MalScore
100/100
MalFamily
Bitcoinminer

PTS.exe

Indicators: Is DLL, Packer, Anti Debug, Anti VM, Signed, XOR, AntiVirus 44/61, Related 2581
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 132.50 KB (135680 bytes)
Compile time: 2013-11-23 08:24:52
MD5: f05d8e8e663b1d3787c78c9342e02601
SHA1: 6303820efa9a4c7a64f001bebf4d7865f0c79782
SHA256: 5e1e164978d7fa4c9462a8e8c415944e2958e9bb804a021d28c97c081cec47b7
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 4 import resource debug relocation
First submission: 2016-01-04 10:32:13
Last submission: 2016-01-04 10:32:13
Filename detected: - PTS.exe (1)
URL file hosting
hXXp://spreadingcnw.de/PTS.exe
VirusTotal Antivirus Report
Report Date Detection Ratio Permalink Update
2017-03-21 04:16:44 [44/61] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x20704 133120 e7ac4d4942279dc18cebca0660a9cb58 07914430bde25cfefbb601932b5158686d828516
.rsrc 0x24000 0x4c8 1536 430d48c882e9a2efedbdaa03dbfd7105 f5fa2adc2702b8191483b23974a188349d243b4e
.reloc 0x26000 0xc 512 7eeaee0d31cfaa55e9710eca88ebe7b2 a4b069ae5420651e8f5dd15c0abe53c1ebb3e2ce
PE Resources
Name Offset Size Language Sublanguage Data
RT_VERSION 0x240a0 564 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x242d8 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: PTS.exe
FileVersion: 0.0.0.0
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: PTS.exe
ProductVersion: 0.0.0.0
XOR
8 1562
1 1562
2 1562
4 1562
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
KERNEL32.dll
mscoree.dll
USER32.dll
WS2_32.DLL
IP Found
No IP detected
URL(s)
http://poolurl.com:10034
http://
http://ypool.net
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven03_64 Seven03_64 VirtualBox 2017-04-17 18:37:24 2017-04-17 18:40:13 169

8 Behaviors detected by system signatures

8 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\PTS.exe.config
C:\Users\Seven01\AppData\Local\Temp\PTS.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\PTS\*
C:\Users\Seven01\AppData\Local\Temp\PTS.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe
C:\Users\Seven01\AppData\Roaming\PTS
C:\Users\Seven01\AppData\Roaming
C:\Users\Seven01\AppData\Roaming\PTS\run.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
\??\MountPointManager
C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe.config
C:\Users\Seven01\AppData\Roaming\PTS\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Roaming\PTS\PTS.INI

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\PTS.exe.config
C:\Users\Seven01\AppData\Local\Temp\PTS.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c7dd43f20550205c8b37ec91b5f2bec7\System.Windows.Forms.ni.dll
C:\Users\Seven01\AppData\Roaming\PTS\run.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe.config
C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe

Write Files

C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe
C:\Users\Seven01\AppData\Roaming\PTS\run.exe

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PTS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PTS Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3512230a-fb0b-11e5-b945-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3512230a-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3512230a-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122306-fb0b-11e5-b945-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122306-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122306-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122307-fb0b-11e5-b945-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122307-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122307-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\PTS.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\46AFBE0F
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PTS Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3512230a-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3512230a-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122306-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122306-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122307-fb0b-11e5-b945-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{35122307-fb0b-11e5-b945-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\46AFBE0F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PTS Software

Delete Keys

Nothing to display

Mutexes

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
shell32.dll.SHGetFolderPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.CreateDirectoryW
kernel32.dll.CopyFileW
kernel32.dll.CreateFileW
kernel32.dll.CloseHandle
kernel32.dll.GetFileType
kernel32.dll.WriteFile
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
advapi32.dll.RegSetValueExW
kernel32.dll.LocalAlloc
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
kernel32.dll.LocalFree
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
advapi32.dll.EventUnregister
kernel32.dll.IsProcessorFeaturePresent

Execute Commands

C:\Users\Seven01\AppData\Roaming\PTS\PTS.exe 
C:\Users\Seven01\AppData\Roaming\PTS\run.exe -o ypool.net -u karstenhauger.silent -p x -m256
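
Two entries in this report are the ones a responder pivots on: the single value written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (logon persistence that needs no elevation, which is why a user-context dropper picks it), and the run.exe command line, which follows the -o pool / -u login / -p password argument convention of cpuminer-family pool miners. The Python below is an added example, not output of the sandbox or code from the sample: it parses those two sections from the report's own lines (the notepad command line is constructed as a benign control), recognises Run/RunOnce writes under both HKCU and HKLM (the HKLM and RunOnce prefixes go beyond what this report shows), and extracts pool host and login from the miner launch. Two assumptions are marked in the code: the -u value is split on its first dot as account.worker, a common pool convention that not every pool follows, and -m256 is kept verbatim rather than interpreted.

```python
"""Triage of two behaviours from the sandbox report above: the HKCU Run-key
write and the run.exe pool-miner command line. Added example, not report output."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# From the report's "Write Keys" and "Execute Commands" sections; the notepad
# line is constructed as a benign control.
REPORT_WRITE_KEYS = [
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PTS Software",
]
REPORT_COMMANDS = [
    "C:\\Users\\Seven01\\AppData\\Roaming\\PTS\\PTS.exe",
    "C:\\Users\\Seven01\\AppData\\Roaming\\PTS\\run.exe -o ypool.net -u karstenhauger.silent -p x -m256",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\Seven01\\notes.txt",  # constructed
]

# Autostart keys; the HKCU ones need no elevation, which is why a user-context
# implant picks them. HKLM/RunOnce are added for generality beyond this report.
AUTORUN_PREFIXES = (
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
)
# Short and long forms used by cpuminer-family tools.
MINER_OPTS = {"-o": "pool", "--url": "pool", "-u": "user", "--user": "user",
              "-p": "password", "--pass": "password"}


def classify_written_key(key: str) -> Optional[str]:
    """Autorun value name if `key` lies under a Run/RunOnce key, else None.
    Registry paths are case-insensitive, so compare lowered."""
    low = key.lower()
    for prefix in AUTORUN_PREFIXES:
        if low.startswith(prefix.lower()):
            return key[len(prefix):]
    return None


@dataclass
class MinerLaunch:
    image: str
    pool: str
    user: str
    password: Optional[str]
    other_args: List[str] = field(default_factory=list)

    def pool_host(self) -> str:
        """Host part of -o: drop an optional scheme, path and port."""
        host = re.sub(r"^[a-z+]+://", "", self.pool, flags=re.I).split("/")[0]
        return host.rsplit(":", 1)[0] if ":" in host else host

    def login(self) -> Tuple[str, Optional[str]]:
        """(account, worker) split on the first dot. Assumption: the common
        account.worker convention; pools differ, so treat it as a hint."""
        parts = self.user.split(".", 1)
        return parts[0], (parts[1] if len(parts) == 2 else None)


def parse_miner_cmdline(cmdline: str) -> Optional[MinerLaunch]:
    """Parse a cpuminer-style launch (-o pool, -u login, -p password). None
    unless both pool and login are present, the minimum needed to connect and
    be credited. Other options (here -m256) are kept verbatim, not interpreted."""
    try:
        argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if not argv:
        return None
    fields = {"pool": None, "user": None, "password": None}
    other: List[str] = []
    i = 1
    while i < len(argv):
        if argv[i] in MINER_OPTS and i + 1 < len(argv):
            fields[MINER_OPTS[argv[i]]] = argv[i + 1]
            i += 2
        else:
            other.append(argv[i])
            i += 1
    if fields["pool"] is None or fields["user"] is None:
        return None
    return MinerLaunch(argv[0], fields["pool"], fields["user"], fields["password"], other)


def triage(write_keys: List[str], commands: List[str]) -> List[str]:
    """One finding per autorun write and per miner launch, in report order."""
    findings = []
    for key in write_keys:
        name = classify_written_key(key)
        if name is not None:
            findings.append(f"persistence: autorun value '{name}' written at {key}")
    for cmd in commands:
        launch = parse_miner_cmdline(cmd)
        if launch is not None:
            account, worker = launch.login()
            findings.append(f"miner: {launch.image} -> {launch.pool_host()} "
                            f"account={account} worker={worker}")
    return findings


if __name__ == "__main__":
    for line in triage(REPORT_WRITE_KEYS, REPORT_COMMANDS):
        print(line)
```

Run as a script it prints one persistence finding and one miner finding for this report; the pool host and the account half of the login are the values to search for across other samples and in proxy logs, since the worker suffix and the dropped file name change more often than the payout account.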

Started Services

Nothing to display

Created Services

Nothing to display

#Ransomware #Zerolocker

Davide Baglieri @ 2016-06-21 11:59:19

Detected family: #Bitcoinminer

TheSystem Itself @ 2017-04-17 18:44:01