Advanced File Analysis System

File Name: 176928788.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: aa45509ac9b2d11e55784eddc52f966444d77099

MD5: a47573d164d84977ae6adf3db7119c4e

Download Kill Chain Report

Accessed Files

C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Users\user\AppData\Local\Temp\netmsg.dll
C:\Windows\System32\netmsg.dll
C:\Users\user\AppData\Local\Temp\aa45509ac9b2d11e55784eddc52f966444d77099.exe
C:\Users\user\AppData\Local\Temp
- C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp
- C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\aa45509ac9b2d11e55784eddc52f966444d77099.tmp
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\netmsg.dll
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup\_setup64.tmp
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.key
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.ENU
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.ENU.DLL
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.EN
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.EN.DLL
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\*
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup\*
Show More 16

Read Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\A2D5EDFB
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegFiles0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegSvcs0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegProcs0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\JSCount
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\ESCount
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RRCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability\ShutdownIgnorePredefinedReasons
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
Show More 41

Modified Files

C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\aa45509ac9b2d11e55784eddc52f966444d77099.tmp
C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup\_setup64.tmp
C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.key

Resolved APIs

kernel32.dll.SetDllDirectoryW
kernel32.dll.SetSearchPathMode
kernel32.dll.SetProcessDEPPolicy
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
- kernel32.dll.GetUserDefaultUILanguage
- comctl32.dll.RegisterClassNameW
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- uxtheme.dll.EnableThemeDialogTexture
- advapi32.dll.UnregisterTraceGuids
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- uxtheme.dll.OpenThemeData
- uxtheme.dll.CloseThemeData
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.DrawThemeText
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.GetThemeTextExtent
- uxtheme.dll.GetThemeTextMetrics
- uxtheme.dll.GetThemeBackgroundRegion
- uxtheme.dll.HitTestThemeBackground
- uxtheme.dll.DrawThemeEdge
- uxtheme.dll.DrawThemeIcon
- uxtheme.dll.IsThemePartDefined
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.GetThemeColor
- uxtheme.dll.GetThemeMetric
- uxtheme.dll.GetThemeString
- uxtheme.dll.GetThemeBool
- uxtheme.dll.GetThemeInt
- uxtheme.dll.GetThemeEnumValue
- uxtheme.dll.GetThemePosition
- uxtheme.dll.GetThemeFont
- uxtheme.dll.GetThemeRect
- uxtheme.dll.GetThemeMargins
- uxtheme.dll.GetThemeIntList
- uxtheme.dll.GetThemePropertyOrigin
- uxtheme.dll.SetWindowTheme
- uxtheme.dll.GetThemeFilename
- uxtheme.dll.GetThemeSysColor
- uxtheme.dll.GetThemeSysColorBrush
- uxtheme.dll.GetThemeSysBool
- uxtheme.dll.GetThemeSysSize
- uxtheme.dll.GetThemeSysFont
- uxtheme.dll.GetThemeSysString
- uxtheme.dll.GetThemeSysInt
- uxtheme.dll.IsThemeActive
- uxtheme.dll.IsAppThemed
- uxtheme.dll.GetWindowTheme
- uxtheme.dll.IsThemeDialogTextureEnabled
- uxtheme.dll.GetThemeAppProperties
- uxtheme.dll.SetThemeAppProperties
- uxtheme.dll.GetCurrentThemeName
- uxtheme.dll.GetThemeDocumentationProperty
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.EnableTheming
- user32.dll.NotifyWinEvent
- shell32.dll.SHCreateItemFromParsingName
- shell32.dll.SHPathPrepareForWriteA
- kernel32.dll.VerSetConditionMask
- kernel32.dll.VerifyVersionInfoW
- kernel32.dll.GetNativeSystemInfo
- kernel32.dll.IsWow64Process
- kernel32.dll.GetSystemWow64DirectoryA
- advapi32.dll.RegDeleteKeyExA
- shell32.dll.SHGetKnownFolderPath
- user32.dll.DisableProcessWindowsGhosting
- advapi32.dll.CheckTokenMembership
- user32.dll.ShutdownBlockReasonDestroy
- user32.dll.ShutdownBlockReasonCreate
- shfolder.dll.SHGetFolderPathA
- rstrtmgr.dll.RmStartSession
- rstrtmgr.dll.RmRegisterResources
- rstrtmgr.dll.RmGetList
- rstrtmgr.dll.RmShutdown
- rstrtmgr.dll.RmRestart
- rstrtmgr.dll.RmEndSession
- bcryptprimitives.dll.GetHashInterface
- kernel32.dll.GetDiskFreeSpaceExA
- oleaut32.dll.VariantChangeTypeEx
- oleaut32.dll.VarNeg
- oleaut32.dll.VarNot
- oleaut32.dll.VarAdd
- oleaut32.dll.VarSub
- oleaut32.dll.VarMul
- oleaut32.dll.VarDiv
- oleaut32.dll.VarIdiv
- oleaut32.dll.VarMod
- oleaut32.dll.VarAnd
- oleaut32.dll.VarOr
- oleaut32.dll.VarXor
- oleaut32.dll.VarCmp
- oleaut32.dll.VarI4FromStr
- oleaut32.dll.VarR4FromStr
- oleaut32.dll.VarR8FromStr
- oleaut32.dll.VarDateFromStr
- oleaut32.dll.VarCyFromStr
- oleaut32.dll.VarBoolFromStr
- oleaut32.dll.VarBstrFromCy
- oleaut32.dll.VarBstrFromDate
- oleaut32.dll.VarBstrFromBool
- ws2_32.dll.WSAIoctl
- ws2_32.dll.__WSAFDIsSet
- ws2_32.dll.closesocket
- ws2_32.dll.ioctlsocket
- ws2_32.dll.WSAGetLastError
- ws2_32.dll.WSAStartup
- ws2_32.dll.WSACleanup
- ws2_32.dll.accept
- ws2_32.dll.bind
- ws2_32.dll.connect
- ws2_32.dll.getpeername
- ws2_32.dll.getsockname
- ws2_32.dll.getsockopt
- ws2_32.dll.htonl
- ws2_32.dll.htons
- ws2_32.dll.inet_addr
- ws2_32.dll.inet_ntoa
- ws2_32.dll.listen
- ws2_32.dll.ntohl
- ws2_32.dll.ntohs
- ws2_32.dll.recv
- ws2_32.dll.recvfrom
- ws2_32.dll.select
- ws2_32.dll.send
- ws2_32.dll.sendto
- ws2_32.dll.setsockopt
- ws2_32.dll.shutdown
- ws2_32.dll.socket
- ws2_32.dll.gethostbyaddr
- ws2_32.dll.gethostbyname
- ws2_32.dll.getprotobyname
- ws2_32.dll.getprotobynumber
- ws2_32.dll.getservbyname
- ws2_32.dll.getservbyport
- ws2_32.dll.gethostname
- ws2_32.dll.getaddrinfo
- ws2_32.dll.freeaddrinfo
- ws2_32.dll.getnameinfo
- license.key.itd_setoption
- license.key.itd_downloadfile
- kernel32.dll.DeleteFileA
- kernel32.dll.SetFileAttributesA
- kernel32.dll.GlobalAlloc
- kernel32.dll.Sleep
- user32.dll.FindWindowA
- ntdll.dll.RtlMoveMemory
- kernel32.dll.ReadFile
- kernel32.dll.CloseHandle
- kernel32.dll.SetFilePointer
- kernel32.dll.CreateFileA
- kernel32.dll.GetFileSize
- kernel32.dll.WriteFile
- kernel32.dll.CreateMutexA
- user32.dll.ShowWindow
- dnsapi.dll.DnsApiFree
- oleaut32.dll.#500
- user32.dll.BuildReasonArray
- user32.dll.DestroyReasons
Show More 175

