Category FILE
Started On 2016-11-08 16:38:24.632712
Completed On 2016-11-08 16:41:00.618698
Duration 155 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2016-11-08 16:38:26
Shutdown On 2016-11-08 16:41:00

File Details

File name 2164297f6f3499cb1e67689d7a059b106b53eb10.exe
File size 1952732 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 DF915661
MD5 9847b871dbbb757934fee7032859fb22
SHA1 2164297f6f3499cb1e67689d7a059b106b53eb10
SHA256 d1fc4c75d9711308af5aff5b48f2964327fefb0132810c5d72ddcc4acdafdcd6
SHA512 4dbd14637567d7a0c24c947a95054f425f99ff36aacd0c6ceec593ef49de3098dd590c9fbf20fc95efa57283060b07232dbeec3be5eb94073611f55e5a0c5244
Ssdeep 49152:DILSNcF7NUf/do++9JRmb8K9H+RC6vCcM:DESY7c/m++jRmb9oCYM
PEiD None matched
Yara
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1478623309]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
6eab76e9c30c6076_2164297f6f3499cb1e67689d7a059b106b53eb10.exe: Str_Win32_Http_API

Signatures

has_pdb
antivm_memory_available
Long_Alphanum_Exe_Name
dropper
antisandbox_idletime
antisandbox_mouse_hook

Screenshots

No screenshots available.

