What is sjhitgnd_005.exe?
sjhitgnd_005.exe is part of EasyLook and developed by EasyLook according to the sjhitgnd_005.exe version information.
sjhitgnd_005.exe's description is "EasyLook Setup "
sjhitgnd_005.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected sjhitgnd_005.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on sjhitgnd_005.exe:
| Property | Value |
|---|---|
| Product name | EasyLook |
| Company name | EasyLook |
| File description | EasyLook Setup |
| Comments | This installation was built with Inno Setup. |
| Legal copyright | |
| Product version | 1.0.0.3 |
| File version |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | EasyLook .. |
| Company name | EasyLook .. |
| File description | EasyLook Setup .. |
| Comments | This installation was built with Inn.. |
| Legal copyright | .. |
| Product version | 1.0.0.3 |
| File version |
Digital signatures [?]
sjhitgnd_005.exe is not signed.
VirusTotal report
34 of the 68 anti-virus programs at VirusTotal detected the sjhitgnd_005.exe file. That's a 50% detection rate.
| Scanner | Detection Name |
|---|---|
| AegisLab | Trojan.Win32.Agent.4!c |
| Alibaba | TrojanDownloader:Win32/Agent.53c6a67a |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | HEUR/AGEN.1033044 |
| CAT-QuickHeal | TrojanDownloader.Agent |
| Comodo | Malware@#9ymcub1j0usc |
| CrowdStrike | win/malicious_confidence_60% (W) |
| Cybereason | malicious.9b9a03 |
| Cyren | W32/Delf.IB.gen!Eldorado |
| DrWeb | Trojan.DownLoader27.8143 |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/TrojanDownloader.Agent.DZZ |
| F-Prot | W32/Delf.IB.gen!Eldorado |
| F-Secure | Heuristic.HEUR/AGEN.1033044 |
| GData | Win32.Trojan.Agent.FSDRBT |
| Ikarus | Trojan-Downloader.Win32.Agent |
| Invincea | heuristic |
| Kaspersky | Trojan-Downloader.Win32.Agent.xxxzlp |
| Malwarebytes | Trojan.Downloader |
| MAX | malware (ai score=100) |
| MaxSecure | Trojan.Malware.1728101.susgen |
| McAfee | Artemis!04752A73F18C |
| McAfee-GW-Edition | BehavesLike.Win32.AdwareFileTour.fc |
| Microsoft | Trojan:Win32/Tiggre!rfn |
| NANO-Antivirus | Trojan.Win32.Generic.feiqzd |
| Panda | Trj/CI.A |
| Qihoo-360 | Win32/Trojan.Downloader.3e6 |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
| Tencent | Win32.Trojan-downloader.Agent.Een |
| VBA32 | Trojan.Downloader |
| Zillya | Downloader.Agent.Win32.354665 |
| ZoneAlarm | Trojan-Downloader.Win32.Agent.xxxzlp |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp"
],
"dll_loaded": [
"C:\\Windows\\SysWOW64\\NETAPI32.DLL",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\SysWOW64\\SHLWAPI.DLL",
"msimg32.dll",
"C:\\Windows\\SysWOW64\\OLE32.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"Msi.DLL",
"kernel32.DLL",
"OLEAUT32.DLL",
"comctl32",
"ole32.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"IMM32.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"shell32.dll",
"uxtheme.dll",
"OLEAUT32.dll",
"COMCTL32",
"rpcrt4.DLL",
"C:\\Windows\\SysWOW64\\SAGE.DLL",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"SXS.DLL",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Windows\\SysWOW64\\TSAPPCMP.DLL",
"C:\\Windows\\SysWOW64\\msi.dll",
"shfolder.dll",
"C:\\Windows\\SysWOW64\\KERNEL32.DLL",
"ADVAPI32.dll",
"Ntdll.dll"
],
"file_opened": [
"C:\\Windows\\System32\\imageres.dll",
"C:\\Windows\\System32\\shell32.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\System32\\msimsg.dll",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
"HKEY_CURRENT_USER\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{000C101D-0000-0000-C000-000000000046}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Interface\\{000C101C-0000-0000-C000-000000000046}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WbemScripting.SWbemLocator\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\Progid",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
"HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocHandler32",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocHandler",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\CLSID\\{000C103E-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
"HKEY_CLASSES_ROOT\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion",
"HKEY_CURRENT_USER\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\Progid",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\WBEMScripting.SWBEMLocator",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocHandler32"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp\" \/SL5=\"$60262,54272,54272,C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin\" "
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\RunTongJi.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"mutex": [
"Global\\_MSIExecute"
],
"file_failed": [
"C:\\Windows\\SysWOW64\\http:\\dl.kanshimei.cn\\m\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c964.jpg"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{76a64158-cb41-11d1-8b02-00600806d9b6}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{000c101c-0000-0000-c000-000000000046}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{00020400-0000-0000-c000-000000000046}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\FileSystem\\Win31FileSystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WbemScripting.SWbemLocator\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaverIsSecure",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDVersion"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\*"
]
}Dropped
[
{
"yara": [],
"sha1": "2b55dc4dfe74788ff70da41d1212c7b90a498bf4",
"name": "1844cc58c18e8858_898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "1844cc58c18e88582992882fa25e39dab18a87112b4f7e65bb286defad842400",
"urls": [
"http:\/\/restools.hanzify.org\/",
"http:\/\/www.remobjects.com\/ps",
"http:\/\/www.innosetup.com\/"
],
"crc32": "0DD12613",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4371\/files\/1844cc58c18e8858_898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"ssdeep": null,
"size": 741888,
"sha512": "168fc1fd7b4fe12089b0acd12e2b27c3f5f3668470b69ac1d6c249ce19766bb98775355b0aac9ef89ecb78e0e9e46c861a3efcd691353f03772eca6e7b65280e",
"pids": [
2800
],
"md5": "e653c3432245b7d8e4dc880e9b4acc87"
},
{
"yara": [],
"sha1": "3e89ff837147c16b4e41c30d6c796374e0b8e62c",
