MalScore
100/100

ORDER.exe

Badges: Is DLL, Packer, Anti Debug, Anti VM, Signed, XOR | AntiVirus: 25/67 | Related: 2476
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 260.00 KB (266240 bytes)
Compile time: 2018-05-02 14:06:37
MD5: d9edbfddad6c8e3614651445203bcb48
SHA1: 3aac073da40b452dca961640fb19c18d8b6bcd44
SHA256: 00273a4718e630b9cc060da5b07d9321fc9b0bc29b161d292c84a4ef20ece846
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections: 3 (.text, .rsrc, .reloc)
Directories: 3 (import, resource, relocation)
First submission: 2018-05-03 16:33:06
Last submission: 2018-05-03 16:33:06
Filename detected: ORDER.exe (1)
URL file hosting
hXXp://23.249.161.153/ORDER.exe (VirusTotal)
Antivirus Report
Report date: 2018-05-03 04:34:42 | Detection ratio: 25/67 | Permalink: VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x1f144 127488 1069dff00008a96e4a864b23070bed0b 315afa7bcf7cbeef848bca37c7c04ab90218cf3a
.rsrc 0x22000 0x21956 137728 a602fe845d41fbc56b5c79b6e0ad4cb3 8a843ba8a4d5511c75705de3573273c839c75419
.reloc 0x44000 0xc 512 42721def6bc401ca4cf261fbc7a56832 655389b9026b729d8015afb7e72dd58a7d947709
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x22178 16936 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x263a0 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x263b4 636 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_HTML 0x26630 119098 LANG_GERMAN SUBLANG_GERMAN
RT_MANIFEST 0x4376c 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: SrbaeAv2rudfsJ2b.Euro.exe
FileVersion: 0.0.0.0
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: SrbaeAv2rudfsJ2b.Euro.exe
ProductVersion: 0.0.0.0
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
Strings (notable entries; the random-character filler that makes up most of the dump is omitted)

Reversed strings (several identifiers are stored back-to-front; decoded here by reversing them):
lld.tnemeganaM.metsyS -> System.Management.dll
lld.eroC.metsyS -> System.Core.dll
lld.metsyS -> System.dll
lld.gniwarD.metsyS -> System.Drawing.dll
#ssap# -> #pass#
#emanser# -> #resname#
exeniw:tegrat/ +gubed/ 68X:mroftalp/ +ezimitpo/ -> /optimize+ /platform:X86 /debug+ /target:winexe
The four reversed assembly names are the same four assemblies probed under %TEMP% in the behaviour section (System.Management.dll, System.dll, System.Drawing.dll, System.Core.dll), and the reversed switch string is a csc.exe command line; /debug+ accounts for the fjndixtv.pdb written during analysis.

Runtime compilation (System.CodeDom.Compiler):
System.CodeDom.Compiler, CSharpCodeProvider, CodeDomProvider, CodeCompiler, CompilerParameters, CompilerResults, set_GenerateInMemory, set_GenerateExecutable, set_CompilerOptions, set_IncludeDebugInformation, get_ReferencedAssemblies, CompileAssemblyFromSource, get_CompiledAssembly, get_EntryPoint, System.Reflection, MethodInfo, MethodBase, Invoke, _AppDomain

Payload decoding and I/O:
System.IO, File, ReadAllBytes, Write, Convert, FromBase64String, System.Text, get_UTF8, GetString, ToCharArray, Reverse, Replace, Format, ToString, ToLower, string_0, method_0

Assembly identity and CLR metadata:
SrbaeAv2rudfsJ2b.Euro, SrbaeAv2rudfsJ2b.Euro.exe, <Module>, .ctor, mscorlib, mscoree.dll, _CorExeMain, v4.0.30319, BSJB, #Strings, #Blob, #GUID, &asm, Microsoft.CSharp, System, System.Diagnostics, System.Collections.Specialized, StringCollection, System.Runtime.CompilerServices, DebuggableAttribute, DebuggingModes, CompilationRelaxationsAttribute, RuntimeCompatibilityAttribute, WrapNonExceptionThrows, StructLayoutAttribute, MethodImplAttributes

Version resource:
VS_VERSION_INFO, StringFileInfo, VarFileInfo, Translation, 000004b0, InternalName, OriginalFilename, FileVersion, ProductVersion, FileDescription, LegalCopyright, Assembly Version, 0.0.0.0

Console, math and other identifiers:
Console, ReadLine, ReadKey, WriteLine, args, Environment, Exit, SpecialFolder, Random, Next, Math, Round, Truncate, Ceiling, Sqrt, Asin, Acos, Atan, Sinh, Cosh, Tanh, IEEERemainder, Double, Int32, Object, Nullable`1, get_HasValue, GetValueOrDefault, ImplicitConversion, SystemSounds, SoundPlayer, more, please, drink, Smartie, XXX, CATEGORY

Embedded PNG chunk names: PNG, IHDR, pHYs, gAMA, sRGB, IDAT, IEND

PE structure: !This program cannot be run in DOS mode. $, .text, `.rsrc, @.reloc

RT_MANIFEST:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>

.NET Framework type and member names scattered among the filler (a long list for a 260 KB binary; they sit between random-character strings rather than forming a coherent import set):
IHTMLDOMNode, SingleTypeInfo, DeploymentProgressChangedEventHandler, MidpointRounding, MonitorEnumProc, X509Certificate2Enumerator, IManifestParseErrorCallback, EnumChildren, NameObjectCollectionBase, XmlSchemaAttributeGroupRef, RangeEnumerator, UriParser, GetAttributesEvent, AppDomainSortingSetupInfo, ChunkParser, _MethodBuilder, TextShadowType, SqlDataReaderSmi, MemberRelationshipService, UnaryNode, symbmask_t, MessageAttributes, ThreadInterruptedException, Com2PropertyPageUITypeEditor, EnumUInt32TypeInfo`1, NCryptBufferDesc, MethodInvoker, SettingsProperty, _EnumBuilder, ITypeLib, MACTripleDES, CodeTypeParameterCollection, ArgumentProviderOps, DataObjectAttribute, ConsoleKeyInfo, UTF32Encoding, ArrayModel, IChannelReceiverHook, CheckedContext, ProgList, Datatype_fixed, ObjectProgress, ISupportOleDropSource, AuthenticationManager2, VersioningHelper, DeviceContextType, DataGridViewColumnEventHandler, DbConnectionClosedBusy, RegexCharClass, LabelScopeInfo, UniversalCryptoTransform, TreeViewCompareCallback, SysButton, GregorianCalendar, InteriorNode, IFontEndPoint, WAVEFORMATEX, ToolboxComponentsCreatingEventHandler, AggregateException, BindingManagerBase, DebugHandleTracker, SqlAes256CbcFactory, XmlStringConverter, DropDownHolder, EUCJPEncoding, DoubleStorage, DbiSourceLine, SecureCredential, UCOMIEnumVARIANT, OpenWriteCompletedEventHandler, IEnumSTORE_ASSEMBLY, DependentOSMetadataEntry, XsdValidatingReader, DataGridViewRowPrePaintEventArgs, DataKey, SmtpFailedRecipientsException, StackParser, EvtPublisherMetadataPropertyId, EventWaitHandle, TypeUnion, FontDialog, StickyLabel, ToolboxItemFilterType, Datatype_dateTimeBase, ResourceSet, StructCache, RecommendedAsConfigurableAttribute, RightChildResultsRecipient`1, SiteMembershipCondition, AXEditMode, XmlEscaper, SwitchLabel, ICommandAdapterHelpers, ApplicationState, ResourceDirectoryUser, DropDown, UnsharingRowEnumerator, DeflateStreamAsyncResult, ToolBarButtonClickEventArgs, InternalParseStateE, DesignerSerializationVisibility, IStore_BindingResult, CheckBox, StrongNameHelpers, MonthNameStyles, StateConverter, IEventBindingService, IDtdAttributeListInfo
Compiler-generated closure and iterator names: <>c__DisplayClass32_0, <>c__DisplayClass28_1, <>c__DisplayClass124_0, <ReverseIterator>d__74`1, <CloseAsyncCore>d__56, <EatWhitespacesAsync>d__573, <NodesBeforeSelf>d__22, <SelectManyIterator>d__20`3, <SendAsyncCore>d__47, <AcceptWebSocketAsyncCore>d__17, <GetSafeEnumerable>d__e`1, <System-Collections-Generic-IEnumerable<T>-GetEnumerator>d__21
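Added example (not code from the report or from the sample): a Python triage helper that applies the reversal decoding to a strings dump automatically, so the obfuscated assembly names, the csc.exe switch line and the #placeholder# tokens surface without reading thousands of filler lines by hand. The match patterns and the minimum length are assumptions fitted to the identifiers visible in this dump, not a published signature; the sample input is copied from the dump with a few filler strings added.

```python
"""Triage helper for reversed-string obfuscation in a `strings` dump.

Added example, not code from the report or from the sample. It reverses
each candidate string and keeps the ones whose reversal looks like a
.NET assembly name, a csc.exe switch line or a #placeholder# token.
"""
import re
from typing import Iterable

# What a *reversed* string has to look like to be reported. These
# patterns are assumptions fitted to the identifiers seen in this dump,
# not a published signature for the sample.
REVERSED_TOKEN_PATTERNS = [
    ("dotnet_assembly", re.compile(r"^(?:System|Microsoft|mscorlib)(?:\.\w+)*\.dll$")),
    ("csc_switches", re.compile(r"^(?:/\w+(?::\w+|\+|-)?\s*)+$")),
    ("placeholder", re.compile(r"^#\w+#$")),
]
MIN_LEN = 5  # shorter strings are almost always filler


def decode_reversed(strings: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (kind, as_found, decoded) for every string whose reversal
    matches one of REVERSED_TOKEN_PATTERNS, in input order."""
    hits = []
    for raw in strings:
        s = raw.strip()
        if len(s) < MIN_LEN:
            continue
        rev = s[::-1]
        for kind, pattern in REVERSED_TOKEN_PATTERNS:
            if pattern.match(rev):
                hits.append((kind, s, rev))
                break
    return hits


def referenced_assemblies(hits: list[tuple[str, str, str]]) -> set[str]:
    """Assembly names the decoded strings point at; compare these with the
    referenced-assembly probes under %TEMP% in the behaviour section."""
    return {decoded for kind, _, decoded in hits if kind == "dotnet_assembly"}


# Constructed sample: the relevant lines from the dump above, interleaved
# with filler strings so the filter has something to reject.
SAMPLE_DUMP = """
AFqgtqN
lld.tnemeganaM.metsyS
bNbnnG
lld.eroC.metsyS
#ssap#
lld.metsyS
lld.gniwarD.metsyS
#emanser#
exeniw:tegrat/ +gubed/ 68X:mroftalp/ +ezimitpo/
FromBase64String
CompileAssemblyFromSource
""".strip().splitlines()

if __name__ == "__main__":
    hits = decode_reversed(SAMPLE_DUMP)
    for kind, found, decoded in hits:
        print(f"{kind:16} {found!r:50} -> {decoded!r}")
    print("referenced assemblies:", sorted(referenced_assemblies(hits)))
```

Run it over the full output of `strings -n 5 ORDER.exe` rather than the excerpt; a forward-written string will only be reported if its reversal also happens to match one of the patterns, which the assembly and switch patterns make unlikely.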
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration (s)
Seven02_64 Seven02_64 VirtualBox 2018-05-03 16:31:32 2018-05-03 16:34:22 170

8 Behaviors detected by system signatures

10 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\ORDER.exe.config
C:\Users\Seven01\AppData\Local\Temp\ORDER.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\SrbaeAv2rud46f16a48#\*
C:\Users\Seven01\AppData\Local\Temp\ORDER.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol21.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.tmp
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.out
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.err
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.pdb
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Users\Seven01\AppData\Local\Temp\ORDER.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_64
C:\Windows\assembly\GAC_64\mscorlib.resources
C:\Windows\assembly\GAC_32
C:\Windows\assembly\GAC_32\mscorlib.resources
C:\Windows\assembly\GAC_MSIL
C:\Windows\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\*
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC
C:\Windows\assembly\GAC\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_64
C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_32
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_MSIL
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\System.Management.dll
C:\Windows
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Users\Seven01\AppData\Local\Temp\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Users\Seven01\AppData\Local\Temp\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Users\Seven01\AppData\Local\Temp\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Users\Seven01\AppData\Local\Temp\CSCA1B55FF26FB64737A0CCB2DDF34DAB26.TMP
C:\Users\Seven01\AppData\Local\Temp\RESA77B.tmp
C:\Windows\System32\tzres.dll
C:\Users\Seven01\AppData\Roaming
C:\Users\Seven01\AppData\Roaming\remcos
C:\Users\Seven01\AppData\Roaming\remcos\logs.dat

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\ORDER.exe.config
C:\Users\Seven01\AppData\Local\Temp\ORDER.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol21.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.pdb
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Users\Seven01\AppData\Local\Temp\CSCA1B55FF26FB64737A0CCB2DDF34DAB26.TMP
C:\Users\Seven01\AppData\Local\Temp\RESA77B.tmp
C:\Windows\System32\tzres.dll

Write Files

C:\Users\Seven01\AppData\Local\Temp\fjndixtv.tmp
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.out
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.err
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.pdb
C:\Users\Seven01\AppData\Local\Temp\CSCA1B55FF26FB64737A0CCB2DDF34DAB26.TMP
C:\Users\Seven01\AppData\Local\Temp\RESA77B.tmp
C:\Users\Seven01\AppData\Roaming\remcos\logs.dat

Delete Files

C:\Users\Seven01\AppData\Local\Temp\fjndixtv.out
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.pdb
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.err
C:\Users\Seven01\AppData\Local\Temp\fjndixtv.tmp
C:\Users\Seven01\AppData\Local\Temp\RESA77B.tmp
C:\Users\Seven01\AppData\Local\Temp\CSCA1B55FF26FB64737A0CCB2DDF34DAB26.TMP
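Added example (not part of the report): detection logic over sandbox-style file events for the two behaviours the summary above records, on-the-fly C# compilation through csc.exe in %TEMP% (the fjndixtv.* files) and the Remcos log written to %APPDATA%\remcos\logs.dat. The FileEvent records are constructed from the paths listed above; the report does not say which process performed each operation, so the attribution (ORDER.exe writing the source and response file, csc.exe compiling, ORDER.exe deleting the result) is an assumption, as are the devenv.exe control case and the allow-list of development tools.

```python
"""Detection logic for the runtime-compilation and Remcos artefacts listed
in the sandbox summary above.

Added example, not part of the report. The events are constructed from the
paths in the summary; which process performed each operation is an
assumption, because the summary lists paths without attribution.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the acting process
    op: str       # "write", "read" or "delete"
    path: str


# csc/vbc response file (.cmdline) and the generated source beside it,
# as CodeDom drops them into %TEMP%
CODEDOM_ARTIFACT = re.compile(
    r"\\AppData\\Local\\Temp\\(?P<stem>[a-z0-9_-]+)\.(?:cmdline|0\.cs|0\.vb)$", re.I)
# the assembly the compiler produces next to them
COMPILED_DLL = re.compile(r"\\AppData\\Local\\Temp\\(?P<stem>[a-z0-9_-]+)\.dll$", re.I)
# Remcos log location seen in the Write Files list above
REMCOS_LOG = re.compile(r"\\AppData\\Roaming\\remcos\\logs\.dat$", re.I)

COMPILER_IMAGES = {"csc.exe", "vbc.exe"}
# processes for which driving csc.exe is expected (assumed allow-list)
DEV_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def detect(events: list[FileEvent]) -> list[str]:
    """Return one finding string per suspicious pattern in `events`."""
    findings: list[str] = []
    drivers: dict[str, set[str]] = defaultdict(set)  # stem -> processes touching source/response files
    dll_ops: dict[str, set[str]] = defaultdict(set)  # stem -> operations on the compiled dll

    for ev in events:
        proc = ev.process.lower()
        if (m := CODEDOM_ARTIFACT.search(ev.path)):
            drivers[m.group("stem").lower()].add(proc)
        elif (m := COMPILED_DLL.search(ev.path)):
            dll_ops[m.group("stem").lower()].add(ev.op)
        if ev.op == "write" and REMCOS_LOG.search(ev.path):
            findings.append(f"remcos_log_write: {ev.process} -> {ev.path}")

    for stem, procs in drivers.items():
        non_dev = procs - COMPILER_IMAGES - DEV_TOOLS
        # a compiler consumed a response file that a non-development process produced
        if procs & COMPILER_IMAGES and non_dev:
            findings.append(f"runtime_compile: {sorted(non_dev)} drove csc/vbc on %TEMP%\\{stem}.*")
            if {"write", "delete"} <= dll_ops.get(stem, set()):
                findings.append(f"compiled_then_deleted: %TEMP%\\{stem}.dll")
    return findings


# Constructed events modelled on the Files / Write Files / Delete Files
# lists above. Process attribution is assumed, not stated by the report.
SAMPLE_EVENTS = [
    FileEvent("ORDER.exe", "write", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs"),
    FileEvent("ORDER.exe", "write", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline"),
    FileEvent("csc.exe", "read", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline"),
    FileEvent("csc.exe", "read", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.0.cs"),
    FileEvent("csc.exe", "write", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll"),
    FileEvent("csc.exe", "write", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.pdb"),
    FileEvent("ORDER.exe", "read", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll"),
    FileEvent("ORDER.exe", "delete", r"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.dll"),
    FileEvent("ORDER.exe", "write", r"C:\Users\Seven01\AppData\Roaming\remcos\logs.dat"),
    # benign control (constructed): a real build produces the same files from devenv.exe
    FileEvent("devenv.exe", "write", r"C:\Users\dev\AppData\Local\Temp\abc123.cmdline"),
    FileEvent("csc.exe", "read", r"C:\Users\dev\AppData\Local\Temp\abc123.cmdline"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The runtime-compile rule keys on the pairing rather than on csc.exe alone: csc.exe reading a `.cmdline` in %TEMP% is normal on a developer box, but a process outside the development allow-list producing that response file is not, and the compiled DLL being deleted right after use is the cleanup step visible in the Delete Files list.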

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ORDER.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index21
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\ORDER.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_CURRENT_USER\Software\xcsfsghsyfgghsgsgrfwwije-9KE18L\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_CURRENT_USER\Software\xcsfsghsyfgghsgsgrfwwije-9KE18L\EXEpath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\PrimaryAdapterString

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index21
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\PrimaryAdapterString

Write Keys

HKEY_CURRENT_USER\Software\xcsfsghsyfgghsgsgrfwwije-9KE18L\
HKEY_CURRENT_USER\Software\xcsfsghsyfgghsgsgrfwwije-9KE18L\EXEpath

Delete Keys

Nothing to display

Mutexes

Remcos_Mutex_Inj
xcsfsghsyfgghsgsgrfwwije-9KE18L

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.GetTempPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetStdHandle
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.CreateProcessW
kernel32.dll.DuplicateHandle
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.DeleteFileW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.FindResourceA
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
shell32.dll.SHGetFolderPathW
kernel32.dll.CompareStringOrdinal
clr.dll.CreateAssemblyNameObject
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
clr.dll.CreateAssemblyEnum
kernel32.dll.ResolveLocaleName
kernel32.dll.LoadLibraryA
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
ole32.dll.CoUninitialize
oleaut32.dll.#500
advapi32.dll.EventUnregister
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
kernel32.dll.GetProcessPreferredUILanguages
kernel32.dll.GetUserDefaultUILanguage
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
version.dll.VerQueryValueA
alink.dll.CreateALink
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
clr.dll.DllGetClassObjectInternal
clr.dll.StrongNameTokenFromPublicKey
clr.dll.StrongNameFreeBuffer
clr.dll.CompareAssemblyIdentityWithConfig
clr.dll.CreateAssemblyConfigCookie
clr.dll.DestroyAssemblyConfigCookie
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
mscorpehost.dll.InitializeSxS
mscorpehost.dll.CreateICeeFileGen
mscorpehost.dll.DestroyICeeFileGen
ole32.dll.CoCreateGuid
diasymreader.dll.DllGetClassObject
rpcrt4.dll.UuidCreate
kernel32.dll.NlsGetCacheUpdateCount
ole32.dll.CreateStreamOnHGlobal
mscoree.dll.CorExitProcess
mscoreei.dll.CorExitProcess
user32.dll.GetCursorInfo
user32.dll.GetLastInputInfo
kernel32.dll.GetConsoleWindow
psapi.dll.GetModuleFileNameExA
psapi.dll.GetModuleFileNameExW
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.IsWow64Process
kernel32.dll.GetComputerNameExW
shell32.dll.IsUserAnAdmin
kernel32.dll.SetProcessDEPPolicy

Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\fjndixtv.cmdline"
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RESA77B.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSCA1B55FF26FB64737A0CCB2DDF34DAB26.TMP"

Started Services

Nothing to display

Created Services

Nothing to display

TheSystem Itself @ 2018-05-03 16:33:10