MalScore
100/100
MalFamily
Ispy

KYC-INQUIRY0718.exe

File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 457.03 KB (468000 bytes)
Compile time: 2018-07-02 15:35:27
MD5: 09e836d94778ef15f0bebabd9814ed79
SHA1: b12e5a8702ddc592604fcbfcaa4d04af9757cb83
SHA256: b298c706c7769618a6417651ee88f9e6bfe0c370f89f476301fdd8f525d65e88
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 3 import resource relocation
First submission: 2018-07-09 22:57:05
Last submission: 2018-07-09 22:57:05
Filename detected: KYC-INQUIRY0718.exe (1)
URL file hosting
hXXp://timmason2.com/demoami/demoami/KYC-INQUIRY0718.exe (VirusTotal)
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-07-09 16:58:00 [48/68] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x1dd44 122368 0d0fbbd5b8cdc40a03f42cfe21805985 e883713071daf4c55aeaa6f6ca09710a723b64bd
.rsrc 0x20000 0x10dc8 69120 a8b445c6f2004292fcee631b16a23b0e a6f402b209fb8e9fb5996f719c38a01ea2570337
.reloc 0x32000 0xc 512 fe20cfc0e5d88677ba751ffaa9b8ef1a a90db2280131c96088b25212aa0b2ca53e42b5ee
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x20398 67624 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x30bc0 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x20130 612 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x30bd8 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: KYC-INQUIRY0718.exe
FileVersion: 0.0.0.0
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: KYC-INQUIRY0718.exe
ProductVersion: 0.0.0.0
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven04b_64 Seven04b_64 VirtualBox 2018-07-09 22:52:16 2018-07-09 22:55:09 173

8 Behaviors detected by system signatures

8 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.exe.config
C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\KYC-INQUIRY0718\*
C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\KYC-INQUIRY0718.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\KYC-INQUIRY0718.resources\KYC-INQUIRY0718.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\KYC-INQUIRY0718.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\KYC-INQUIRY0718.resources\KYC-INQUIRY0718.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Seven01\AppData\Local\Temp\it\KYC-INQUIRY0718.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\KYC-INQUIRY0718.resources\KYC-INQUIRY0718.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it\KYC-INQUIRY0718.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it\KYC-INQUIRY0718.resources\KYC-INQUIRY0718.resources.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Seven01\AppData\Roaming\Service.exe

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.exe.config
C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp

Write Files

C:\Users\Seven01\AppData\Roaming\Service.exe

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KYC-INQUIRY0718.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|KYC-INQUIRY0718.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|KYC-INQUIRY0718.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|KYC-INQUIRY0718.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\KYC-INQUIRY0718.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E7454A3D
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E7454A3D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

Delete Keys

Nothing to display

Mutexes

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.CompareStringOrdinal
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
bcrypt.dll.BCryptGetFipsAlgorithmMode
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
ole32.dll.CoWaitForMultipleHandles
advapi32.dll.EventUnregister
cryptsp.dll.CryptReleaseContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
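
The "Write Keys" and "Resolved APIs" lists above carry the two behaviours that matter for this sample: a self-copy followed by a write to HKCU\...\CurrentVersion\Run\WindowsUpdate (CopyFileW, RegSetValueExW), and the CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread chain, which is the user-mode footprint of process hollowing (RunPE): the sample creates a process, overwrites its image in memory and resumes it, so the payload runs under the child's name rather than the .NET loader's. The script below is an added triage example, not the sandbox's own code or any tooling from the report: it takes a constructed subset of the report's API list (in the order printed, which the script assumes is resolution order) and the report's single written key, and reports which of the two patterns the trace supports. Names such as `triage`, `find_ordered` and `AUTORUN_KEY_RE` are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the relevant entries from the report's "Resolved APIs"
# list, kept in the order the sandbox printed them (order matters below).
SAMPLE_APIS = [
    "advapi32.dll.RegOpenKeyExW",
    "advapi32.dll.RegQueryValueExW",
    "mscoree.dll.#142",
    "shell32.dll.SHGetFolderPathW",
    "cryptsp.dll.CryptAcquireContextW",
    "cryptsp.dll.CryptCreateHash",
    "cryptsp.dll.CryptHashData",
    "cryptsp.dll.CryptGetHashParam",
    "kernel32.dll.CreateProcessW",
    "kernel32.dll.GetThreadContext",
    "kernel32.dll.ReadProcessMemory",
    "kernel32.dll.VirtualAllocEx",
    "kernel32.dll.WriteProcessMemory",
    "kernel32.dll.SetThreadContext",
    "kernel32.dll.ResumeThread",
    "kernel32.dll.CopyFileW",
    "advapi32.dll.RegSetValueExW",
    "cryptsp.dll.CryptGenRandom",
]

# Constructed sample: the report's "Write Keys" list.
SAMPLE_WRITE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
]

# Process hollowing as seen from user-mode API calls: create a process (normally
# suspended), read the primary thread's context to locate the image base, allocate
# and write memory in the child, point the context at the new entry point, resume.
HOLLOWING_SEQUENCE = (
    "CreateProcessW", "GetThreadContext", "ReadProcessMemory", "VirtualAllocEx",
    "WriteProcessMemory", "SetThreadContext", "ResumeThread",
)

# Registry autostart locations reachable by a user-level write (example's own list).
AUTORUN_KEY_RE = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE|USERS\\[^\\]+)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|Policies\\Explorer\\Run)"
    r"(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)


def api_name(entry: str) -> str:
    """'kernel32.dll.CreateProcessW' -> 'CreateProcessW' (ordinals keep their '#')."""
    return entry.rsplit(".", 1)[-1]


def find_ordered(names: list[str], sequence: tuple[str, ...]) -> list[int] | None:
    """Indices at which `sequence` occurs as an ordered, not necessarily contiguous,
    subsequence of `names`; None if any step is missing or out of order."""
    positions: list[int] = []
    start = 0
    for step in sequence:
        try:
            idx = names.index(step, start)
        except ValueError:
            return None
        positions.append(idx)
        start = idx + 1
    return positions


@dataclass
class Triage:
    process_hollowing: bool = False
    hollowing_calls: list[str] = field(default_factory=list)
    autorun_writes: list[tuple[str, str]] = field(default_factory=list)  # (key, value name)
    self_copy_before_autorun: bool = False


def triage(resolved_apis: list[str], write_keys: list[str]) -> Triage:
    names = [api_name(e) for e in resolved_apis]
    result = Triage()

    hits = find_ordered(names, HOLLOWING_SEQUENCE)
    if hits is not None:
        result.process_hollowing = True
        result.hollowing_calls = [resolved_apis[i] for i in hits]

    for key in write_keys:
        m = AUTORUN_KEY_RE.match(key)
        if m:
            result.autorun_writes.append((key, m.group("value") or ""))

    # CopyFileW followed by RegSetValueExW next to an autorun write is the usual
    # "drop a copy of myself, then point Run at it" persistence pattern.
    if result.autorun_writes and find_ordered(names, ("CopyFileW", "RegSetValueExW")):
        result.self_copy_before_autorun = True
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_APIS, SAMPLE_WRITE_KEYS)
    print("process hollowing sequence:", t.process_hollowing)
    for call in t.hollowing_calls:
        print("   ", call)
    for key, value in t.autorun_writes:
        print(f"autorun write: {key} (value name {value!r})")
    print("self-copy then Run-key write:", t.self_copy_before_autorun)
```

The sequence check is deliberately order-sensitive: the same seven APIs scattered in a different order (a debugger reads and sets thread context too) do not count, and a trace missing WriteProcessMemory or SetThreadContext is not called hollowing. For a host-side check, the value name written here (WindowsUpdate under the user's Run key) is what to look for, since the report gives the value name but not the data written to it.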

Execute Commands

"C:\Users\Seven01\AppData\Local\Temp\KYC-INQUIRY0718.exe"

Started Services

Nothing to display

Created Services

Nothing to display

#infosec #automation

TheSystem Itself @ 2018-07-09 22:57:21

Detected family: #Ispy

TheSystem Itself @ 2018-07-09 23:06:02