"name": "9884e9d1b4f8a873__shfoldr.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows",
"sha256": "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87",
"urls": [],
"crc32": "AE2C3EC2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4371\/files\/9884e9d1b4f8a873__shfoldr.dll",
"ssdeep": null,
"size": 23312,
"sha512": "9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3",
"pids": [
2588
],
"md5": "92dc6ef532fbb4a5c3201469a5b5eb63"
},
{
"yara": [],
"sha1": "12e2cb05506ee3e82046c41510f39a258a5e5549",
"name": "4dc09bac0613590f__RegDLL.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2",
"urls": [],
"crc32": "2748B2DA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4371\/files\/4dc09bac0613590f__RegDLL.tmp",
"ssdeep": null,
"size": 4096,
"sha512": "a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9",
"pids": [
2588
],
"md5": "0ee914c6f0bb93996c75941e1ad629c6"
},
{
"yara": [],
"sha1": "efe32d504ce72f32e92dcf01aa2752b04d81a342",
"name": "a4c86fc4836ac728__setup64.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp",
"type": "PE32+ executable (console) x86-64, for MS Windows",
"sha256": "a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81",
"urls": [],
"crc32": "B1C5F7C5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4371\/files\/a4c86fc4836ac728__setup64.tmp",
"ssdeep": null,
"size": 6144,
"sha512": "ba0469851438212d19906d6da8c4ae95ff1c0711a095d9f21f13530a6b8b21c3acbb0ff55edb8a35b41c1a9a342f5d3421c00ba395bc13bb1ef5902b979ce824",
"pids": [
2588
],
"md5": "4ff75f505fddcc6a9ae62216446205d9"
},
{
"yara": [],
"sha1": "bc8f404ffdb1960b50c12ff9413c893b56f2e36f",
"name": "2f6294f9aa09f59a__iscrypt.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc",
"urls": [],
"crc32": "FB05FA3A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4371\/files\/2f6294f9aa09f59a__iscrypt.dll",
"ssdeep": null,
"size": 2560,
"sha512": "e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63",
"pids": [
2588
],
"md5": "a69559718ab506675e907fe49deb71e9"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"process_name": "898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"pid": 2800,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp"
],
"dll_loaded": [
"dwmapi.dll",
"kernel32.dll",
"UxTheme.dll",
"shell32.dll",
"comctl32.dll",
"C:\\Windows\\system32\\uxtheme.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp\" \/SL5=\"$60262,54272,54272,C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin\" "
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
]
},
"first_seen": 1576709585.59375,
"ppid": 2924
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1576709585.34375,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"process_name": "898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"pid": 2588,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp"
],
"dll_loaded": [
"C:\\Windows\\SysWOW64\\NETAPI32.DLL",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\SysWOW64\\SHLWAPI.DLL",
"msimg32.dll",
"C:\\Windows\\SysWOW64\\OLE32.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"Msi.DLL",
"kernel32.DLL",
"OLEAUT32.DLL",
"comctl32",
"ole32.dll",
"IMM32.dll",
"C:\\Windows\\system32\\shlwapi.dll",
"shell32.dll",
"uxtheme.dll",
"OLEAUT32.dll",
"COMCTL32",
"rpcrt4.DLL",
"C:\\Windows\\SysWOW64\\SAGE.DLL",
"comctl32.dll",
"C:\\Windows\\system32\\shell32.dll",
"SXS.DLL",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Windows\\SysWOW64\\TSAPPCMP.DLL",
"C:\\Windows\\SysWOW64\\msi.dll",
"shfolder.dll",
"C:\\Windows\\SysWOW64\\KERNEL32.DLL",
"ADVAPI32.dll",
"Ntdll.dll"
],
"file_opened": [
"C:\\Windows\\System32\\imageres.dll",
"C:\\Windows\\System32\\shell32.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\System32\\msimsg.dll",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\System32"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
"HKEY_CURRENT_USER\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{000C101D-0000-0000-C000-000000000046}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Interface\\{000C101C-0000-0000-C000-000000000046}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WbemScripting.SWbemLocator\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\Progid",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
"HKEY_CURRENT_USER\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocHandler32",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocHandler",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Interface\\{027947E1-D731-11CE-A357-000000000001}",
"HKEY_CURRENT_USER\\Software",
"HKEY_CURRENT_USER\\CLSID\\{000C103E-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\Progid",
"HKEY_CLASSES_ROOT\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion",
"HKEY_CURRENT_USER\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\Progid",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\WBEMScripting.SWBEMLocator",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocHandler32"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\RunTongJi.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_setup64.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"mutex": [
"Global\\_MSIExecute"
],
"file_failed": [
"C:\\Windows\\SysWOW64\\http:\\dl.kanshimei.cn\\m\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c964.jpg"
],
"guid": [
"{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
"{76a64158-cb41-11d1-8b02-00600806d9b6}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{000c101c-0000-0000-c000-000000000046}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{00020400-0000-0000-c000-000000000046}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\EditionID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{027947E1-D731-11CE-A357-000000000001}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101C-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\FileSystem\\Win31FileSystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{000C103E-0000-0000-C000-000000000046}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{000C101D-0000-0000-C000-000000000046}\\DllVersion\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{9556DC99-828C-11CF-A37E-00AA003240C7}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{000C101D-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WbemScripting.SWbemLocator\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{76A64158-CB41-11D1-8B02-00600806D9B6}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaverIsSecure",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CSDVersion"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\*"