Dropped Files

8e069b1722a4fc49_mbapreq.wxl

e5b064589d741bdb_bootstrappercore.dll

a64afbd95664554c_mbapreq.wxl

37f402c1ba41e059_expressba.resources.dll

d47a140dcd36d438_mbapreq.wxl

13635769db1f48f0_mbapreq.wxl

13e18c74b4ea3c7d_expressba.dll

a17d2de5cc82a44c_mbapreq.wxl

389cfb2ee4d69723_expressba.resources.dll

106555dd49231ffb_mbapreq.wxl

41d9d93639357027_mbapreq.wxl

57d0af700bbac2ea_expressba.resources.dll

5e7ceffecbd2012c_expressba.resources.dll

96aaeb6c88813a3f_bootstrapperapplicationdata.xml

a2b7f960ba073874_expressba.resources.dll

ba542b28a1482482_expressba.resources.dll

d59bcc48da6ebdda_expressba.resources.dll

501a79b37d52a818_expressba.resources.dll

f3859c757a3122a6_expressba.resources.dll

ff8b6c6ba9a5c180_mbapreq.wxl

9d95b457f864261b_expressba.resources.dll

2d0de8b8161a148f_expressba.resources.dll

bb83f25d42a62161_expressba.resources.dll

f8c3a03f47f0b9b3_mbapreq.thm

ca7cd1bf6d433ae8_mbapreq.wxl

11248f2f2e8fc97f_expressba.resources.dll

8f12b006fad046c1_expressba.resources.dll

189d0cf7bcebec2a_bootstrappercore.config

9ff48acb76f4ebe9_mbapreq.wxl

ae7aa89299f00e43_mbapreq.wxl

6adc2a6b25dea736_mbahost.dll

f944fe7d8473ed6a_mbapreq.wxl

705ae382f2adbc7c_mbapreq.wxl

166801eff4a826bf_mbapreq.wxl

a5fdf1cf8287df43_expressba.resources.dll

f9cece3478625b1e_expressba.resources.dll

43e00163c060a09c_mbapreq.wxl

9216632cdf31c511_mbapreq.dll

a401a225addaf891_mbapreq.png

ebc2bf04a4f378ae_mbapreq.wxl

95352f4140fc364d_expressba.resources.dll

f085df80185ae247_expressba.resources.dll

ae9f8e1a8856b18b_mbapreq.wxl

632ced5010ddc08c_eula_enu.rtf

f7b6da99783d864e_expressba.resources.dll

8dd206277b37eadb_expressba.resources.dll

b6b0e2e6553bc613_expressba.resources.dll

3e1a322b38782858_expressba.resources.dll

bdf44a835be92644_mbapreq.wxl

8a51d41636cc5276_expressba.resources.dll

d6d278a8e23ef53f_expressba.resources.dll

ba1784acd5b7af18_expressba.resources.dll

36f685cd477ccb43_expressba.resources.dll

a72d2160c2d8643c_expressba.resources.dll

09ab644a625157ba_expressba.resources.dll

589b87bd82de4663_expressba.resources.dll

be8e22b102a9a21a_mbapreq.wxl

d4e78d0ef8684f92_expressba.resources.dll

c5f1d0966ef65843_mbapreq.wxl

38696a610c92b2a2_expressba.resources.dll

6eab76e9c30c6076_2164297f6f3499cb1e67689d7a059b106b53eb10.exe

f3c3f48853d283ce_expressba.resources.dll

bd710dd756a4500c_expressba.resources.dll

3dbd6bc3779f577a_mbapreq.wxl

3c4081afb044289e_garmin_express_20161108095513.log

ad4cf22947472ffd_mbapreq.wxl

db9b50a00d9c3243_expressba.resources.dll

942bc3e1ece66f7d_expressba.resources.dll

0dd018ad825d7b4d_expressba.resources.dll

00a5f823904e2d68_mbapreq.wxl

90680e9500a20141_mbapreq.wxl

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\2164297f6f3499cb1e67689d7a059b106b53eb10.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperCore.config
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\f246b71bfd9c1537167b7f6d4f18cd01\System.Xaml.ni.dll.aux
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b75ba99f72f116d8951b0f2bba8c276a\System.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\232495ea0368dada2d208c51f0e5349c\UIAutomationTypes.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\7ece7799d670cdfc1393b98b0668a046\System.Configuration.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux
  • C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\613fd0f86fc699adfe3184b2e746aa18\PresentationFramework.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\1fd09756ffa6623e208e3b5460f374e9\PresentationFramework.classic.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\668bc5e53fd656dc16c9f40ea15e872e\System.Xml.ni.dll.aux
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E6D85013-859F-4D9C-8C11-5A6E98D438C4}\.cr\2164297f6f3499cb1e67689d7a059b106b53eb10.exe
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\a40acfa4a0c4bb0dbf824ace588583ba\WindowsBase.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\eed4ad7c1049e7cf47606479d68ec1de\PresentationCore.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\e0fea191b75897ec38735bfc31b89fe0\System.Core.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\8cab93eb361220e093cbecce13cc796e\PresentationFramework-SystemCore.ni.dll.aux
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E6D85013-859F-4D9C-8C11-5A6E98D438C4}\.cr\2164297f6f3499cb1e67689d7a059b106b53eb10.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pt\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\EULA_ENU.rtf
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperCore.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\de\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pl\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Garmin_Express_20161108095513.log
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1045\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ko\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\uk\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\hu\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ro\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1046\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\cs\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperApplicationData.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ar\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1041\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\lv\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sl\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\fi\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\hr\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1036\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\lt\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ru\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1043\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1028\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sv\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ms-my\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1029\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1053\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\mbapreq.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\da\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1051\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\mbapreq.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\no\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\nl\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1040\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pt-br\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1049\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperCore.config
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\zh-tw\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\tr\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\th\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1030\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1035\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1060\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\id\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1055\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\he\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sk\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\et\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1032\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1044\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\mbahost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ExpressBA.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\el\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\2052\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\es\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ja\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\zh-cn\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sr\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\2070\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\it\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\fr\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1031\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\bg\ExpressBA.resources.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1042\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1038\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\3082\mbapreq.wxl
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\mbapreq.thm
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\2164297f6f3499cb1e67689d7a059b106b53eb10.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\
  • C:\Windows\assembly\pubpol40.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperCore.dll
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E6D85013-859F-4D9C-8C11-5A6E98D438C4}\.cr\2164297f6f3499cb1e67689d7a059b106b53eb10.exe
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\1fd09756ffa6623e208e3b5460f374e9\PresentationFramework.classic.ni.dll.aux
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  • C:\Windows\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b75ba99f72f116d8951b0f2bba8c276a\System.ni.dll.aux
  • C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\7ece7799d670cdfc1393b98b0668a046\System.Configuration.ni.dll.aux
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\613fd0f86fc699adfe3184b2e746aa18\PresentationFramework.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\f246b71bfd9c1537167b7f6d4f18cd01\System.Xaml.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux
  • C:\Windows\System32\oleaccrc.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\8cab93eb361220e093cbecce13cc796e\PresentationFramework-SystemCore.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\a40acfa4a0c4bb0dbf824ace588583ba\WindowsBase.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\eed4ad7c1049e7cf47606479d68ec1de\PresentationCore.ni.dll.aux
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\BootstrapperCore.config
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\232495ea0368dada2d208c51f0e5349c\UIAutomationTypes.ni.dll.aux
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ExpressBA.dll
  • C:\Windows\System32\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\668bc5e53fd656dc16c9f40ea15e872e\System.Xml.ni.dll.aux
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\e0fea191b75897ec38735bfc31b89fe0\System.Core.ni.dll.aux
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E6D85013-859F-4D9C-8C11-5A6E98D438C4}\.cr
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E6D85013-859F-4D9C-8C11-5A6E98D438C4}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pl\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\2052\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\bg\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sv\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\lt\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sr\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ar\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\da\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1029\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\de\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\th\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1042\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\lv\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\zh-tw\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1046\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1040\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\fr\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1044\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\tr\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\et\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ko\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sk\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1031\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\fi\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ms-my\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1035\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\zh-cn\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1049\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\nl\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\3082\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\cs\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\he\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pt\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\it\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\sl\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1038\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ru\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\hu\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1060\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\hr\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1041\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1028\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\uk\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1051\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1043\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\no\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1055\
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\es\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1053\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1030\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1045\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1032\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\2070\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\1036\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ro\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\pt-br\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\el\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\id\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B299A765-74C9-4C70-A679-900605F294B1}\.ba\ja\
Directory-Enumerated
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\*
  • C:\Windows\System32\*.*
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\BootstrapperCore\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users
  • C:\Windows\System32
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\ExpressBA\*
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\*
  • C:\Users\Harry Dresden
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Windows
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WiX\Burn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID
  • HKEY_CURRENT_USER\Msxml2.DOMDocument
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6}
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\C36A0D91BD55D7540994A61CDC6153E4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A021DEAC50F1F8B47BE63AAEC523A88B\InstallProperties
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF44BF80-36DD-4118-B4CF-8B1E3F4FB9CE}\Progid
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\6D162B1DEABE9214E8BF0CE441CDFEA6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089