MalScore: 100/100
MalFamily: Malicious

mrd.exe

Indicator flags (page icon bar; the on/off state of each icon is not preserved in the text): Is DLL, Packer, Anti Debug, Anti VM, Signed, XOR. AntiVirus: 32/68. Related: 2707
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 1541.00 KB (1577984 bytes)
Compile time: 2018-09-21 14:55:40
MD5: 9ae7b6bee225569d83d02ebfcd2116b4
SHA1: f04d749307bbd0dcf674a868288432c11d0275a9
SHA256: 8283317065119d189fa959a17715d96c9e6c9810a411ad7e9f20d3b424d3b5c6
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 4 import resource debug relocation
First submission: 2018-09-22 11:00:04
Last submission: 2018-09-22 11:00:04
Filename detected: mrd.exe (1)
URL file hosting
hXXp://23.249.161.109/mrd.exe
Antivirus Report
Report date: 2018-09-22 01:52:18
Detection ratio: 32/68
Source: VirusTotal
PE Sections (2 flagged suspicious)
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x10d4c4 1103360 4cc40ef8a401e6f0b92e736e8b06d96c 654b6d3f5413c33ecf13a69b95fcf2adbfc57492
.rsrc 0x110000 0x5a950 371200 85c76c176d51982c6e4044f2c9baba42 5fecf362d28c7395257b3b69e6357cc0c6ca148e
.reloc 0x16c000 0xc 512 66afb8c4b9a7ac641f347964387c2a8e 0a24812f923fcf0a7e3f0c107d5083a17bfa17e1
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x1664e0 16936 LANG_ENGLISH SUBLANG_ENGLISH_US
RT_GROUP_ICON 0x16a708 90 LANG_ENGLISH SUBLANG_ENGLISH_US
RT_MANIFEST 0x16a764 490 LANG_NEUTRAL SUBLANG_NEUTRAL
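The static facts above are enough for a few triage checks before touching the behaviour data: whether each section's raw size agrees with its virtual size at the file alignment, whether the only native import is the CLR stub (which makes the import hash worthless for clustering, since every .NET executable importing just mscoree.dll!_CorExeMain hashes the same), and how far the PE timestamp sits from first submission. The script below is an added example, not the sandbox's own code; it takes the values from the File details and PE Sections tables and assumes the default file alignment of 0x200, which the page does not state.

```python
"""Sanity checks over the static PE facts in this report (added example,
not the sandbox's code).  SECTIONS, IMPORTS and the timestamps are copied
from the tables above; FILE_ALIGNMENT is an assumption (the PE default)."""
import hashlib
from datetime import datetime, timedelta

FILE_ALIGNMENT = 0x200  # assumption: default alignment, not shown on the page

# (name, virtual_size, raw_size) from the PE Sections table
SECTIONS = [
    (".text", 0x10d4c4, 1103360),
    (".rsrc", 0x5a950, 371200),
    (".reloc", 0xc, 512),
]
IMPORTS = [("mscoree.dll", "_CorExeMain")]  # the only native import listed
COMPILE_TIME = datetime(2018, 9, 21, 14, 55, 40)
FIRST_SEEN = datetime(2018, 9, 22, 11, 0, 4)


def round_up(n, align):
    return -(-n // align) * align


def section_findings(sections, align=FILE_ALIGNMENT):
    """Compare raw size with the aligned virtual size of each section.
    raw < aligned vsize: the loader zero-fills, i.e. memory-only data
    (typical of packers); raw > aligned vsize: slack bytes on disk that
    are never mapped and can hide a payload."""
    out = {}
    for name, vsize, raw in sections:
        expected = round_up(vsize, align)
        if raw < expected:
            out[name] = "raw smaller than virtual size: memory-only data"
        elif raw > expected:
            out[name] = "raw larger than needed: %d bytes of slack" % (raw - expected)
        else:
            out[name] = "consistent"
    return out


def imphash(imports):
    """pefile-style import hash: lowercase 'lib.func' pairs, comma-joined, MD5."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
        parts.append("%s.%s" % (lib, func.lower()))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_managed(imports):
    """A .NET image imports nothing natively except the CLR entry stub."""
    names = {(d.lower(), f) for d, f in imports}
    stubs = {("mscoree.dll", "_CorExeMain"), ("mscoree.dll", "_CorDllMain")}
    return bool(names) and names <= stubs


def build_to_first_seen(compile_time, first_seen):
    """Hours from PE timestamp to first submission.  Negative or multi-year
    values point at a forged timestamp; a day or so is a fresh build."""
    return (first_seen - compile_time) / timedelta(hours=1)


if __name__ == "__main__":
    print(section_findings(SECTIONS))
    print("managed:", is_managed(IMPORTS), "imphash:", imphash(IMPORTS))
    print("built %.1f h before first submission" % build_to_first_seen(COMPILE_TIME, FIRST_SEEN))
```

For this sample all three sections are consistent, so the "2 suspicious" flag on the page must come from something other than size mismatch (entropy or section naming, which the page does not show). The managed check is what tells you to skip native unpacking and go straight to a .NET decompiler.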
Meta Info
No Meta found in this file
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
String too long
PwRuXYsGVkBcoUmcqZDgTjddkKOETKoZoZMHqVRCoeHPbFPeeoVwRbvnXmKScycPIUDltNDdTqIcXhJJJFiYIbBflvCtfieWusimqCOkVeHPhhatVExyojACGwPHfsaLexVqotferAqbSjDHATcbiVayMeNfsPw
ydPOUPjzadriSzfmqOlwrDYEoqNfRgWIiFDsFgXJYhyfbFdYsKsQvnEgeUISgfeVoUNKZGMPrtbPcCvDfbrEZgWcddzIkEstUUhJaxJCDjKtSFbvvNzmkiyJTyxJtNqznnAkAcgrBRMynqtvhAEmNw
wiwBApOogomGNHCMMeCLjAVHZcyHVgGnsUESNAtjRRQeBeIrWlUxwcbxAsAJMTSyTaKtBkMYlRvVrBzUCnAGXogTrWaUSuIeowogbfCByliUdeiuWAcdhNFwyGnHaDeuXVZHaodBrdTXEduhqtRMEDohpbXZyieinURZDVnzqckKRNjFzbxoxNXIKiVuufpxKm
SMBxjWoeqdDUjlvhocpZKHrHcsjEBUpFZZQWGGdCBrtANAMCfVYscWfhHzAGjXjuNnPsrMuaApsQDXoPAInHeHIRKugqzAsngVAGzPIHulxxqlthUcTGWXJifZvTyjjiydYHUdFAeEoQrTYkvK
ryuVPrQQqIZcYutHgGlgzhLBvrqvFGiWhEBmcTwNNRfcynzDsMAxOythHXlgNvzIcplBRiXruRhpQZJFhuRkwBUeNzoymryohBVIqbbpwyknPbSedDBFkJqGpZFWLvOTguKTfpckTzvtzWGkgldFqvTbtgUEiDgNdmEZirYthHDiALWjB
<XklOiuzQrCkgkQgOZlTJIAgyjfKzrIiNCdImrVGhlwXhzFfELkRdmxvtKVaRTCfPFEKLeStfHmVtknJrAiUbxvMMVEFLKxOnBpdyRytHeKkxDHtbbqSJLIjUqrnwATuJfnSbFYRUSjdRKqYNjZOhgMaUGLwrGdkQbKUhGxnZoVDMgbzPgRpYIXqgbHoqAqsEDHftOExEmocNLqUMkMviSSqRuwDzDbFB>b__0
dBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUsdBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUs
XklOiuzQrCkgkQgOZlTJIAgyjfKzrIiNCdImrVGhlwXhzFfELkRdmxvtKVaRTCfPFEKLeStfHmVtknJrAiUbxvMMVEFLKxOnBpdyRytHeKkxDHtbbqSJLIjUqrnwATuJfnSbFYRUSjdRKqYNjZOhgMaUGLwrGdkQbKUhGxnZoVDMgbzPgRpYIXqgbHoqAqsEDHftOExEmocNLqUMkMviSSqRuwDzDbFB
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
dBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUs
qvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmm
qvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmmqvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmm
vupDlxCCGwDJLZiDhQqKURGCrDpAOCPxZNSDxzWIhMUcqsBJNVREBzripVYeiYWZXWGZHsoQutlbMAmcCYvueiiwQKnfYLHYxyqavGycgamlJNRvPcFQySeqjENsaqiwDPWdfvGPfxoDVjHANNcnPpWoYMasxUSVQMyijmXKObEqiQTcgedbnCofvdWmAPspoAUITzegJIAXqCajwnBqhBJusjfKtZNW
vkUqjDQqplwwmtSmTTwZfnPAhrYYqkUdpHCGJPeFoMVATIaprQCwXtakCqlOZPjvvvDcIfPtDAETDkJnSvLYJUGzMnFOCKwIGKdaBqwSbLnJNgfOfdoTGdHXamwqJWyAUxVTBOFkJlxEjRnkWQUKFMVjUEkyjkCmiTyPuXrANlezfrCgOZHhSjRHUqnrCXpwOBpDlzFciTzNwKqmIygqJyYZoNMratbS
BFABF
BF"
Xb~
BF'
PwRuXYsGVkBcoUmcqZDgTjddkKOETKoZoZMHqVRCoeHPbFPeeoVwRbvnXmKScycPIUDltNDdTqIcXhJJJFiYIbBflvCtfieWusimqCOkVeHPhhatVExyojACGwPHfsaLexVqotferAqbSjDHATcbiVayMeNfsPw
!B"9BFi
BF.
BF,
ydPOUPjzadriSzfmqOlwrDYEoqNfRgWIiFDsFgXJYhyfbFdYsKsQvnEgeUISgfeVoUNKZGMPrtbPcCvDfbrEZgWcddzIkEstUUhJaxJCDjKtSFbvvNzmkiyJTyxJtNqznnAkAcgrBRMynqtvhAEmNw
JhxPkdvrWzMR
wiwBApOogomGNHCMMeCLjAVHZcyHVgGnsUESNAtjRRQeBeIrWlUxwcbxAsAJMTSyTaKtBkMYlRvVrBzUCnAGXogTrWaUSuIeowogbfCByliUdeiuWAcdhNFwyGnHaDeuXVZHaodBrdTXEduhqtRMEDohpbXZyieinURZDVnzqckKRNjFzbxoxNXIKiVuufpxKm
SMBxjWoeqdDUjlvhocpZKHrHcsjEBUpFZZQWGGdCBrtANAMCfVYscWfhHzAGjXjuNnPsrMuaApsQDXoPAInHeHIRKugqzAsngVAGzPIHulxxqlthUcTGWXJifZvTyjjiydYHUdFAeEoQrTYkvK
ryuVPrQQqIZcYutHgGlgzhLBvrqvFGiWhEBmcTwNNRfcynzDsMAxOythHXlgNvzIcplBRiXruRhpQZJFhuRkwBUeNzoymryohBVIqbbpwyknPbSedDBFkJqGpZFWLvOTguKTfpckTzvtzWGkgldFqvTbtgUEiDgNdmEZirYthHDiALWjB
<XklOiuzQrCkgkQgOZlTJIAgyjfKzrIiNCdImrVGhlwXhzFfELkRdmxvtKVaRTCfPFEKLeStfHmVtknJrAiUbxvMMVEFLKxOnBpdyRytHeKkxDHtbbqSJLIjUqrnwATuJfnSbFYRUSjdRKqYNjZOhgMaUGLwrGdkQbKUhGxnZoVDMgbzPgRpYIXqgbHoqAqsEDHftOExEmocNLqUMkMviSSqRuwDzDbFB>b__0
**+
@.reloc
dBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUsdBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUs
QbHBIejPGucrJwwY
FromBase64String
j*.+
AJhTvqOfSoKGvlQW
XklOiuzQrCkgkQgOZlTJIAgyjfKzrIiNCdImrVGhlwXhzFfELkRdmxvtKVaRTCfPFEKLeStfHmVtknJrAiUbxvMMVEFLKxOnBpdyRytHeKkxDHtbbqSJLIjUqrnwATuJfnSbFYRUSjdRKqYNjZOhgMaUGLwrGdkQbKUhGxnZoVDMgbzPgRpYIXqgbHoqAqsEDHftOExEmocNLqUMkMviSSqRuwDzDbFB
Int32
*2+
j*>+
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
Object
CompilationRelaxationsAttribute
axIUBGeyUrztagQI
CFLLyLJiVuMPKHFA
mscorlib
KdKKOCtrlEslEdMT
BmdYQuUHbddDILlo
cZbsNSvmeTxEKxpb
Byte
get_Chars
gMATQMRGAjOnssXa
*R+
TGHXLGopyFHxJvLf
dcjtjMqwdczdJQJZoh
xSQWrYDcOojDXVPF
IqHdcFVsFSQPohjA
System.Runtime.CompilerServices
lOEsuZKwtDQxqEdw
WdEvzQYFdGxcvckp
WoXW J
DEbwdmZrzUmAqSIW
vZGwnyEeLcBmpyqH
Func`2
System.Net
#Blob
YHeuhSDtNyvtMLiq
lKjgKeMIMvJAFLLl
Encoding
hrwAzJmwBtnoFOvb
tQVxqEdvpvEDjsSe
`.rsrc
eWRUNHpPYOFlGDXe
Substring
ploHKtRhNIwsgwHi.pdb
CfDlKxSONDxVzElo
MejiPpuGNweUmwgT
Select
uADRPNrMdjFzHBHV
EnCQNDfCjPvzVlOR
OJNItsUURzohbjeU
QotJwKrfypVJoFux
dBJqtMqcncJNsVTIRgZfBazxqOPpsPasDwnJRUKQMCMWFJObwbSxCOwiWECbTaLQEfPVvhhlUZUNmsoQFGcxCLnrhnSkUhKLnpxEddtJGJiPqPPddVTMSueCoYwwWPyEyyFGwvFcMPrtSfTElRpOdxYfjTpuuqgWoKaLdAECbdhiGdRUejopeLQXlIlMvzTSoStHCVHNaMznQWPMMDybsKLbCpIAyAUs
SHLoVzibktfMzkqW
System
MPyoTKfRHbdLozGK
MethodInfo
dByrfGgoLtLlAzdq
BSJB
AZtveNqrxWAbOiNp
feaYPFlazCVfmXfp
XonlYtVjQwaYzWCW
NMouDzGAUkTqhMRc
zqYbPgAcNiCzSdCm
String
ojuZlfLawedkdJqE
_CorExeMain
JfrUHRMgQuNSYwQd
dXZRmhOOZCjTEEVP
System.Core
*>+
args
YbBfkBocebvymJct
qvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmm
sZnFtcjJqrGxaaxE
liTFLgNaWkVVlwNU
DebuggingModes
WWLSPxtEYQDrIIWI
.cctor
MethodBase
#Strings
NOGvARPOBXAuSqRx
IntPtr
ijrfGpJMDEuZnfcQ
tWSXRPMjTEBzFMvy
gVPBIRHNomOfhSpo
ploHKtRhNIwsgwHi.exe
qvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmmqvMpvhTRzqkejvRuMNQrYoJyTmmRTLHmclVbxXddFkGHJvPHCrVpKiDrqvTrvFzgaxcdpOfupYkAwWTIiUbJRTDRVvahzwaLtfFDDASABKmpXnHncLPWwZSpqpQNXvrMHUMgcbFCxvOEmrfnynLimCERcnzkqXhFWDDyVPHFIWecbQTnNweEkjkRvRXNCkDLrnpBDhARieXgGxcwScyHAGbfSsPGCNmm
get_Unicode
OoVApvKNCWMbjmsw
TpSifsaJSChhCRLg
ToArray
j*2+
<>c__DisplayClass1
ploHKtRhNIwsgwHi
RuntimeCompatibilityAttribute
IEnumerable`1
OaCUUdbKNylKMldQ
ffXZAbGikqjLPTri
SEXqSDAjAyzqJZGP
Assembly
EBcubRkFVzIcsHnG
System.Linq
OHBETpQvJUzSvDbN
Cookie
*.+
<Module>
get_EntryPoint
TOnToEJoHzuaCTAj
EUogwPTNmSuLGanlal
RSDS
Int64
System.Collections.Generic
KIXOVxxyKNRfTWND
*N+
ZrxbOHYTPrVzdxBwgW
ioJTEtmnEZNZCECt
GetBytes
cqnTrvVvFxtKhmLH
Load
mDgtmEqBETbtDmyi
System.Diagnostics
j**+
eYtKgMqksbTOmJru
XANvOPJhZNnHTGPk
.ctor
vupDlxCCGwDJLZiDhQqKURGCrDpAOCPxZNSDxzWIhMUcqsBJNVREBzripVYeiYWZXWGZHsoQutlbMAmcCYvueiiwQKnfYLHYxyqavGycgamlJNRvPcFQySeqjENsaqiwDPWdfvGPfxoDVjHANNcnPpWoYMasxUSVQMyijmXKObEqiQTcgedbnCofvdWmAPspoAUITzegJIAXqCajwnBqhBJusjfKtZNW
! (
JtzAYAVMvBhZVDwr
vkUqjDQqplwwmtSmTTwZfnPAhrYYqkUdpHCGJPeFoMVATIaprQCwXtakCqlOZPjvvvDcIfPtDAETDkJnSvLYJUGzMnFOCKwIGKdaBqwSbLnJNgfOfdoTGdHXamwqJWyAUxVTBOFkJlxEjRnkWQUKFMVjUEkyjkCmiTyPuXrANlezfrCgOZHhSjRHUqnrCXpwOBpDlzFciTzNwKqmIygqJyYZoNMratbS
CompilerGeneratedAttribute
SjyCHMFbVPYCHmAp
czLjfJIPKvRSlIRoYG
QoSeRSwAVZLlNZRybi
NkWRBclGNsQKDjBx
FIylLnEgORlGCDfo
Main
WlCeHxNxONEJjPRD
.text
Char
IDGqHNjfReKrIxQw
DTceLwnEhVmctmtt
Invoke
Void
DebuggableAttribute
abEtOEuuktezALYb
bmKkGqDwSqDDfojw
Enumerable
#GUID
AZsnKENRKxCwdDgc
v4.0.30319
RGhGpCjMwmxgqkVH
qPmXevPSxvRNtXME
ySysBEixfHtNSdRV
System.Text
nmkVQZoFTwyKTXbM
iVVWeftngbSXkLFe
NhpXJUbkIlDigrsE
JPSlAnZVRrJdqabP
XVrigoqLqGmsWmKQsU
AoIigNkUMAnYGkRc
hSIbwxPZURLVUrfu
kzwqzIIIAKdIhLVX
TeVczZVMCaMTzYBe
System.Reflection
Convert
smTRymPDjhtJyIoI
mscoree.dll
!This program cannot be run in DOS mode. $
WrapNonExceptionThrows
Boolean
ju2o8rrGuA5VDdNIET
sGCdiwHmcpxdwDCE
xiNsBQezamlwDdOk
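
Two things stand out in the string dump: the metadata names are almost all 16-character random-case tokens (the module is even called ploHKtRhNIwsgwHi, and its PDB name leaked), and the few readable names are exactly the set a .NET stage-one loader needs: FromBase64String, Encoding/GetBytes, Assembly, Load, get_EntryPoint, MethodInfo, Invoke. The script below is an added example, not the sandbox's code: it scores a string list on both signals, using a constructed subset of this page's strings as input and the editor's own thresholds.

```python
"""Static triage of a .NET string dump (added example, not the sandbox's
own code).  SAMPLE_STRINGS is a constructed subset of the strings listed on
this page; the thresholds are the editor's heuristics."""

# Constructed subset of this report's strings section (mrd.exe).
SAMPLE_STRINGS = [
    "FromBase64String", "Assembly", "Load", "get_EntryPoint", "Invoke",
    "MethodInfo", "System.Reflection", "Encoding", "GetBytes", "Substring",
    "get_Chars", "mscorlib", "System.Core", "System.Linq", "v4.0.30319",
    "ploHKtRhNIwsgwHi.pdb", "ploHKtRhNIwsgwHi.exe",
    "CompilationRelaxationsAttribute", "RuntimeCompatibilityAttribute",
    "WrapNonExceptionThrows", "DebuggingModes",
    "axIUBGeyUrztagQI", "CFLLyLJiVuMPKHFA", "KdKKOCtrlEslEdMT",
    "BmdYQuUHbddDILlo", "cZbsNSvmeTxEKxpb", "ju2o8rrGuA5VDdNIET",
    "PAPADDINGXXPADDINGPADDINGXXPADDING",
]

# Together these form the usual .NET in-memory loader chain: decode a blob,
# Assembly.Load it, fetch EntryPoint, Invoke it.  Each alone is benign.
LOADER_CHAIN = {"FromBase64String", "Assembly", "Load", "get_EntryPoint", "Invoke"}
DECODE_HELPERS = {"Encoding", "GetBytes", "Substring", "get_Chars"}


def _token(s):
    """Strip .pdb/.exe so module names are judged like any other identifier."""
    return s[:-4] if s.lower().endswith((".pdb", ".exe")) else s


def is_random_identifier(s, min_len=12, min_upper=0.25):
    """Renamed-symbol heuristic: a long alphanumeric token whose letters are
    at least a quarter upper case while still containing lower case.
    Hand-written CamelCase (RuntimeCompatibilityAttribute, ~10% upper)
    stays well under that; obfuscator output (axIUBGeyUrztagQI) is near half."""
    t = _token(s)
    if not t.isalnum() or len(t) < min_len:
        return False
    letters = [c for c in t if c.isalpha()]
    if not letters or not any(c.islower() for c in letters):
        return False
    upper = sum(1 for c in letters if c.isupper())
    return upper / len(letters) >= min_upper


def find_loader_chain(strings):
    """Report which loader APIs are present and whether the whole chain is."""
    present = set(strings)
    return {
        "loader_apis": sorted(LOADER_CHAIN & present),
        "decode_helpers": sorted(DECODE_HELPERS & present),
        "reflective_loader": LOADER_CHAIN <= present,
    }


def triage(strings):
    """Combine the API-chain check with an obfuscation ratio and PDB leak."""
    report = find_loader_chain(strings)
    candidates = [s for s in strings if _token(s).isalnum() and len(_token(s)) >= 12]
    randomized = [s for s in candidates if is_random_identifier(s)]
    report["randomized_identifiers"] = randomized
    report["obfuscation_ratio"] = round(len(randomized) / len(candidates), 2) if candidates else 0.0
    report["pdb_names"] = [s for s in strings if s.lower().endswith(".pdb")]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print("%-24s %s" % (key, value))
```

The reflective_loader verdict is only a strings-level hint: the same five names appear in legitimate plugin hosts. What makes it actionable here is the combination with a randomized-identifier ratio above one half and a module name that is itself a random token, which is what you expect from a crypter stub wrapping a base64-encoded second stage.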
Behavior analysis details
Machine name: Seven04_64
Machine label: Seven04_64
Machine manager: VirtualBox
Started: 2018-09-22 10:56:18
Ended: 2018-09-22 10:59:19
Duration: 181 s

14 Behaviors detected by system signatures

10 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\mrd.exe.config
C:\Users\Seven01\AppData\Local\Temp\mrd.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\ploHKtRhNIwsgwHi\*
C:\Users\Seven01\AppData\Local\Temp\mrd.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol36.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Seven01\os.exe
C:\Users\Seven01\os.exe:Zone.Identifier
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\system\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\api-ms-win-core-fibers-l1-1-1.DLL
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-core-fibers-l1-1-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\system\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\api-ms-win-core-localization-l1-2-1.DLL
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-core-localization-l1-2-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-localization-l1-2-1.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\system\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\ProgramData\Oracle\Java\javapath\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\wbem\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-core-sysinfo-l1-2-1.DLL
C:\Users\Seven01\AppData\LocalLow
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\mrd.exe.config
C:\Users\Seven01\AppData\Local\Temp\mrd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol36.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Write Files

C:\Users\Seven01\os.exe
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Delete Files

C:\Users\Seven01\os.exe:Zone.Identifier

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index36
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\os
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\SchemeDllRetrieveEncodedObjectW
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index36
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\os
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth

Write Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\os

Delete Keys

Nothing to display

Mutexes

ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy42.00

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
shell32.dll.SHGetFolderPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.CopyFileW
kernel32.dll.DeleteFileA
kernel32.dll.WideCharToMultiByte
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
advapi32.dll.RegSetValueExW
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
advapi32.dll.EventUnregister
kernel32.dll.GetProcessHeap
kernel32.dll.CreateEventA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetModuleHandleW
kernel32.dll.GetTickCount
kernel32.dll.TerminateThread
kernel32.dll.ReadFile
kernel32.dll.WriteFile
kernel32.dll.CreatePipe
kernel32.dll.PeekNamedPipe
kernel32.dll.GetStartupInfoA
kernel32.dll.GetExitCodeProcess
kernel32.dll.SizeofResource
kernel32.dll.QueryDosDeviceW
kernel32.dll.GetVolumeInformationW
kernel32.dll.SetPriorityClass
kernel32.dll.VirtualFree
kernel32.dll.GetCommandLineW
kernel32.dll.GetCurrentProcess
kernel32.dll.lstrlenW
kernel32.dll.GetDiskFreeSpaceW
kernel32.dll.VirtualAlloc
kernel32.dll.TerminateProcess
kernel32.dll.GetModuleFileNameW
kernel32.dll.K32GetModuleFileNameExW
kernel32.dll.Thread32Next
kernel32.dll.GetTempPathW
kernel32.dll.CreateMutexW
kernel32.dll.Thread32First
kernel32.dll.WaitForSingleObject
kernel32.dll.LocalAlloc
kernel32.dll.GetFileAttributesW
kernel32.dll.K32GetProcessImageFileNameW
kernel32.dll.SuspendThread
kernel32.dll.OpenProcess
kernel32.dll.SetFileAttributesW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32NextW
kernel32.dll.K32GetProcessMemoryInfo
kernel32.dll.LockResource
kernel32.dll.GlobalAlloc
kernel32.dll.Process32FirstW
kernel32.dll.GlobalFree
kernel32.dll.GetSystemInfo
kernel32.dll.LoadLibraryW
kernel32.dll.FindResourceExW
kernel32.dll.LoadResource
kernel32.dll.FindResourceW
kernel32.dll.GetPriorityClass
kernel32.dll.GlobalLock
kernel32.dll.LocalFree
kernel32.dll.MoveFileExW
kernel32.dll.ExitProcess
kernel32.dll.GetCurrentProcessId
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.CreateProcessW
kernel32.dll.FreeLibrary
kernel32.dll.GlobalUnlock
kernel32.dll.GetDriveTypeW
kernel32.dll.OpenThread
kernel32.dll.Sleep
kernel32.dll.Beep
kernel32.dll.SetStdHandle
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.GetCommandLineA
kernel32.dll.GetOEMCP
kernel32.dll.IsValidCodePage
kernel32.dll.FindNextFileA
kernel32.dll.FindFirstFileExA
kernel32.dll.GetTimeZoneInformation
kernel32.dll.EnumSystemLocalesW
kernel32.dll.DeleteCriticalSection
kernel32.dll.IsValidLocale
kernel32.dll.GetTimeFormatW
kernel32.dll.GetDateFormatW
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.FlushFileBuffers
kernel32.dll.FreeLibraryAndExitThread
kernel32.dll.ExitThread
kernel32.dll.CreateThread
kernel32.dll.GetACP
kernel32.dll.WriteConsoleW
kernel32.dll.GetModuleHandleExW
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetFileType
kernel32.dll.GetStdHandle
kernel32.dll.LoadLibraryExW
kernel32.dll.InterlockedPushEntrySList
kernel32.dll.RtlUnwind
kernel32.dll.AreFileApisANSI
kernel32.dll.DeviceIoControl
kernel32.dll.SetFilePointerEx
kernel32.dll.SetEndOfFile
kernel32.dll.RemoveDirectoryW
kernel32.dll.GetFileTime
kernel32.dll.HeapAlloc
kernel32.dll.CloseHandle
kernel32.dll.HeapReAlloc
kernel32.dll.SetEvent
kernel32.dll.GetLastError
kernel32.dll.MultiByteToWideChar
kernel32.dll.HeapSize
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.HeapFree
kernel32.dll.FindNextFileW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.DeleteFileW
kernel32.dll.CreateFileW
kernel32.dll.FormatMessageA
kernel32.dll.SystemTimeToFileTime
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetWaitableTimer
kernel32.dll.OpenEventA
kernel32.dll.WaitForMultipleObjectsEx
kernel32.dll.ReleaseSemaphore
kernel32.dll.OutputDebugStringW
kernel32.dll.GetCurrentThreadId
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetStartupInfoW
kernel32.dll.IsDebuggerPresent
kernel32.dll.ReadConsoleW
kernel32.dll.InitializeSListHead
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.WaitForSingleObjectEx
kernel32.dll.ResetEvent
kernel32.dll.GetCPInfo
kernel32.dll.GetLocaleInfoW
kernel32.dll.LCMapStringW
kernel32.dll.CompareStringW
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.TlsFree
kernel32.dll.TlsSetValue
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.SwitchToThread
kernel32.dll.CreateEventW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.SetLastError
kernel32.dll.GetStringTypeW
kernel32.dll.GetUserDefaultLCID
kernel32.dll.HeapDestroy
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.QueryServiceStatusEx
advapi32.dll.EnumServicesStatusW
advapi32.dll.OpenServiceW
advapi32.dll.RegDeleteValueW
advapi32.dll.QueryServiceConfigW
advapi32.dll.StartServiceW
advapi32.dll.ControlService
advapi32.dll.DeleteService
advapi32.dll.RegCreateKeyExW
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.OpenSCManagerW
advapi32.dll.CloseServiceHandle
advapi32.dll.RegDeleteKeyExW
advapi32.dll.GetCurrentHwProfileW
advapi32.dll.AdjustTokenPrivileges
dnsapi.dll.DnsQuery_A
gdi32.dll.DeleteObject
gdi32.dll.BitBlt
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.SaveDC
gdi32.dll.SelectObject
gdi32.dll.CreateDIBSection
gdi32.dll.CreateCompatibleDC
gdi32.dll.StretchBlt
gdi32.dll.GetDeviceCaps
gdi32.dll.GetObjectW
gdi32.dll.SetStretchBltMode
gdi32.dll.RestoreDC
gdi32.dll.DeleteDC
gdiplus.dll.GdipBitmapUnlockBits
gdiplus.dll.GdipCloneImage
gdiplus.dll.GdipAlloc
gdiplus.dll.GdipGetImageEncoders
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdiplusStartup
gdiplus.dll.GdipDisposeImage
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipCreateHBITMAPFromBitmap
gdiplus.dll.GdipScaleWorldTransform
gdiplus.dll.GdipFree
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipGetImageGraphicsContext
gdiplus.dll.GdipGetImageEncodersSize
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipCreateBitmapFromFile
gdiplus.dll.GdipSaveImageToStream
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipDrawImageI
gdiplus.dll.GdipCreateBitmapFromHBITMAP
gdiplus.dll.GdipGetImageWidth
iphlpapi.dll.SetTcpEntry
ole32.dll.CoCreateInstance
ole32.dll.CoSetProxyBlanket
ole32.dll.CoInitialize
ole32.dll.CreateStreamOnHGlobal
ole32.dll.CoInitializeSecurity
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#7
pdh.dll.PdhOpenQueryA
pdh.dll.PdhGetFormattedCounterValue
pdh.dll.PdhCollectQueryData
shell32.dll.ShellExecuteW
shell32.dll.SHGetFileInfoW
shell32.dll.ShellExecuteExW
shlwapi.dll.#213
shlwapi.dll.#184
shlwapi.dll.#214
urlmon.dll.URLOpenBlockingStreamW
urlmon.dll.URLDownloadToFileW
user32.dll.GetIconInfo
user32.dll.EnumDisplayMonitors
user32.dll.GetDC
user32.dll.GetWindowRect
user32.dll.GetLastInputInfo
user32.dll.SetForegroundWindow
user32.dll.SendMessageW
user32.dll.SetWindowsHookExW
user32.dll.EnumWindows
user32.dll.TranslateMessage
user32.dll.FindWindowW
user32.dll.SetFocus
user32.dll.PeekMessageW
user32.dll.GetSystemMetrics
user32.dll.GetForegroundWindow
user32.dll.SetWindowTextW
user32.dll.GetKeyboardLayout
user32.dll.DispatchMessageW
user32.dll.CallNextHookEx
user32.dll.GetKeyState
user32.dll.GetMessageW
user32.dll.GetWindowThreadProcessId
user32.dll.GetWindowTextW
user32.dll.SendInput
user32.dll.SetCursorPos
user32.dll.VkKeyScanW
user32.dll.GetKeyboardState
user32.dll.SetKeyboardState
user32.dll.GetDesktopWindow
user32.dll.DrawIconEx
user32.dll.SetClipboardData
user32.dll.GetWindowDC
user32.dll.keybd_event
user32.dll.MapVirtualKeyW
user32.dll.EmptyClipboard
user32.dll.ToUnicodeEx
user32.dll.GetWindowPlacement
user32.dll.GetClipboardData
user32.dll.GetClassNameW
user32.dll.CloseClipboard
user32.dll.UnhookWindowsHookEx
user32.dll.OpenClipboard
user32.dll.GetCursorInfo
user32.dll.GetMonitorInfoW
user32.dll.ShowWindow
wininet.dll.HttpOpenRequestW
wininet.dll.InternetReadFile
wininet.dll.DeleteUrlCacheEntryW
wininet.dll.InternetConnectW
wininet.dll.InternetCloseHandle
wininet.dll.HttpSendRequestW
wininet.dll.InternetOpenW
winmm.dll.waveInAddBuffer
winmm.dll.waveInStart
winmm.dll.waveInOpen
winmm.dll.waveInUnprepareHeader
winmm.dll.waveInPrepareHeader
winmm.dll.waveInClose
winmm.dll.waveInGetDevCapsW
winmm.dll.waveInGetNumDevs
wlanapi.dll.WlanHostedNetworkSetSecondaryKey
wlanapi.dll.WlanHostedNetworkInitSettings
wlanapi.dll.WlanHostedNetworkQueryStatus
wlanapi.dll.WlanRegisterVirtualStationNotification
wlanapi.dll.WlanHostedNetworkForceStart
wlanapi.dll.WlanOpenHandle
wlanapi.dll.WlanHostedNetworkSetProperty
wlanapi.dll.WlanFreeMemory
wlanapi.dll.WlanRegisterNotification
wlanapi.dll.WlanCloseHandle
wlanapi.dll.WlanHostedNetworkForceStop
ws2_32.dll.#52
ws2_32.dll.#115
ws2_32.dll.#11
ws2_32.dll.#12
ws2_32.dll.#57
ws2_32.dll.#116
kernel32.dll.InitOnceExecuteOnce
kernel32.dll.CreateSemaphoreW
kernel32.dll.GetFileInformationByHandleEx
kernel32.dll.SetFileInformationByHandle
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.InitializeSRWLock
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.TryAcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.SleepConditionVariableSRW
kernel32.dll.CreateThreadpoolWork
kernel32.dll.SubmitThreadpoolWork
kernel32.dll.CloseThreadpoolWork
api-ms-win-core-synch-l1-2-0.dll.InitializeConditionVariable
api-ms-win-core-synch-l1-2-0.dll.SleepConditionVariableCS
api-ms-win-core-synch-l1-2-0.dll.WakeAllConditionVariable
ntdll.dll.RtlEqualUnicodeString
kernel32.dll.CreateHardLinkW
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
ntdll.dll.RtlGetVersion
kernel32.dll.GetProductInfo
advapi32.dll.GetUserNameW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
shlwapi.dll.UrlGetPartW
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
cryptbase.dll.SystemFunction001
cryptbase.dll.SystemFunction002
cryptbase.dll.SystemFunction003
cryptbase.dll.SystemFunction004
cryptbase.dll.SystemFunction005
cryptbase.dll.SystemFunction028
cryptbase.dll.SystemFunction029
cryptbase.dll.SystemFunction034
cryptbase.dll.SystemFunction040
cryptbase.dll.SystemFunction041
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
sechost.dll.ConvertSidToStringSidW
profapi.dll.#104
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.#6
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpQueryDataAvailable
ws2_32.dll.#22
winhttp.dll.WinHttpReadData
ws2_32.dll.#3
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
kernel32.dll.SetWaitableTimerEx

Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
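
The raw lists above are what an analyst actually works from: the resolved imports include the full sequence used for process hollowing (CreateProcessA, GetThreadContext/Wow64GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext/Wow64SetThreadContext, ResumeThread), the hook and key-state APIs of a keylogger, clipboard and waveIn audio capture, GDI screen-capture calls, WinINet/WinHTTP clients, and a single write to HKCU\...\CurrentVersion\Run\os; the only executed command is the .NET compiler vbc.exe, a plausible hollowing host although the report itself does not confirm that link. The script below is an added example, not the sandbox's own scoring or anything from the sample's author: it groups a "Resolved APIs" dump into capability clusters that only fire when every required slot of the technique is present, and flags Run-key writes. The cluster definitions are the editor's heuristics (an assumption); the sample lines are copied from this report's own lists.

```python
"""Capability triage over the 'Resolved APIs' and 'Write Keys' lists of a
sandbox report like the one above.

Added example for this page, not tooling from the sandbox or the sample's
author. CAPABILITIES is the editor's own heuristic mapping (an assumption,
not the sandbox's MalScore logic); the SAMPLE_* inputs are lines copied
from the report.
"""
import re

# Each capability is a list of "slots"; the capability counts as present
# only if every slot is satisfied by at least one of its alternative APIs
# (module prefix stripped, lower-cased).
CAPABILITIES = {
    "process_hollowing": [
        {"createprocessa", "createprocessw"},
        {"ntunmapviewofsection"},
        {"virtualallocex"},
        {"writeprocessmemory"},
        {"setthreadcontext", "wow64setthreadcontext"},
        {"resumethread"},
    ],
    "keylogging": [
        {"setwindowshookexw", "setwindowshookexa"},
        {"callnexthookex"},
        {"getkeystate", "getkeyboardstate", "tounicodeex"},
    ],
    "clipboard_access": [{"openclipboard"}, {"getclipboarddata"}],
    "audio_capture": [{"waveinopen"}, {"waveinstart"}, {"waveinaddbuffer"}],
    "screen_capture": [
        {"getdc", "getwindowdc"},
        {"bitblt", "stretchblt"},
        {"createcompatiblebitmap", "createdibsection"},
    ],
    "http_client": [
        {"internetopenw", "winhttpopen"},
        {"httpsendrequestw", "winhttpsendrequest"},
    ],
}

# "module.dll.Name"; ordinal imports such as "ws2_32.dll.#52" do not match.
_API_LINE = re.compile(r"^\s*([\w.-]+\.dll)\.([A-Za-z_]\w*)\s*$")
# Any hive, any prefix, ...\CurrentVersion\Run\ or \RunOnce\ (case-insensitive).
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def parse_resolved_apis(text):
    """Return the set of lower-cased API names found in a resolved-API dump."""
    apis = set()
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            apis.add(m.group(2).lower())
    return apis


def match_capabilities(apis):
    """Map each fully satisfied capability to the sorted APIs that satisfied it."""
    hits = {}
    for name, slots in CAPABILITIES.items():
        matched = [sorted(slot & apis) for slot in slots]
        if all(matched):  # every slot has at least one hit
            hits[name] = sorted(a for group in matched for a in group)
    return hits


def find_run_key_writes(text):
    """Return written registry paths under ...\\CurrentVersion\\Run or RunOnce."""
    return [ln.strip() for ln in text.splitlines() if _RUN_KEY.search(ln)]


def triage(api_text, write_keys_text):
    """Combine API clusters and Run-key persistence into one findings dict."""
    findings = match_capabilities(parse_resolved_apis(api_text))
    run_keys = find_run_key_writes(write_keys_text)
    if run_keys:
        findings["registry_run_persistence"] = run_keys
    return findings


# Constructed sample: a subset of the report's own 'Resolved APIs' lines.
SAMPLE_APIS = """\
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
user32.dll.SetWindowsHookExW
user32.dll.CallNextHookEx
user32.dll.GetKeyState
user32.dll.ToUnicodeEx
user32.dll.OpenClipboard
user32.dll.GetClipboardData
winmm.dll.waveInOpen
winmm.dll.waveInStart
winmm.dll.waveInAddBuffer
user32.dll.GetDC
gdi32.dll.BitBlt
gdi32.dll.CreateCompatibleBitmap
wininet.dll.InternetOpenW
wininet.dll.HttpSendRequestW
ws2_32.dll.#52
"""
# Constructed sample: the single entry of the report's 'Write Keys' list.
SAMPLE_WRITE_KEYS = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\os\n"

if __name__ == "__main__":
    for cap, evidence in triage(SAMPLE_APIS, SAMPLE_WRITE_KEYS).items():
        print(f"{cap}: {', '.join(evidence)}")
```

The slot model is deliberately strict: a process that merely resolves CreateProcessW and ResumeThread is not reported as hollowing, while a dump that covers every step is. Treat the output as triage hints to confirm in the memory image or with API tracing, not as a verdict.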

Started Services

Nothing to display

Created Services

Nothing to display

Behavior analysis details

Machine name Machine label Machine manager Started Ended Duration (s)
Seven04_64 Seven04_64 VirtualBox 2018-09-22 10:56:18 2018-09-22 10:59:19 181

9 Host(s) detected

IP Address Country Reverse DNS
91.239.100.100 Denmark anycast.censurfridns.dk.
89.233.43.71 Denmark unicast.censurfridns.dk.
77.88.8.8 Russian Federation dns.yandex.ru.
180.76.76.76 China public-dns-a.baidu.com.
139.175.55.244 Taiwan
123.125.81.6 China
114.114.114.114 China public1.114dns.com.
101.226.4.6 China
1.2.4.8 China public1.sdns.cn.

Host(s) by Country

Hosts Country (4 countries)
5 China
2 Denmark
1 Taiwan
1 Russian Federation


TheSystem Itself @ 2018-09-22 11:00:06

Detected family: #Malicious

TheSystem Itself @ 2018-09-22 11:06:05