MalScore
100/100

csrvc.exe

Indicator tabs: Is DLL | Packer | Anti Debug | Anti VM | Signed | XOR | AntiVirus 39/67 | Related 2600
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 55.50 KB (56832 bytes)
Compile time: 2017-11-20 06:59:10
MD5: b0838808c1d7eebbe4143bbac3b2e9cd
SHA1: 9dd5ff320488fca99bf02dd8681d5b8b766c99af
SHA256: 1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 4 .text .sdata .rsrc .reloc
Directories 4 import resource debug relocation
First submission: 2017-11-30 13:09:17
Last submission: 2017-11-30 13:09:17
Filename detected: - csrvc.exe (1)
URL file hosting
hXXp://hitechnovation.com/Extra/Downloads/csrvc.exe
hXXp://hitechnovation.com/Downloads/DList.txt
hXXp://hitechnovation.com/thankyou.txt
Antivirus Report
Report Date Detection Ratio Permalink Update
2017-11-30 00:57:24 [39/67] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0xbd44 48640 269cbce985b86852a920dac915a30d60 39cfafacf99dd47c54bf83e33ae8c91b92f94d52
.sdata 0xe000 0x138 512 b9aebb1639e4a58d14bf0baf677d5605 d63e87bda8cdaf783db24af22cabfa3b1d6044d9
.rsrc 0x10000 0x1670 6144 c93dba2001012ad9ed4a1c1375c9a1e3 fb7615e212d7b7ebd41206c6495b44e2a870b8b5
.reloc 0x12000 0xc 512 63ec898e0b15716900eb4bbbf1f89976 d9aa917ca0f8d694dee0736e494ac3c6e99f64e2
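The MD5/SHA1 columns above are hashes of each section's raw file bytes (SizeOfRawData bytes starting at PointerToRawData), and the VSize/Size pair is what most "suspicious section" rules compare. The Python below is an added example for this page, not the report generator's code: it reads the section headers of a PE32 image, reproduces the table, and attaches a few common heuristics (writable+executable, no raw data behind a non-zero virtual size, data past end of file, high entropy). The image it parses is constructed in memory with the same four section names and virtual addresses as csrvc.exe but with made-up contents, so its hashes do not match the ones above; the heuristics and the 7.2-bit entropy threshold are this example's own choices, since the report does not say which rule produced its "1 suspicious".

```python
import hashlib
import math
import struct

E_LFANEW_OFFSET = 0x3C            # DOS header field pointing at the PE signature
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.2                # threshold chosen for this example


def hash_bytes(data):
    """(md5, sha1) hex digests, the two hash columns of the section table."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(sections, file_align=0x200):
    """Constructed minimal PE32 image used as test input (not the real csrvc.exe).
    `sections` is a list of (name, virtual_address, raw_bytes, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE header follows the DOS header
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    headers, body = bytearray(), bytearray()
    raw_ptr = file_align                                  # sections start after the header page
    for name, vaddr, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align   # round up to FileAlignment
        headers += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\x00"),
                               len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    header_page = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(headers)
    assert len(header_page) <= file_align, "too many sections for one header page"
    return header_page.ljust(file_align, b"\x00") + bytes(body)


def section_table(pe):
    """Parse the section headers and hash each section's raw file bytes.
    Each row carries the report's columns plus entropy and the list of
    heuristic reasons (this example's own) it would be called suspicious."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff_off)
    sec_off = coff_off + 20 + opt_size
    rows = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, sec_off + 40 * i)
        raw = pe[rptr:rptr + rsize]
        md5, sha1 = hash_bytes(raw)
        ent = entropy(raw)
        reasons = []
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if rsize == 0 and vsize:
            reasons.append("no raw data but non-zero virtual size (filled at runtime)")
        if rptr + rsize > len(pe):
            reasons.append("raw data runs past end of file")
        if ent > HIGH_ENTROPY:
            reasons.append("high entropy (packed or encrypted)")
        rows.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                     "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                     "md5": md5, "sha1": sha1, "entropy": round(ent, 2),
                     "suspicious": reasons})
    return rows


def print_table(rows):
    print(f"{'Name':8} {'VAddress':>8} {'VSize':>8} {'Size':>6} {'Entropy':>7}  MD5")
    for r in rows:
        print(f"{r['name']:8} {r['vaddr']:#8x} {r['vsize']:#8x} {r['rsize']:6d} "
              f"{r['entropy']:7.2f}  {r['md5']}  {'; '.join(r['suspicious'])}")


# Same four section names and virtual addresses as the report; contents are constructed.
SAMPLE_PE = build_sample_pe([
    (".text", 0x2000, bytes(range(256)) * 4, 0x60000020),      # code: read + execute
    (".sdata", 0xE000, b"\x00" * 0x138, 0xC0000040),            # data: read + write
    (".rsrc", 0x10000, b"RT_MANIFEST " * 40, 0x40000040),
    (".reloc", 0x12000, b"\x00\x20\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00", 0x42000040),
])

if __name__ == "__main__":
    print_table(section_table(SAMPLE_PE))
```

Run it against a real file with `section_table(open(path, "rb").read())`; on csrvc.exe the MD5/SHA1 values must equal the table above, which is a quick way to confirm you are holding the same sample the report analysed and not a repacked variant.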
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x103c0 4264 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x11468 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x10130 656 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x11480 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: Copyright © 2017
Assembly Version: 1.0.0.0
InternalName: csrvc.exe
FileVersion: 1.0.0.0
FileDescription: csrvc
OriginalFilename: csrvc.exe
Translation: 0x0000 0x04b0
ProductVersion: 1.0.0.0
ProductName: csrvc
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Text
\Report.txt
http://hitechnovation.com/Extra/dlist.txt
File type: Library
WTSAPI32.dll
USERENV.dll
ADVAPI32.dll
KERNEL32.dll
mscoree.dll
IP Found
182.50.133.109
URL(s)
http://hitechnovation.com/Extra/dlist.txt
http://freegeoip.net/xml
http://ipinfo.io/ip
Banner_Act
Software\Microsoft\Windows\CurrentVersion\Uninstall\
TopBrnAd
Installation_IP
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
InstalationDateTime
iVd
InternalName
Shell
TollFree_No
',RAM = '
starshine
',Tasklist = '
Custom_URL_Key
Translation
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
RegionName
KC_Code
SELECT * from TollFreeNo WHERE [Username]='
',ShowingNo = '
root\CIMV2
',Computer_Name = '
' ,Manufacturer = '
Restarter
RightBnrCODE
DTA_Tbl_User
KU_URL
SELECT * FROM Win32_NetworkAdapterConfiguration where IPEnabled = true
legalnoticetext
IsMastered
LegalCopyright
False
UUID
KF_Code
CountryName
MAC
Windows Warning !!
BottomBnrCODE
Dversion
PopUp_Color
Service1
',SoftwareVersion = '
LLYY
i}n
WindowsBrnAd
DisplayName
CreateProcessAsUser Error: {0}
ScreenShot
VarFileInfo
2.9
2.8
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
manufacturer
iSd
<(.|\n)*?>
MacAddress
' ,Model = '
/F /IM explorer.exe
Copyright
izn
explorer.exe
1.0.0.0
CMD_Calling_Key
SELECT * from Users WHERE [Email]='
LogMeIn_Support_Key
' and [Guid] ='
',UID_Os = '
True
ProductName
',Last_IP = '
KU_Code
UPDATE Client SET Restarter = '
SELECT * from Client WHERE [Username] ='
DuplicateTokenEx Error: {0}
LocalDateTime
UPDATE Client SET MAC = '
BottumBrnAd
',InstallList = '
Logo_Url
LeftBrnAd
000004b0
\\.\root\cimv2
csrvc.exe
' and [Country] ='
Logo
Message
TaskKill
.exe
registry
UserName
Windows Security Warning !!
Show_BannerAd
WindowsBnrCODE
DTA_Tbl_Version
FileDescription
',State = '
SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc
ActivateCommand
shutdown
Online
taskm
ihd
csrvc
csrvc.Resources
OpenProcessToken Error: {0}
config "{0}" start=auto
http://freegeoip.net/xml
Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure.
taskkill
failure "{0}" reset= 0 actions= restart/60000
config "{0}" type= interact type= own
VS_VERSION_INFO
SELECT * FROM Win32_ComputerSystem
TollFreeNo
',Last_Seen = '
SELECT * FROM Win32_PhysicalMedia
KM_Code
TopBnrCODE
',LastKey_Type = '
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
yyyy-MM-dd hh:mm:ss tt
Assembly Version
RegRead
FileLocation
-r -t 00
',Name_OS = '
Master_Key
Temporary_Key
' ,Country = '
2017
Adfly_Urls
FileVersion
________1
Data Source=182.50.133.109;Initial Catalog=lillysoft_it_;Persist Security Info=True;User ID=scvhost;Password=scvhost_123
LeftBnrCODE
ivn
SerialNumber
ddd, dd MMM yyyy HH:mm:ss 'GMT'
ProductVersion
http://ipinfo.io/ip
' ,FileLocation = '
Cversion
GUID
DisabledHotkeys
KT_Code
' WHERE [Username] ='
CreateEnvironmentBlock Error: {0}
WScript.Shell
Price
',SysUsername = '
',OnlineStatus = '
', ActivateCommand = '
StringFileInfo
\Report.txt
userinit.exe
Username
explorer
Userinit
KL_Code
Country
SELECT * FROM Win32_ComputerSystemProduct
Custom_URL
' ,SysUsername = '
PopUp_Act
',TaskKill = '
http://hitechnovation.com/Extra/dlist.txt
date
model
OriginalFilename
FastSupport_Key
RigthBrnAd
',HDD_SerialNo = '
',LocalDateTime = '
SYSTEM
strt
',Processor = '
',ActivateStatus = '
WasOffline
legalnoticecaption
$ee3bd8ae-7e3e-45c2-b9af-b7c5ff151d26
code
TollFree_No
hProfile
DateTime
GetBytes
GENERIC_ALL_ACCESS
nLength
Int32
.cctor
GetMd5
Object
ftpusername
mscorlib
XAttribute
DataRow
WebServices
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
get_User
RegistryValueKind
set_csrvcinstlr
CreateEnvironmentBlock
ComVisibleAttribute
GetInstance
3System.Resources.Tools.StronglyTypedResourceBuilder
ManagementObject
GeoLoc
ftpuri
GetSytemInfo
MsgBoxStyle
csrvc.My
ServiceProcessInstaller
get_LocalName
get_OSFullName
LayoutKind
set_Capacity
_machine
m_UserObjectProvider
Substring
IEnumerator`1
Kill
get_IsAlive
PopUp_Color
Select
Wtsapi32.dll
System.ComponentModel.Design
GetDriveSerialNumber
State
ManagementBaseObject
CryptoStream
CultureInfo
get_Count
DebuggerStepThroughAttribute
set_WindowStyle
1.0.0.0
STARTUPINFO
hStdOutput
wtsapi32.dll
RuntimeTypeHandle
System.Core
args
_CorExeMain
XNamespace
DebuggableAttribute
ManagementScope
LocalDateTime
LOGO_URL
Marshal
Stream
csrvcPinstlr
inScopePrefixes
Mytik1
csrvc.exe
get_Unicode
Adfly_Urls
Append
ProcessStartInfo
Style
RegistryKeyPermissionCheck
dwYSize
get_StartInfo
op_Explicit
Rfc2898DeriveBytes
System.ServiceProcess
Exit
RunInstallerAttribute
csrvc
csrvc.My.Resources
DesiredAccess
Enum
GetEnvironmentBlock
get_FirstAttribute
SECURITY_ATTRIBUTES
BottumBrnAd
get_Culture
StreamReader
Registry
AssemblyDescriptionAttribute
hStdInput
Default
NetworkCredential
m_AppObjectProvider
ClearProjectError
SetAttributeValue
DataTable
FileLocation
ToUInt32
Math
TokenHandle
AddAnnotation
passwordEncrypt
userenv.dll
AssemblyCompanyAttribute
Contains
CryptoStreamMode
set_ServiceName
phNewToken
WebHeaderCollection
get_Computer
uPdateYa
CreateAttribute
TokenType
Format
ValueType
OpenProcessToken
Zero
System.CodeDom.Compiler
AttributeValue
GuidAttribute
AssemblyCopyrightAttribute
GetLastWin32Error
LocalMachine
Enumerable
DuplicateTokenEx
System.Configuration.Install
ToLower
KL_Code
System.Threading
get_TotalPhysicalMemory
CompareString
Installer
Model
get_NamespaceName
Trim
Exists
set_Username
!This program cannot be run in DOS mode. $
PADPADP
KM_Code
File
bInheritHandles
WasOffline
Fill
OpenSubKey
GetMacAddress
pMessage
Dispose
_classLocker
get_Application
DownloadFile
GetHashCode
MinValue
Match
AssemblyTrademarkAttribute
get_Current
pResponse
ProjectInstaller
Byte
csrvc.WindowsServiceLauchingExe
value__
KC_Code
get_MachineName
Restarter
ToString
get_Name
get_Installers
KU_URL
GetValue
Func`2
#Blob
TokenImpersonation
name
get_GetInstance
set_StartInfo
OnStart
Parse
Microsoft.VisualBasic.ApplicationServices
createTable
lpProcessInformation
WindowsBrnAd
EnableTaskManager
.rsrc
ServiceBase
SetProjectError
Split
BSJB
Type
resourceCulture
My.Settings
Username
My.User
op_Implicit
DebuggerHiddenAttribute
lpTitle
lpProfilePath
IEnumerable
MatchCollection
gs_EXPLORER
ICryptoTransform
System.Text
Report
HelpKeywordAttribute
ShowingNo
Copyright
set_Culture
get_ResourceManager
AssemblyTitleAttribute
STARTF_USESHOWWINDOW
10.0.0.0
ActivateStatus
LateGet
IntPtr
LeftBrnAd
My.Computer
get_AttributeValue
Char
lpSecurityDescriptor
PROCESS_INFORMATION
RemoveNamespaceAttributes
installWinSysHero
System.Security.Cryptography
LoadReg
WindowsApi
set_ConnectionString
Create__Instance__
DTA_Tbl_Version
System.Collections.Specialized
InternalXmlHelper
SettingsBase
HDD_SerialNo
SecurityImpersonation
Start
set_Item
csrvcinstlr
bInheritHandle
ServiceAccount
dwXSize
System.Runtime.Versioning
HashAlgorithm
TOKEN_DUPLICATE
set_FileName
get_NextAttribute
DbDataAdapter
lpReserved
serviceName
FTPDownloadFile
InvalidOperationException
strt
Create
_csrvcinstlr
RegistryKey
Exception
ServiceInstaller
DownloadData
WTSGetActiveConsoleSessionId
lpDefaultPath
MTAThreadAttribute
EditorBrowsableState
get_ASCII
Download_Version
StandardModuleAttribute
DestroyEnvironmentBlock
.ctor
Connect
set_AttributeValue
GetTypeFromHandle
Convert
Manufacturer
Settings
Last_Seen
XObject
DllImportAttribute
Container
add_Elapsed
GetEnumerator
SymmetricAlgorithm
System.Linq
CreateObject
elem
Machine
SW_SHOW
CreateNamespaceAttribute
D:\LillySoft\Freelancer Projects\Applications\Windows Services\Malware2\csrvc\csrvc\obj\Debug\csrvc.pdb
getLoadFreshData
SizeOf
GetInstallList
.text
List`1
KT_Code
System.Timers
Price
SW_SHOWMAXIMIZED
get_IsNamespaceDeclaration
WTSSendMessage
SaveReg
v4.0.30319
m_inScopePrefixes
set_Key
inText
System.Configuration
lpTokenAttributes
MyApplication
Enter
Processor
System.Reflection
lpCommandLine
hExistingToken
RigthBrnAd
ElementAtOrDefault
.NETFramework,Version=v4.0
SqlCommand
TOKEN_TYPE
dwYCountChars
ToBase64String
EnableWinKey
Task_List
get_ProcessName
GetIP
WrapNonExceptionThrows
strToWrite
csrvc.ProjectInstaller.resources
inScopeNs
Monitor
set_Account
set_csrvcPinstlr
@.reloc
CREATE_UNICODE_ENVIRONMENT
lpPolicyPath
Matches
ServerComputer
get_ExitCode
WithEventsValue
Resources
MsgBoxResult
SqlDataAdapter
get_Capacity
CompilationRelaxationsAttribute
GetProcessesByName
get_WebServices
advapi32.dll
WeakReference
ComputerInfo
System.Data.Common
DesignerGeneratedAttribute
MemoryStream
set_AutoReset
MoveNext
WaitForExit
System.Runtime.CompilerServices
Value
hServer
HttpWebRequest
System.Net
TOKEN_QUERY
restart
Conversions
UnmanagedType
KF_Code
NewLateBinding
ftppassword
get_csrvcPinstlr
LastIndexOf
4.0.0.0
IFormatProvider
Attribute
ServiceStartMode
get_DateTimeFormat
InAttribute
get_Default
ScreenShot
SetIntractWithDesktop
kernel32.dll
lpThreadAttributes
DateTimeStyles
csrvcinstlr
XContainer
ProcessObject
HideModuleNameAttribute
DeleteValue
ProcessHandle
OnStop
hProcess
Info
RSDS
Microsoft.VisualBasic
KU_Code
lpServerName
Flush
get_Rows
RegexOptions
NameValueCollection
get_InvariantCulture
IDisposable
SECURITY_IMPERSONATION_LEVEL
UpdateDBStatus
TOKEN_ASSIGN_PRIMARY
ElapsedEventHandler
EnableExplorer
ConsoleApplicationBase
Computer
attributes
TaskKill
get_Item
Regex
Show_BannerAd
CreateSubKey
FileStream
SysUsername
GetTaskList
op_Equality
lpDesktop
RuntimeCompatibilityAttribute
dwDesiredAccess
m_MyWebServicesObjectProvider
_csrvcPinstlr
My.Application
get_Headers
dwFillAttribute
GetProcesses
downloadpath
AssemblyProductAttribute
Assembly
Pi_Token
ImpersonationLevel
Equals
hStdError
CreateProcessAsUserW
get_csrvcinstlr
WebRequest
get_Handle
<Module>
DownloadString
Concat
getUsername
NativeMethods
ThreadSafeObjectProvider`1
StringBuilder
ReferenceEquals
TargetFrameworkAttribute
Computer_Name
ComputeHash
Round
ReadToEnd
dwXCountChars
11.0.0.0
WTSQueryUserToken
InstallerCollection
Process
dwThreadId
OnlineStatus
value
Culture
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
m_attributes
2017
m_inScopeNs
Open
CompilerGeneratedAttribute
DataRowCollection
phToken
System.Runtime.InteropServices
lpProcessAttributes
bWait
lpCurrentDirectory
Write
SessionId
GUID
STARTF_FORCEONFEEDBACK
Main
get_Assembly
CreateEncryptor
DisableWinKey
get_Message
ProcessWindowStyle
get_Id
ExecuteNonQuery
System.Management
#GUID
MySettings
AssemblyFileVersionAttribute
IContainer
System.Data.SqlClient
defaultInstance
lpEnvironment
pTitle
hToken
Install_List
ObjectQuery
GetPrimaryToken
My.WebServices
GetEnd
System.Resources
get_Settings
Synchronized
wShowWindow
KillExplorer
cbReserved2
System.IO
lpApplicationName
get_Now
hObject
components
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
SecurityAnonymous
m_ComputerObjectProvider
XName
dwProcessId
TokenPrimary
SetRecoveryOptions
TopBrnAd
AccessedThroughPropertyAttribute
Component
ManagementObjectSearcher
SoftwareVersion
ApplicationSettingsBase
tmr1
CreateProcessAsUser
GetOS_UID
System.Xml.Linq
getInstance
instance
Last_IP
__ENCAddToList
Pi_ProcessId
source
SecurityDelegation
get_Info
ExtensionAttribute
Annotation
WebClient
Launch
TimeStamp
GetResponseStream
Microsoft.VisualBasic.Devices
DTA_Tbl_User
MyTemplate
StructLayoutAttribute
System.Globalization
IsMastered
SetValue
LaunchProcess
ResourceManager
Encoding
DateTimeFormatInfo
UID_Os
.NET Framework 4
GetResponse
GeneratedCodeAttribute
set_Connection
InternetCon
Capture
IEnumerable`1
ProcessXElement
WebResponse
set_IV
System
EventArgs
WriteToFile
Application
Current_Version
GetObjectValue
String
CheckForSyncLockOnValueType
MyGroupCollectionAttribute
DebuggerNonUserCodeAttribute
TitleLength
Debugger
Double
LaunchProcessAsUser
Interaction
Mytik
CreateInstance
Timer
dwFlags
DebuggingModes
StreamWriter
set_CommandText
SecurityIdentification
#Strings
System.Collections
set_Credentials
Replace
MessageLength
System.ComponentModel
Microsoft.VisualBasic.CompilerServices
RemoveRange
m_ThreadStaticValue
Pi_EnvBlock
Message
hThread
ManagementObjectCollection
ToArray
System.Text.RegularExpressions
Name_OS
EditorBrowsableAttribute
MarshalAsAttribute
MyWebServices
ActivateCommand
SqlConnection
Environment
mscoree.dll
MyComputer
set_StartType
set_Interval
Operators
Ps_CmdLine
User
`.sdata
PROFILEINFO
csrvc.Resources.resources
set_Value
OutAttribute
System.Data
dwSize
4System.Web.Services.Protocols.SoapHttpClientProtocol
XElement
htmlWinBr
resourceMan
ObjectFlowControl
MyProject
STARTUPINFOW
System.Collections.Generic
Timeout
System.Diagnostics
IEnumerator
GetType
ManagementObjectEnumerator
GetComputerDetails
Close
MsgBox
CurrentUser
ThreadStaticAttribute
bInherit
lpReserved2
lpUserName
Activator
set_Enabled
dwCreationFlags
Microsoft.Win32
Dispose__Instance__
StartupFile
GetProcessById
RemoveNamespaceAttributesClosure
GetSubKeyNames
ParseExact
FrameworkDisplayName
set_Password
disposing
CurrentConfig
InitializeComponent
Country
SetAuto
get_Value
Remove
Element
set_Arguments
Cast
__ENCList
CloseHandle
MySettingsProperty
DisableTaskManager
ProjectData
RuntimeHelpers
ICredentials
AddRange
lpStartupInfo
csrvcPinstlr
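The strings dump above is the most useful part of this report: a hard-coded MSSQL connection string to 182.50.133.109 with the database user and password embedded, SQL statements assembled by string concatenation, sc.exe argument strings (`config "{0}" type= interact type= own`, `config "{0}" start=auto`, `failure "{0}" reset= 0 actions= restart/60000`), a `/F /IM explorer.exe` taskkill fragment, registry paths under Policies\System and Winlogon, and the WTSQueryUserToken / DuplicateTokenEx / CreateEnvironmentBlock / CreateProcessAsUser set a service uses to start a process on the logged-on user's desktop. The Python below is an added example written for this page, not the sandbox's string extractor: it pulls both ASCII and UTF-16LE runs out of a byte buffer (a .NET assembly keeps its user strings in the #US heap as UTF-16LE, which a plain ASCII `strings` misses), labels them with patterns of that kind, collects network indicators, and splits the connection string into fields. The buffer it scans is constructed here from strings taken from the dump; the labels, regexes and minimum length are this example's own assumptions.

```python
import re
from collections import defaultdict

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # .NET #US heap is UTF-16LE

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Labels and patterns are this example's own, chosen from what the dump contains.
CLASSIFIERS = [
    ("url", URL_RE),
    ("ipv4", IPV4_RE),
    ("db_connection_string", re.compile(r"Data Source=.*;.*(?:Password|Pwd)=", re.I)),
    ("sql_fragment", re.compile(r"\b(?:SELECT|UPDATE|INSERT|DELETE)\b.*\b(?:FROM|SET|WHERE|INTO)\b", re.I)),
    ("registry_key", re.compile(r"HKEY_[A-Z_]+\\|\\CurrentVersion\\", re.I)),
    ("service_control", re.compile(r"\b(?:config|failure|create)\b.*\b(?:start=|type=|actions=)", re.I)),
    ("process_kill", re.compile(r"taskkill|/IM\s+\S+\.exe", re.I)),
    ("session_token_api", re.compile(r"^(?:WTSQueryUserToken|WTSGetActiveConsoleSessionId|"
                                     r"CreateProcessAsUserW?|DuplicateTokenEx|OpenProcessToken|"
                                     r"CreateEnvironmentBlock)$")),
]


def extract_strings(blob):
    """Yield (encoding, offset, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield "utf-16le", m.start(), m.group().decode("utf-16le")


def classify(text):
    """All labels whose pattern matches the string."""
    return [label for label, rx in CLASSIFIERS if rx.search(text)]


def triage(blob):
    """label -> sorted unique strings carrying that label."""
    found = defaultdict(set)
    for _enc, _off, text in extract_strings(blob):
        for label in classify(text):
            found[label].add(text)
    return {k: sorted(v) for k, v in found.items()}


def network_iocs(blob):
    """Distinct URLs and IPv4 addresses, including ones embedded in longer strings."""
    urls, ips = set(), set()
    for _enc, _off, text in extract_strings(blob):
        urls.update(URL_RE.findall(text))
        ips.update(IPV4_RE.findall(text))
    return {"urls": sorted(urls), "ips": sorted(ips)}


def parse_connection_string(s):
    """Split an ADO.NET 'Key=Value;Key=Value' string into a dict (keys lower-cased)."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _u16(s):
    return s.encode("utf-16le")


# Constructed test buffer: strings from the dump above, UTF-16LE for the user-string
# heap and ASCII for import names, separated by junk bytes. Not the real binary.
SAMPLE_BLOB = (
    b"\x1f\x8b\x02\x90"
    + _u16("Data Source=182.50.133.109;Initial Catalog=lillysoft_it_;"
           "Persist Security Info=True;User ID=scvhost;Password=scvhost_123")
    + b"\x00\x00\x04\x7f"
    + _u16("SELECT * from Client WHERE [Username] ='") + b"\x00\x00"
    + _u16("http://hitechnovation.com/Extra/dlist.txt") + b"\x00\x00"
    + _u16('config "{0}" type= interact type= own') + b"\x00\x00"
    + _u16("/F /IM explorer.exe") + b"\x00\x00"
    + _u16(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System") + b"\x00\x00\x00"
    + b"WTSQueryUserToken\x00CreateProcessAsUserW\x00kernel32.dll\x00"
    + b"\x7f\xff\x10"
)

if __name__ == "__main__":
    for label, items in sorted(triage(SAMPLE_BLOB).items()):
        print(label)
        for s in items:
            print("   ", s)
    print(network_iocs(SAMPLE_BLOB))
```

Feed it the real file with `triage(open(path, "rb").read())`; the labelled output is what to turn into blocking rules (the host and URL), a credential-rotation ticket for whoever owns the database at 182.50.133.109, and a note that the SQL is concatenated from host-supplied values such as the machine name, so the server side of this scheme is itself injectable.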
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven03b_64 Seven03b_64 VirtualBox 2017-11-30 13:02:32 2017-11-30 13:05:24 172

1 Behaviors detected by system signatures

7 Summary items with data

Files

C:\Windows\sysnative\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\*
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\csrvc.exe.config
C:\Users\Seven01\AppData\Local\Temp\csrvc.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\sysnative\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\sysnative\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\sysnative\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\dfbc7990c56e33311eb9af18aa0dedb4\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\dfbc7990c56e33311eb9af18aa0dedb4\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_64\csrvc\*
C:\Users\Seven01\AppData\Local\Temp\csrvc.INI
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_64\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\*
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.INI
C:\Windows\Microsoft.Net\assembly\GAC_64\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\f8a43d0a4b768edf2f7ec0d4712a1a6a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\f8a43d0a4b768edf2f7ec0d4712a1a6a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\sysnative\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_64
C:\Windows\assembly\GAC_64\System.ServiceProcess.resources
C:\Windows\assembly\GAC_32
C:\Windows\assembly\GAC_32\System.ServiceProcess.resources
C:\Windows\assembly\GAC_MSIL
C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources
C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\*
C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.resources\2.0.0.0_it_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll
C:\Windows\assembly\GAC
C:\Windows\assembly\GAC\System.ServiceProcess.resources
C:\Windows\Microsoft.Net\assembly\GAC_64
C:\Windows\Microsoft.Net\assembly\GAC_64\System.ServiceProcess.resources
C:\Windows\Microsoft.Net\assembly\GAC_32
C:\Windows\Microsoft.Net\assembly\GAC_32\System.ServiceProcess.resources
C:\Windows\Microsoft.Net\assembly\GAC_MSIL
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess.resources
C:\Windows\Microsoft.Net\assembly\GAC
C:\Windows\Microsoft.Net\assembly\GAC_64\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\*
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\VERSION.dll
C:\Windows\Microsoft.Net\assembly\GAC_64\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\*
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\Fonts\staticcache.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SortDefault.nlp

Read Files

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\csrvc.exe.config
C:\Users\Seven01\AppData\Local\Temp\csrvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\sysnative\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\dfbc7990c56e33311eb9af18aa0dedb4\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\dfbc7990c56e33311eb9af18aa0dedb4\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\assembly\pubpol23.dat
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\f8a43d0a4b768edf2f7ec0d4712a1a6a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\f8a43d0a4b768edf2f7ec0d4712a1a6a\System.ni.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\sysnative\it-IT\KERNELBASE.dll.mui
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SortDefault.nlp

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\JitTimeLogCsv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\JitFuncInfoLogFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\JitELTHookEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\TailCallOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\JitVNMapSelBudget
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\csrvc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\9DEB4649
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it

Read Keys


Write Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\AutoBackupLogFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Service1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Service1\EventMessageFile

Delete Keys

Nothing to display

Mutexes

Local\MSCTF.Asm.MutexDefault1
Global\netfxeventlog.1.0

Resolved APIs


Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

#FAKE-Troubleshooting

Davide Baglieri @ 2017-11-30 13:25:24