Deleted Files

C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\aa45509ac9b2d11e55784eddc52f966444d77099.tmp
C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp
C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.key
C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup\_setup64.tmp
C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup

Deleted Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner

Registry Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\aa45509ac9b2d11e55784eddc52f966444d77099.tmp
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
- HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\A2D5EDFB
- HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
- HKEY_CURRENT_USER\Software\Borland\Locales
- HKEY_LOCAL_MACHINE\Software\Borland\Locales
- HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegFiles0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegSvcs0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RegProcs0000
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\JSCount
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\ESCount
- HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\RRCount
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability\ShutdownIgnorePredefinedReasons
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability\UserDefined\1033
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability\UserDefined
Show More 72

Executed Commands

"C:\Users\user\AppData\Local\Temp\is-7GR0E.tmp\aa45509ac9b2d11e55784eddc52f966444d77099.tmp" /SL5="$E01A2,140401,58744,C:\Users\user\AppData\Local\Temp\aa45509ac9b2d11e55784eddc52f966444d77099.exe"
"shutdown.exe" -r -f -t 0

Read Files

C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\System32\netmsg.dll
C:\Users\user\AppData\Local\Temp\aa45509ac9b2d11e55784eddc52f966444d77099.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\_isetup\_setup64.tmp
- C:\Users\user\AppData\Local\Temp\is-2I3F7.tmp\license.key
Show More 3

Mutexes

CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Inno

Modified Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence

Loading...