Category FILE
Started On 2018-06-13 17:49:31.146825
Completed On 2018-06-13 17:51:35.487209
Duration 124 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-06-13 17:49:32
Shutdown On 2018-06-13 17:51:35

File Details

File name c5dc07a5d68c720b7e967148901201450a58e093.zip
File size 15525957 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 B6443740
MD5 b133ed3ddb0a71a1e05c30a81dbfff29
SHA1 c5dc07a5d68c720b7e967148901201450a58e093
SHA256 9a52dcc042a0f65bde5a811ae99a7e14fc3256a1ecf9acb70ffbf35eed7a9d9e
SHA512 e567a5542f7413fa7c4aa90292b80fe8bca933a87a6799af18d4be02c71ad6f0235be96176baeedb1227b4058465cc81140e2efe77621b9014ee4ef031c5898e
Ssdeep None
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1528926759]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
Deep_Freeze_Console_Loadin_Installer.exe: Str_Win32_Http_API

Signatures

antivm_queries_computername
antivm_memory_available
openprocess_nonchild
allocates_rwx
antivm_disk_size
privilege_luid_check
nolookup_communication

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

e3b0c44298fc1c14__MSI5166._IS

aafe66ee77078317_~1FAE.tmp

9063d8ffa56e4cf2_MSI5CC7.tmp

fd7e62c080f82b5b_0x0407.ini

91ca80fec0fc362f_0x0416.ini

cf4d9dd8a5fed0e8_faronics deep freeze loadin.msi

7996a8ff79c78153_0x0411.ini

d104ba9acd03109f__ismsidel.ini

cceacd4d8dd0fe49_0x040c.ini

82213854c4da8900_1033.mst

97737f83b1cb81ac_0x040a.ini

2a5eb805543b141d_0x0409.ini

2119909b93535470_0x0804.ini

Deep_Freeze_Console_Loadin_Installer.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Faronics Deep Freeze Loadin.msi
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\_ISMSIDEL.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\~1FAE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Setup.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0409.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\Deep_Freeze_Console_Loadin_Installer.exe
  • C:\Windows\SysWOW64\mscoree.dll
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0407.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0416.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0411.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\_ISMSIDEL.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x040c.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\1033.MST
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x040a.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\~1FAE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Setup.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0409.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Faronics Deep Freeze Loadin.msi
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0804.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSI5CC7.tmp
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\_MSI5166._IS
  • C:\Users\Harry Dresden\AppData\Local\Temp\~1FAE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSI5CC7.tmp
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Faronics Deep Freeze Loadin.msi
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\_ISMSIDEL.INI
  • C:\Windows\Fonts\staticcache.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\~1FAE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Setup.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\0x0409.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\Deep_Freeze_Console_Loadin_Installer.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\1033.MST
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll
  • C:\Windows\SysWOW64\
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\SysWOW64\mscoree.dll
  • C:\Windows\SysWOW64\sxs.dll
  • C:\Windows\AppPatch\msimain.sdb
  • C:\Windows\SysWOW64\msimsg.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSI5CC7.tmp
  • C:\Windows\SysWOW64\en-US\sxs.DLL.mui
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\
Directory-Enumerated
  • C:\Users\Harry Dresden
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\1033.MST
  • C:\Windows\SysWOW64\*
  • C:\Windows\SysWOW64\*.*
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\SysWOW64\mscoree.dll
  • C:\Windows
  • C:\Users
  • C:\Windows\SysWOW64
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Faronics Deep Freeze Loadin.msi
  • C:\Users\Harry Dresden\AppData\Local\Temp
Registry Key-Opened
Registry Key-Read

Processes


C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\Deep_Freeze_Console_Loadin_Installer.exe" PID: 3448, Parent PID: 2160

MSIEXEC.EXE /i "C:\Users\HARRYD~1\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\Faronics Deep Freeze Loadin.msi" TRANSFORMS="C:\Users\HARRYD~1\AppData\Local\Temp\{988D8C82-B957-485F-920B-B585F3BAEE5F}\1033.MST" SETUPEXEDIR="C:\Users\Harry Dresden\AppData\Local\Temp" PID: 3408, Parent PID: 3448

Volatility

Nothing to display.