabled.
2019-09-11 14:17:58,384 [root] INFO: Disabling sleep skipping.
2019-09-11 14:17:58,384 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 14:17:58,384 [root] INFO: Disabling sleep skipping.
2019-09-11 14:17:58,384 [root] INFO: Disabling sleep skipping.
2019-09-11 14:17:58,384 [root] INFO: Disabling sleep skipping.
2019-09-11 14:17:58,384 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 904 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 14:17:58,384 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\1c.jpg".
2019-09-11 14:17:58,384 [root] INFO: Monitor successfully loaded in process with pid 904.
2019-09-11 14:18:38,803 [root] DEBUG: set_caller_info: Adding region at 0x036C0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-09-11 14:18:38,803 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 14:18:38,819 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-09-11 14:18:38,819 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\netapi32 (0x11000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\system32\netutils (0x9000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-09-11 14:18:39,148 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\profapi (0xb000 bytes).
2019-09-11 14:18:39,210 [root] DEBUG: DLL unloaded from 0x749B0000.
2019-09-11 14:18:39,210 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-09-11 14:18:39,240 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-09-11 14:18:39,240 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-09-11 14:18:39,256 [root] DEBUG: DLL unloaded from 0x754F0000.
2019-09-11 14:21:20,154 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-09-11 14:21:20,154 [root] INFO: Created shutdown mutex.
2019-09-11 14:21:21,168 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 904
2019-09-11 14:21:21,168 [root] INFO: Terminate event set for process 904.
2019-09-11 14:21:21,168 [root] INFO: Terminating process 904 before shutdown.
2019-09-11 14:21:21,168 [root] INFO: Waiting for process 904 to exit.
2019-09-11 14:21:22,183 [root] INFO: Waiting for process 904 to exit.
2019-09-11 14:21:23,197 [root] INFO: Waiting for process 904 to exit.
2019-09-11 14:21:24,210 [root] INFO: Waiting for process 904 to exit.
2019-09-11 14:21:25,224 [lib.api.process] INFO: Successfully terminated process with pid 904.
2019-09-11 14:21:25,224 [root] INFO: Waiting for process 904 to exit.
2019-09-11 14:21:26,239 [root] INFO: Shutting down package.
2019-09-11 14:21:26,239 [root] INFO: Stopping auxiliary modules.
2019-09-11 14:21:26,239 [root] INFO: Finishing auxiliary modules.
2019-09-11 14:21:26,239 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 14:21:26,239 [root] WARNING: File at path "C:\aPfLRQdtZ\debugger" does not exist, skip.
2019-09-11 14:21:26,239 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-09-11 13:17:54
Shutdown On 2019-09-11 13:21:40

File Details

File Name 1c.jpg
File Size 1389232 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 213c61e2bade76ec0e58b31d355a025a
SHA1 3582c92de55cc10196d6debca1dfd6acf883b4c1
SHA256 0586988c09f3b3047caecd776efc8d21b8285b2fe919c321ee8b4bc593249774
SHA512 c5b1f7a1dc7be16c6ca0c40533e2d4b3a99be9ce2bbffc4c81a412e912d34dca3eff05730260d82f11c52c1ab42228219fe498ec8da8e90c72ab22bfba3997cb
CRC32 4EEE3317
Ssdeep 24576:htPLf3UeTgLPgOzwUi9ERQm85EKXqKi7b:h1fUeTwPJzk98e7i7b
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/mknjht34tfserdgfwGetProcAddress
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryExA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHELL32.dll/SHGetMalloc
DynamicLoader: USER32.dll/CharUpperA
DynamicLoader: WS2_32.dll/
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/CreatePipe
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/SetHandleInformation
DynamicLoader: kernel32.dll/PeekNamedPipe
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalMemoryStatusEx
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetConsoleCtrlHandler
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/GetTimeFormatA
DynamicLoader: kernel32.dll/GetDateFormatA
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/WriteConsoleA
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetTimeZoneInformation
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CompareStringA
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/GlobalMemoryStatus
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/FlushConsoleInputBuffer
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/VerifyVersionInfoA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/FormatMessageA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: kernel32.dll/ReleaseSemaphore
DynamicLoader: kernel32.dll/CreateSemaphoreA
DynamicLoader: kernel32.dll/GetQueuedCompletionStatus
DynamicLoader: kernel32.dll/GetFileInformationByHandle
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/LockFile
DynamicLoader: kernel32.dll/UnlockFile
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetSystemDirectoryA
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/GetFullPathNameA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/GetDriveTypeA
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/SetConsoleMode
DynamicLoader: kernel32.dll/ReadConsoleInputA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: ADVAPI32.dll/DeregisterEventSource
DynamicLoader: ADVAPI32.dll/RegisterEventSourceA
DynamicLoader: ADVAPI32.dll/ReportEventA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHELL32.dll/SHGetMalloc
DynamicLoader: SHELL32.dll/SHGetSpecialFolderLocation
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathA
DynamicLoader: SHELL32.dll/SHGetPathFromIDListA
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/CharUpperA
DynamicLoader: USER32.dll/CharLowerW
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/CharUpperW
DynamicLoader: WS2_32.dll/freeaddrinfo
DynamicLoader: WS2_32.dll/getaddrinfo
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/MoveFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/DeviceIoControl
DynamicLoader: kernel32.dll/GetShortPathNameW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/CreatePipe
DynamicLoader: kernel32.dll/SetHandleInformation
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/PeekNamedPipe
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHGetKnownFolderPath
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: USER32.dll/GetDesktopWindow
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/DrawTextW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/CharUpperW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/CreateCompatibleBitmap
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/CreateBrushIndirect
DynamicLoader: GDI32.dll/SetTextColor
DynamicLoader: GDI32.dll/SetBkColor
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/GetObjectA
DynamicLoader: GDI32.dll/CreateFontIndirectA
DynamicLoader: GDI32.dll/CreateDIBSection
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: GDI32.dll/ExtFloodFill
DynamicLoader: netapi32.dll/NetServerGetInfo
DynamicLoader: netapi32.dll/NetApiBufferFree
DynamicLoader: netapi32.dll/NetWkstaGetInfo
DynamicLoader: kernel32.dll/SetProcessDEPPolicy
DynamicLoader: netapi32.dll/NetStatisticsGet
DynamicLoader: netapi32.dll/NetApiBufferFree
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: 1c.jpg/_OPENSSL_isservice
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: USER32.dll/GetQueueStatus
Reads data out of its own binary image
self_read: process: 1c.jpg, pid: 904, offset: 0x00000000, length: 0x001532b0
Performs some HTTP requests
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
data: "C:\ProgramData\Windows\csrss.exe"
Collects information about installed applications
Program: Adobe Reader 9
Program: Microsoft Office Home and Business 2010
Program: Python 2.7.6
Program: Microsoft Office Single Image 2010
Program: Update for Microsoft OneNote 2010
Program: Adobe AIR
Program: Microsoft Office Excel MUI 2010
Program: Update for Microsoft Outlook Social Connector (Traditional Chinese display name "Microsoft Outlook Social Connector 的更新", stored in Big5 and mis-decoded in the original)
Program: Microsoft Office Publisher MUI 2010
Program: Microsoft Office Shared MUI 2010
Program: Microsoft Office PowerPoint MUI 2010
Program: Microsoft Office Outlook MUI 2010
Program: Update for Microsoft Office 2010
Program: Definition update for Microsoft Office 2010
Program: Java 7
Program: Microsoft Office Proof 2010
Program: Python 2.7 PIL-1.1.7
Program: Microsoft Office Access MUI 2010
Program: Microsoft Office Access Setup Metadata MUI 2010
Program: Security Update for Microsoft Publisher 2010
Program: Security Update for Microsoft Word 2010
Program: Java Auto Updater
Program: Update for Microsoft Outlook Social Connector
Program: Microsoft Office Word MUI 2010
Program: Java SE Development Kit 7
Program: Microsoft Office Shared Setup Metadata MUI 2010
Program: Microsoft Office Proofing 2010
Program: Acrobat.com
Program: Security Update for Microsoft Office 2010
Program: Microsoft Office OneNote MUI 2010
Creates a hidden or system file
file: C:\ProgramData\Windows\
Network activity detected but not expressed in API logs
Creates a copy of itself
copy: C:\ProgramData\Windows\csrss.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
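The checksum anomaly comes from the PE optional header: a linker (or a packer that bothers) writes a CheckSum into OptionalHeader.CheckSum, and a stored value that is non-zero yet disagrees with the file contents means the image was altered after that field was filled in, which is what packed or patched samples look like. The self_read entry above fits the same picture: its length 0x1532b0 is 1,389,232 bytes, exactly the file size, so the running process reads its whole image back from disk. The script below is an added example, not part of the CAPE report or of the CAPE code base. It re-implements the Windows checksum algorithm in Python, classifies a file as unset, ok or mismatch, and exercises the three cases on a constructed minimal PE32 header (no bytes of the sample are embedded). To check the real file, call check_pe_checksum on its bytes.

```python
import struct


def pe_checksum(data, checksum_offset):
    """Compute the PE CheckSum the way imagehlp!CheckSumMappedFile does: a
    ones'-complement sum of every 16-bit little-endian word in the file,
    skipping the 4-byte OptionalHeader.CheckSum field at checksum_offset,
    with the file length added at the end."""
    total = 0
    n = len(data)
    for off in range(0, n - (n % 2), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue                                  # the field itself is never summed
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # fold the carry back in
    if n % 2:                                         # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + n


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum; identical for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64   # signature + COFF header + 64 bytes into the optional header


def check_pe_checksum(data):
    """Return (stored, computed, verdict) with verdict 'unset', 'ok' or
    'mismatch'.  A stored value of 0 means nobody ever set the field (common
    for non-Microsoft linkers) and is not the anomaly the report flags."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return stored, computed, verdict


def stamp_checksum(data):
    """Return a copy of data with a correct CheckSum written into the header
    (the last step a linker performs)."""
    buf = bytearray(data)
    off = checksum_field_offset(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_minimal_pe(body=b"\xCC" * 64):
    """Constructed stand-in for a real binary (no sample bytes embedded):
    DOS header, PE signature, COFF header, a PE32 optional header with
    CheckSum = 0, one section header and a small opaque body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    # i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    section = bytearray(40)
    section[:5] = b".text"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section) + body


if __name__ == "__main__":
    fresh = build_minimal_pe()
    stamped = stamp_checksum(fresh)
    tampered = stamped[:-1] + bytes([stamped[-1] ^ 0xFF])   # patch one byte after the header
    for name, blob in (("fresh", fresh), ("stamped", stamped), ("tampered", tampered)):
        stored, computed, verdict = check_pe_checksum(blob)
        print("%-9s stored=0x%08x computed=0x%08x -> %s" % (name, stored, computed, verdict))
```

The verdict is deliberately three-valued: most non-Microsoft toolchains leave the field at zero, so only a non-zero stored value that disagrees with the recomputed one is worth flagging, and the sample's header falls in that third bucket.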

Hosts

Direct IP Country Name
N 93.184.221.240 Europe
Y 8.8.8.8 United States

DNS

Name Response
www.download.windowsupdate.com
  CNAME cs11.wpc.v0cdn.net
  CNAME 2-01-3cf7-0009.cdx.cedexis.net
  CNAME wu.ec.azureedge.net
  CNAME hlb.apr-52dd2-0.edgecastdns.net
  CNAME wu.wpc.apr-52dd2.edgecastdns.net
  CNAME wu.azureedge.net
  A 93.184.221.240

Summary

C:\
C:\Users\user\AppData\Local\Temp\1c.jpg
C:\ProgramData\System32\xmail
C:\Users\user\AppData\Roaming\System32\xmail
C:\Users\user\AppData\Local\Temp\6893A5D897\
C:\ProgramData\System32\xVersion
C:\Users\user\AppData\Local\Temp\6893A5D897
C:\Users\user\AppData\Roaming\System32\xVersion
C:\ProgramData\Windows\
C:\*
C:\Windows\*
\??\PIPE\wkssvc
C:\Windows\SoftwareDistribution\*
C:\Windows\SoftwareDistribution\SelfUpdate\*
C:\Windows\SoftwareDistribution\SelfUpdate\Handler\*
C:\Windows\SoftwareDistribution\Download\*
C:\Windows\SoftwareDistribution\DataStore\*
C:\Windows\SoftwareDistribution\DataStore\Logs\*
C:\Windows\SoftwareDistribution\AuthCabs\*
C:\Windows\ShellNew\*
C:\ProgramData\Windows\csrss.exe
C:\DosDevices\pipe\
\??\PIPE\srvsvc
C:\Windows\winsxs\*
C:\ProgramData\System32\xmail
C:\Users\user\AppData\Roaming\System32\xmail
C:\ProgramData\System32\xVersion
C:\Users\user\AppData\Roaming\System32\xVersion
\??\PIPE\wkssvc
C:\Users\user\AppData\Local\Temp\1c.jpg
\??\PIPE\srvsvc
\??\PIPE\wkssvc
C:\ProgramData\Windows\csrss.exe
\??\PIPE\srvsvc
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CLASSES_ROOT\Interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\
HKEY_CURRENT_USER\SOFTWARE\System32\Configuration\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xi
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xmail
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xVersion
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77DCDCE3-2DED-62F3-8154-05E745472D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{77DCDCE3-2DED-62F3-8154-05E745472D07}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{77DCDCE3-2DED-62F3-8154-05E745472D07}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\WindowsInstaller
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\DisplayName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\SystemComponent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\ParentKeyName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\WindowsInstaller
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
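Two things in the key list above deserve more than a glance: the single `HKEY_CURRENT_USER\...\CurrentVersion\Run` value named `Client Server Runtime Subsystem` (an autostart entry whose name is borrowed from the Windows CSRSS component), and the long run of `Uninstall\<product>\DisplayName` / `SystemComponent` reads, which is what an installed-software inventory looks like at registry level. The script below is an added triage example, not part of this report and not CAPE's own code: it takes a list of registry paths as logged here and groups them into findings. The sample input is a constructed subset copied from the listing above; the autostart key names, the look-alike name list, the "fake system directory" rule for keys such as `HKLM\SOFTWARE\Wow6432Node\System32\...`, and the inventory threshold are this example's own heuristics, not a documented standard.

```python
"""Triage registry paths logged by a sandbox run.

Added example, not part of the original report or of the sandbox's code.
Indicator lists and thresholds below are the example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of the paths in the report listing above.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\DisplayName",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\DisplayName",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}\SystemComponent",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\DisplayName",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xmail",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)",
]

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Autostart key names under ...\CurrentVersion\ (assumption: the common ones).
ASEP_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}

# Value names a dropper might reuse to look like a Windows component
# (hypothetical list chosen for this example).
LOOKALIKE_NAMES = {
    "client server runtime subsystem", "csrss", "svchost", "lsass",
    "winlogon", "explorer", "windows update", "windows defender",
}

# Top-level names under HKLM\SOFTWARE that mimic filesystem directories;
# heuristic: stock Windows does not keep keys there.
FAKE_SYSTEM_DIRS = {"system32", "syswow64", "windows"}

UNINSTALL_RE = re.compile(
    r"^hkey_(?:local_machine|current_user)\\software\\(?:wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\uninstall\\(?P<sub>[^\\]+)", re.I)
ASEP_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\"
    r"(?P<key>[^\\]+)\\(?P<value>[^\\]+)$", re.I)
FAKE_DIR_RE = re.compile(
    r"^hkey_local_machine\\software\\(?:wow6432node\\)?(?P<top>[^\\]+)\\", re.I)


@dataclass
class Finding:
    category: str
    detail: str
    paths: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Expand HKLM/HKCU aliases and collapse doubled backslashes."""
    path = re.sub(r"\\+", r"\\", path.strip())
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive) + sep + rest


def triage(keys, inventory_threshold=5):
    """Classify registry paths; returns findings in order of discovery,
    with Uninstall reads and fake-directory keys reported in aggregate."""
    findings, uninstall_subkeys, uninstall_paths, fake_dirs = [], set(), [], {}
    for raw in keys:
        path = normalize(raw)
        m = UNINSTALL_RE.match(path)
        if m:  # installed-software inventory; counted, reported once below
            uninstall_subkeys.add(m.group("sub").lower())
            uninstall_paths.append(path)
            continue
        m = ASEP_RE.search(path)
        if m and m.group("key").lower() in ASEP_KEYS:
            value = m.group("value")
            category = "persistence"
            detail = f"autostart value {value!r} under {m.group('key')}"
            if value.lower() in LOOKALIKE_NAMES:
                category = "persistence-masquerade"
                detail += " (name imitates a Windows component)"
            findings.append(Finding(category, detail, [path]))
            continue
        m = FAKE_DIR_RE.match(path)
        if m and m.group("top").lower() in FAKE_SYSTEM_DIRS:
            fake_dirs.setdefault(m.group("top"), []).append(path)
    for top, paths in fake_dirs.items():
        findings.append(Finding(
            "suspicious-key", f"non-standard key {top!r} directly under HKLM\\SOFTWARE", paths))
    if len(uninstall_subkeys) >= inventory_threshold:
        findings.append(Finding(
            "software-inventory",
            f"enumerated {len(uninstall_subkeys)} Uninstall subkeys", uninstall_paths))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEYS):
        print(f"[{f.category}] {f.detail} ({len(f.paths)} paths)")
```

Run against the sample, it yields one `persistence-masquerade` finding for the Run value, one `suspicious-key` finding covering both `System32\Configuration` values, and one `software-inventory` finding summarising the Uninstall reads; the Interface `(Default)` read matches nothing and is left alone. Feeding it the full list from the report only changes the inventory count.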
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xmail
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.SingleImage\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217000FF}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0170000}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{77DCDCE3-2DED-62F3-8154-05E745472D07}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{77DCDCE3-2DED-62F3-8154-05E745472D07}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{E966C940-CC8C-4EC0-8D84-ED27AC20D53C}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{1D1A4F08-2F17-475B-BA72-476CE5992FEE}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{556146F7-74AE-4E0A-B64F-5B8B93469F61}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{6C845127-B949-4D76-A732-BCB396AD9AA5}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{75F91382-920C-4AE1-B9E6-FFFCEDA797E8}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{86B7A074-265D-420C-9E1E-7A920EF0ECA7}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A6D422EE-1196-45EE-B9AE-6B5B64975E8B}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B5516874-E926-4BFD-B412-D0E70112F244}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{C3C277D5-36E3-4B1A-926A-175B2BC019CF}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D6CE7280-6EE3-419A-8F47-DB111C040B1B}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F134C2C6-30B3-4169-A325-58482B4CE6FC}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-0000-0000000FF1CE}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\SystemComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\ParentKeyName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E2}\WindowsInstaller
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\DisplayName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\SystemComponent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\ParentKeyName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PIL-py2.7\WindowsInstaller
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xi
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\xVersion
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.SetErrorMode
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
kernel32.dll.LoadLibraryA
kernel32.dll.ExitProcess
advapi32.dll.RegCloseKey
oleaut32.dll.#6
shell32.dll.SHGetMalloc
user32.dll.CharUpperA
ws2_32.dll.#1
kernel32.dll.Sleep
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.OpenProcess
kernel32.dll.CreatePipe
kernel32.dll.CreateProcessA
kernel32.dll.GetExitCodeProcess
kernel32.dll.SetHandleInformation
kernel32.dll.PeekNamedPipe
kernel32.dll.LocalFree
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.CreateFileMappingA
kernel32.dll.InitializeCriticalSection
kernel32.dll.InterlockedDecrement
kernel32.dll.ReadFile
kernel32.dll.CreateFileW
kernel32.dll.GetLastError
kernel32.dll.TerminateProcess
kernel32.dll.GetCurrentProcess
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.IsDebuggerPresent
kernel32.dll.GetCommandLineA
kernel32.dll.GetStartupInfoA
kernel32.dll.RaiseException
kernel32.dll.RtlUnwind
kernel32.dll.GetModuleHandleW
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.TlsSetValue
kernel32.dll.TlsFree
kernel32.dll.InterlockedIncrement
kernel32.dll.SetLastError
kernel32.dll.GetCurrentThreadId
kernel32.dll.HeapSize
kernel32.dll.GetStdHandle
kernel32.dll.GetModuleFileNameA
kernel32.dll.FreeEnvironmentStringsA
kernel32.dll.GetEnvironmentStrings
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.SetHandleCount
kernel32.dll.GetFileType
kernel32.dll.DeleteCriticalSection
kernel32.dll.HeapCreate
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetTickCount
kernel32.dll.GetCurrentProcessId
kernel32.dll.SetEvent
kernel32.dll.GetACP
kernel32.dll.DeleteFileA
kernel32.dll.IsValidCodePage
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.GetConsoleCP
kernel32.dll.GetConsoleMode
kernel32.dll.FlushFileBuffers
kernel32.dll.MultiByteToWideChar
kernel32.dll.LCMapStringA
kernel32.dll.LCMapStringW
kernel32.dll.HeapReAlloc
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.FreeLibrary
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.GetLocaleInfoA
kernel32.dll.GetStringTypeA
kernel32.dll.GetStringTypeW
kernel32.dll.GetTimeFormatA
kernel32.dll.GetDateFormatA
kernel32.dll.SetStdHandle
kernel32.dll.WriteConsoleA
kernel32.dll.GetConsoleOutputCP
kernel32.dll.WriteConsoleW
kernel32.dll.GetTimeZoneInformation
kernel32.dll.SetEndOfFile
kernel32.dll.CompareStringA
kernel32.dll.CompareStringW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.GetSystemInfo
kernel32.dll.OpenEventA
kernel32.dll.ResetEvent
kernel32.dll.ResumeThread
kernel32.dll.SystemTimeToFileTime
kernel32.dll.WaitForMultipleObjects
kernel32.dll.SetWaitableTimer
kernel32.dll.CreateWaitableTimerA
kernel32.dll.GetVersion
kernel32.dll.GlobalMemoryStatus
kernel32.dll.GetVersionExA
kernel32.dll.FlushConsoleInputBuffer
kernel32.dll.VerSetConditionMask
kernel32.dll.SleepEx
kernel32.dll.VerifyVersionInfoA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.FormatMessageA
kernel32.dll.MapViewOfFile
kernel32.dll.GetFileSize
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
kernel32.dll.ReleaseSemaphore
kernel32.dll.CreateSemaphoreA
kernel32.dll.GetQueuedCompletionStatus
kernel32.dll.GetFileInformationByHandle
kernel32.dll.MoveFileA
kernel32.dll.LockFile
kernel32.dll.UnlockFile
kernel32.dll.GetModuleFileNameW
kernel32.dll.LoadLibraryW
kernel32.dll.CreateDirectoryA
kernel32.dll.GetOEMCP
kernel32.dll.WaitForSingleObject
kernel32.dll.GetCPInfo
kernel32.dll.CreateEventA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.GetFullPathNameA
kernel32.dll.FindFirstFileA
kernel32.dll.GetDriveTypeA
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.FindClose
kernel32.dll.SetConsoleMode
kernel32.dll.ReadConsoleInputA
kernel32.dll.CreateThread
kernel32.dll.ExitThread
kernel32.dll.VirtualQuery
advapi32.dll.DeregisterEventSource
advapi32.dll.RegisterEventSourceA
advapi32.dll.ReportEventA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegOpenKeyExA
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptGenRandom
oleaut32.dll.#9
oleaut32.dll.#2
shell32.dll.SHGetSpecialFolderLocation
shell32.dll.SHGetSpecialFolderPathA
shell32.dll.SHGetPathFromIDListA
user32.dll.MessageBoxA
user32.dll.CharLowerW
user32.dll.GetUserObjectInformationW
user32.dll.GetDesktopWindow
user32.dll.GetProcessWindowStation
user32.dll.CharUpperW
ws2_32.dll.freeaddrinfo
ws2_32.dll.getaddrinfo
ws2_32.dll.#17
ws2_32.dll.#55
ws2_32.dll.#54
ws2_32.dll.#13
ws2_32.dll.#8
ws2_32.dll.#14
ws2_32.dll.#57
ws2_32.dll.#52
ws2_32.dll.#10
ws2_32.dll.#19
ws2_32.dll.#18
ws2_32.dll.#151
ws2_32.dll.#5
ws2_32.dll.WSAIoctl
ws2_32.dll.#4
ws2_32.dll.#111
ws2_32.dll.#9
ws2_32.dll.#15
ws2_32.dll.#20
ws2_32.dll.#22
ws2_32.dll.#6
ws2_32.dll.#21
ws2_32.dll.#16
ws2_32.dll.#2
ws2_32.dll.#23
ws2_32.dll.#112
ws2_32.dll.#3
ws2_32.dll.#7
ws2_32.dll.#115
ws2_32.dll.#116
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.GetComputerNameW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetVolumeInformationW
kernel32.dll.GetDriveTypeW
kernel32.dll.GetSystemDirectoryW
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.GetWindowsDirectoryW
kernel32.dll.GetTempPathW
kernel32.dll.FindFirstFileW
kernel32.dll.FindNextFileW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetFileAttributesW
kernel32.dll.MoveFileW
kernel32.dll.CreateDirectoryW
kernel32.dll.DeleteFileW
kernel32.dll.CopyFileW
kernel32.dll.DeviceIoControl
kernel32.dll.GetShortPathNameW
kernel32.dll.GetVersionExW
kernel32.dll.CreateProcessW
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegSetValueExW
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegEnumKeyW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.GetUserNameW
shell32.dll.SHGetFolderPathW
shell32.dll.ShellExecuteW
shell32.dll.SHGetKnownFolderPath
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoCreateInstance
ole32.dll.CoInitializeSecurity
ole32.dll.CoSetProxyBlanket
ole32.dll.CoTaskMemFree
oleaut32.dll.VariantClear
user32.dll.GetWindowRect
user32.dll.GetDC
user32.dll.DrawTextW
user32.dll.SystemParametersInfoW
user32.dll.GetForegroundWindow
gdi32.dll.CreateCompatibleDC
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.SelectObject
gdi32.dll.DeleteObject
gdi32.dll.DeleteDC
gdi32.dll.CreateBrushIndirect
gdi32.dll.SetTextColor
gdi32.dll.SetBkColor
gdi32.dll.GetCurrentObject
gdi32.dll.GetObjectA
gdi32.dll.CreateFontIndirectA
gdi32.dll.CreateDIBSection
gdi32.dll.BitBlt
gdi32.dll.ExtFloodFill
netapi32.dll.NetServerGetInfo
netapi32.dll.NetApiBufferFree
netapi32.dll.NetWkstaGetInfo
kernel32.dll.SetProcessDEPPolicy
netapi32.dll.NetStatisticsGet
advapi32.dll.CryptAcquireContextW
advapi32.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
user32.dll.GetCursorInfo
user32.dll.GetQueueStatus

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00406d9b
Reported Checksum 0x0015e653
Actual Checksum 0x0015466a
Minimum OS Version 5.0
Compile Time 2019-08-29 08:12:31
Import Hash 39bc5cee818f36aa107b1062d5a11d2f

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000be0e 0x0000c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 4.83
.rdata 0x0000d000 0x00141214 0x00141400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.25
.data 0x0014f000 0x00001c5c 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.05
.rsrc 0x00151000 0x000b6328 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.62

Overlay

Offset 0x00151e00
Size 0x000014b0

Imports

Library KERNEL32.dll:
0x40d054 FindResourceExW
0x40d058 FindResourceW
0x40d05c FlushFileBuffers
0x40d060 FormatMessageA
0x40d06c FreeLibrary
0x40d070 GetACP
0x40d074 GetCPInfo
0x40d078 GetCommandLineA
0x40d07c GetCommandLineW
0x40d080 GetConsoleCP
0x40d084 GetConsoleMode
0x40d088 GetCurrentProcess
0x40d08c GetCurrentProcessId
0x40d090 GetCurrentThreadId
0x40d094 GetDiskFreeSpaceA
0x40d0a4 GetFileAttributesA
0x40d0ac GetFileType
0x40d0b0 GetLastError
0x40d0b4 GetLocalTime
0x40d0b8 GetLocaleInfoA
0x40d0bc GetModuleFileNameA
0x40d0c0 GetModuleFileNameW
0x40d0c4 GetModuleHandleA
0x40d0c8 GetModuleHandleExW
0x40d0cc GetModuleHandleW
0x40d0d0 GetOEMCP
0x40d0dc GetProcAddress
0x40d0e0 GetProcessHeap
0x40d0e8 GetProfileSectionW
0x40d0ec GetStartupInfoA
0x40d0f0 GetStartupInfoW
0x40d0f4 GetStdHandle
0x40d0f8 GetStringTypeA
0x40d0fc GetStringTypeW
0x40d100 GetSystemDirectoryA
0x40d104 GetSystemInfo
0x40d10c GetThreadPriority
0x40d110 GetTickCount
0x40d114 GetUserDefaultLCID
0x40d118 GetVersionExA
0x40d11c GlobalAddAtomW
0x40d120 GlobalHandle
0x40d124 HeapAlloc
0x40d128 HeapCreate
0x40d12c HeapDestroy
0x40d130 HeapFree
0x40d134 HeapReAlloc
0x40d138 HeapSize
0x40d140 InitializeSListHead
0x40d148 InterlockedExchange
0x40d14c IsDBCSLeadByteEx
0x40d150 IsDebuggerPresent
0x40d158 IsValidCodePage
0x40d15c LCMapStringA
0x40d160 LCMapStringW
0x40d168 FindNextFileW
0x40d16c LoadLibraryExW
0x40d170 LoadModule
0x40d174 LoadResource
0x40d178 LocalFree
0x40d17c LocalSize
0x40d180 LocalUnlock
0x40d184 LockResource
0x40d188 MoveFileA
0x40d18c MulDiv
0x40d190 MultiByteToWideChar
0x40d194 OutputDebugStringA
0x40d198 OutputDebugStringW
0x40d19c PeekNamedPipe
0x40d1a4 RaiseException
0x40d1ac RtlUnwind
0x40d1b0 RtlZeroMemory
0x40d1b8 SetConsoleCP
0x40d1bc SetFileApisToANSI
0x40d1c0 SetFilePointer
0x40d1c4 SetFilePointerEx
0x40d1c8 SetHandleCount
0x40d1cc SetLastError
0x40d1d0 SetStdHandle
0x40d1d4 SetTapeParameters
0x40d1d8 SetThreadLocale
0x40d1dc SetThreadUILanguage
0x40d1e0 SetTimerQueueTimer
0x40d1e8 SizeofResource
0x40d1ec TerminateProcess
0x40d1f0 TlsAlloc
0x40d1f4 TlsFree
0x40d1f8 TlsGetValue
0x40d1fc TlsSetValue
0x40d208 UnlockFile
0x40d20c VirtualAlloc
0x40d210 VirtualAllocEx
0x40d214 VirtualFree
0x40d218 VirtualProtect
0x40d21c VirtualQuery
0x40d220 WideCharToMultiByte
0x40d224 WriteConsoleW
0x40d228 WriteFile
0x40d234 lstrcatA
0x40d238 lstrcpyA
0x40d23c lstrcpyW
0x40d240 lstrcpynW
0x40d244 lstrlenW
0x40d24c Sleep
0x40d250 FindNextFileA
0x40d254 FindFirstFileExW
0x40d258 FindClose
0x40d25c FindAtomW
0x40d260 ExitProcess
0x40d264 EnumDateFormatsW
0x40d26c DeviceIoControl
0x40d270 DeleteFileA
0x40d278 DecodePointer
0x40d27c CreateSemaphoreW
0x40d280 CreateSemaphoreA
0x40d284 CreateHardLinkA
0x40d288 CreateFileW
0x40d28c CreateDirectoryA
0x40d290 CopyFileW
0x40d294 CloseHandle
0x40d298 CallNamedPipeA
0x40d29c LoadLibraryA
0x40d2a0 AreFileApisANSI
Library USER32.dll:
0x40d2b0 IMPSetIMEW
0x40d2b4 IntersectRect
0x40d2b8 InvalidateRect
0x40d2bc IsCharLowerA
0x40d2c0 IsDialogMessage
0x40d2c4 KillTimer
0x40d2c8 LoadAcceleratorsW
0x40d2cc LoadCursorW
0x40d2d0 LoadIconW
0x40d2d4 LoadMenuW
0x40d2d8 LoadStringW
0x40d2dc LockWindowUpdate
0x40d2e0 MapWindowPoints
0x40d2e4 MessageBoxW
0x40d2e8 ModifyMenuA
0x40d2ec MonitorFromRect
0x40d2f0 MoveWindow
0x40d2f4 OpenWindowStationW
0x40d2f8 PeekMessageW
0x40d2fc PostMessageW
0x40d300 PostQuitMessage
0x40d304 PtInRect
0x40d308 RealGetWindowClassA
0x40d30c RegisterClassW
0x40d310 ReleaseCapture
0x40d314 ReleaseDC
0x40d318 ScreenToClient
0x40d31c IMPSetIMEA
0x40d320 SetActiveWindow
0x40d324 SetCapture
0x40d328 SetDlgItemInt
0x40d32c SetDlgItemTextW
0x40d330 SetMenu
0x40d338 SetRect
0x40d33c SetTimer
0x40d344 ShowWindow
0x40d354 TranslateMessage
0x40d358 UnhookWindowsHookEx
0x40d35c UnregisterClassW
0x40d360 UpdateLayeredWindow
0x40d364 UpdateWindow
0x40d368 WinHelpW
0x40d36c wsprintfW
0x40d370 LoadIconA
0x40d374 GetMonitorInfoA
0x40d378 GetMessageW
0x40d37c GetMessageTime
0x40d380 GetMenuItemRect
0x40d388 GetKeyboardLayout
0x40d38c GetSystemMetrics
0x40d390 SendMessageW
0x40d394 GetDlgItemTextW
0x40d398 GetDlgItemInt
0x40d39c GetDlgItem
0x40d3a0 GetDesktopWindow
0x40d3a4 GetDC
0x40d3a8 GetClassNameA
0x40d3ac GetAltTabInfoW
0x40d3b0 EnumPropsW
0x40d3b4 EnumDisplayMonitors
0x40d3b8 EndPaint
0x40d3bc EndDialog
0x40d3c0 DrawTextA
0x40d3c4 DrawMenuBar
0x40d3c8 DrawFocusRect
0x40d3cc DlgDirListComboBoxW
0x40d3d0 DispatchMessageW
0x40d3d4 DialogBoxParamW
0x40d3dc DestroyIcon
0x40d3e0 DefWindowProcW
0x40d3e4 CreateWindowExW
0x40d3f0 CheckMenuItem
0x40d3f4 CharUpperBuffW
0x40d3f8 CharNextW
0x40d400 BeginPaint
0x40d404 GetSysColor
Library GDI32.dll:
0x40d048 GetStockObject
0x40d04c PathToRegion
Library ADVAPI32.dll:
0x40d000 RegQueryValueExW
0x40d004 RegOpenKeyExA
Library SHELL32.dll:
0x40d2a8 ShellAboutW
Library COMCTL32.dll:
0x40d00c _TrackMouseEvent
0x40d010 ImageList_Duplicate
0x40d014 ImageList_AddMasked
0x40d018 ImageList_Create
0x40d01c ImageList_Destroy
0x40d020 ImageList_Draw
0x40d024 ImageList_DrawEx
0x40d028 ImageList_GetIcon
0x40d038 ImageList_Remove

.text
`.rdata
@.data
.rsrc
YQPVh
SVWUj
{s$!2
*WKXY;
,aB.I
?Z>Rla\K
zNPMQ
4V60-
Vxn.y
/`j`.U
p<Gp%G
cey72
hVPg
^%Lu5
LZ7F0
S%GD|08
-6CKt
J@P85p
NX<&9
Qg1y<?g
$"M`X
pgK'|:
r["KY
rtAL#
c1vI'7
tEL}c
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
AreFileApisANSI
CallNamedPipeA
CloseHandle
CopyFileW
CreateDirectoryA
CreateFileW
CreateHardLinkA
CreateSemaphoreA
CreateSemaphoreW
DecodePointer
DeleteCriticalSection
DeleteFileA
DeviceIoControl
EnterCriticalSection
EnumDateFormatsW
ExitProcess
FindAtomW
FindClose
FindFirstFileExW
FindNextFileA
FindNextFileW
FindResourceExW
FindResourceW
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileAttributesExW
GetFileType
GetLastError
GetLocalTime
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetPrivateProfileIntW
GetPrivateProfileStringW
GetProcAddress
GetProcessHeap
GetProcessShutdownParameters
GetProfileSectionW
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadPriority
GetTickCount
GetUserDefaultLCID
GetVersionExA
GlobalAddAtomW
GlobalHandle
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeSListHead
InterlockedDecrement
InterlockedExchange
IsDBCSLeadByteEx
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadModule
LoadResource
LocalFree
LocalSize
LocalUnlock
LockResource
MoveFileA
MulDiv
MultiByteToWideChar
OutputDebugStringA
OutputDebugStringW
PeekNamedPipe
QueryPerformanceCounter
RaiseException
ReadConsoleOutputCharacterW
RtlUnwind
RtlZeroMemory
ScrollConsoleScreenBufferW
SetConsoleCP
SetFileApisToANSI
SetFilePointer
SetFilePointerEx
SetHandleCount
SetLastError
SetStdHandle
SetTapeParameters
SetThreadLocale
SetThreadUILanguage
SetTimerQueueTimer
SetUnhandledExceptionFilter
SizeofResource
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteConsoleW
WriteFile
WritePrivateProfileSectionA
WritePrivateProfileStructA
lstrcatA
lstrcpyA
lstrcpyW
lstrcpynW
lstrlenW
KERNEL32.dll
BeginPaint
ChangeDisplaySettingsA
CharNextW
CharUpperBuffW
CheckMenuItem
CopyAcceleratorTableW
CreateAcceleratorTableA
CreateWindowExW
DefWindowProcW
DestroyIcon
DialogBoxIndirectParamA
DialogBoxParamW
DispatchMessageW
DlgDirListComboBoxW
DrawFocusRect
DrawMenuBar
DrawTextA
EndDialog
EndPaint
EnumDisplayMonitors
EnumPropsW
GetAltTabInfoW
GetClassNameA
GetDC
GetDesktopWindow
GetDlgItem
GetDlgItemInt
GetDlgItemTextW
GetKeyboardLayout
GetMenuCheckMarkDimensions
GetMenuItemRect
GetMessageTime
GetMessageW
GetMonitorInfoA
GetSysColor
GetSystemMetrics
IMPSetIMEA
IMPSetIMEW
IntersectRect
InvalidateRect
IsCharLowerA
IsDialogMessage
KillTimer
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadMenuW
LoadStringW
LockWindowUpdate
MapWindowPoints
MessageBoxW
ModifyMenuA
MonitorFromRect
MoveWindow
OpenWindowStationW
PeekMessageW
PostMessageW
PostQuitMessage
PtInRect
RealGetWindowClassA
RegisterClassW
ReleaseCapture
ReleaseDC
ScreenToClient
SendMessageW
SetActiveWindow
SetCapture
SetDlgItemInt
SetDlgItemTextW
SetMenu
SetProcessWindowStation
SetRect
SetTimer
SetUserObjectInformationA
ShowWindow
SystemParametersInfoA
SystemParametersInfoW
TranslateAcceleratorW
TranslateMessage
UnhookWindowsHookEx
UnregisterClassW
UpdateLayeredWindow
UpdateWindow
WinHelpW
wsprintfW
LoadIconA
USER32.dll
GetStockObject
PathToRegion
GDI32.dll
RegOpenKeyExA
RegQueryValueExW
ADVAPI32.dll
ShellAboutW
SHELL32.dll
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
ImageList_Draw
ImageList_DrawEx
ImageList_Duplicate
ImageList_GetIcon
ImageList_GetIconSize
ImageList_GetImageCount
ImageList_GetImageInfo
ImageList_Remove
ImageList_ReplaceIcon
InitCommonControlsEx
_TrackMouseEvent
COMCTL32.dll
Sleep
InterlockedIncrement
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
SetErrorMode
kernel32
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
</trustInfo></assembly>
mscoree.dll
KERNEL32.DLL
VS_VERSION_INFO
StringFileInfo
000004E4
CompanyName
Microsoft Corporation
FileDescription
2007 Microsoft Office component
FileVersion
12.0.6606.1000
InternalName
SetLang
LegalCopyright
2006 Microsoft Corporation. All rights reserved.
LegalTrademarks1
is a registered trademark of Microsoft Corporation.
LegalTrademarks2
is a registered trademark of Microsoft Corporation.
OriginalFilename
SetLang.Exe
ProductName
2007 Microsoft Office system
ProductVersion
12.0.6606.1000
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


1c.jpg, PID: 904, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\1c.jpg
Command Line: "C:\Users\user\AppData\Local\Temp\1c.jpg"

Hosts

Direct IP Country Name
N 93.184.221.240 [VT] Europe
Y 8.8.8.8 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49160 93.184.221.240 www.download.windowsupdate.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.download.windowsupdate.com [VT] CNAME cs11.wpc.v0cdn.net [VT]
CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
CNAME wu.ec.azureedge.net [VT]
CNAME hlb.apr-52dd2-0.edgecastdns.net [VT]
CNAME wu.wpc.apr-52dd2.edgecastdns.net [VT]
CNAME wu.azureedge.net [VT]
A 93.184.221.240 [VT]

HTTP Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
GET /msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name csrss.exe
Associated Filenames
C:\ProgramData\Windows\csrss.exe
File Size 1389232 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 213c61e2bade76ec0e58b31d355a025a
SHA1 3582c92de55cc10196d6debca1dfd6acf883b4c1
SHA256 0586988c09f3b3047caecd776efc8d21b8285b2fe919c321ee8b4bc593249774
CRC32 4EEE3317
Ssdeep 24576:htPLf3UeTgLPgOzwUi9ERQm85EKXqKi7b:h1fUeTwPJzk98e7i7b
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 98.744 seconds )

  • 92.287 BehaviorAnalysis
  • 1.932 Static
  • 1.667 Strings
  • 1.321 CAPE
  • 0.649 Dropped
  • 0.646 TargetInfo
  • 0.175 TrID
  • 0.032 NetworkAnalysis
  • 0.029 Deduplicate
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 11.377 seconds )

  • 4.414 stealth_timeout
  • 3.983 api_spamming
  • 2.866 decoy_document
  • 0.022 antiav_detectreg
  • 0.009 stealth_file
  • 0.008 infostealer_ftp
  • 0.007 ransomware_files
  • 0.005 infostealer_im
  • 0.004 antianalysis_detectreg
  • 0.003 antivm_generic_disk
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_mail
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 bootkit
  • 0.002 Doppelganging
  • 0.002 antiemu_wine_func
  • 0.002 mimics_filetime
  • 0.002 reads_self
  • 0.002 dynamic_function_loading
  • 0.002 virus
  • 0.002 antivm_vbox_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 exploit_getbasekerneladdress
  • 0.001 recon_programs
  • 0.001 betabot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 infostealer_browser_password
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 90414
Mongo ID 5d78f61beac9b18670632fc3
Cuckoo release 1.3-CAPE