]
},
"first_seen": 1576709585.828125,
"ppid": 2800
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameA",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1576709586.422125,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 1658
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1576709586.516125,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 1874
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1576709585.71875,
"tid": 2816,
"flags": {}
},
"pid": 2800,
"type": "call",
"cid": 264
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 3,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": "CODE",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "DATA",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "BSS",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 4,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00400000"
},
"time": 1576709585.67175,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2800,
"type": "call",
"cid": 71
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 40960,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00401000"
},
"time": 1576709585.67175,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2800,
"type": "call",
"cid": 73
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 20480,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x0040f000"
},
"time": 1576709585.67175,
"tid": 2816,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2800,
"type": "call",
"cid": 75
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2588,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00510000"
},
"time": 1576709585.922125,
"tid": 2500,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2588,
"type": "call",
"cid": 176
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 5,
"families": [],
"description": "Foreign language identified in PE resource",
"severity": 2,
"marks": [
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00011ccc",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000008a8"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00011ccc",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000008a8"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00011ccc",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000008a8"
},
{
"name": "RT_ICON",
"language": "LANG_CHINESE",
"offset": "0x00011ccc",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000008a8"
},
{
"name": "RT_GROUP_ICON",
"language": "LANG_CHINESE",
"offset": "0x0001303c",
"filetype": "MS Windows icon resource - 4 icons, 16x16, 16 colors",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x0000003e"
}
],
"references": [],
"name": "origin_langid"
},
{
"markcount": 4,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_shfoldr.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_RegDLL.tmp",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-ME751.tmp\\_isetup\\_iscrypt.dll",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 16,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeShutdownPrivilege"
},
"time": 1576709586.594125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2113
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateTokenPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2164
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeAssignPrimaryTokenPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2165
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeMachineAccountPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2169
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTcbPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2170
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeSecurityPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2171
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeTakeOwnershipPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2172
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeLoadDriverPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2173
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeBackupPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2180
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRestorePrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2181
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeShutdownPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2182
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2183
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeRemoteShutdownPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2187
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeEnableDelegationPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2190
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeManageVolumePrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2191
},
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeCreateGlobalPrivilege"
},
"time": 1576709586.625125,
"tid": 1424,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 2193
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 2,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x00000101",
"base_handle": "0x80000001",
"key_handle": "0x00000000",
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"options": 0
},
"time": 1576709586.406125,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 1511
},
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x00000101",
"base_handle": "0x80000002",
"key_handle": "0x00000000",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{953786D0-1287-4729-9826-DCFADF0860E3}_is1",
"options": 0
},
"time": 1576709586.406125,
"tid": 2500,
"flags": {}
},
"pid": 2588,
"type": "call",
"cid": 1512
}
],
"references": [],
"name": "queries_programs"
},
{
"markcount": 1,
"families": [],
"description": "Deletes executed files from disk",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\is-BAQI7.tmp\\898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "deletes_executed_files"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.195935964584351,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 6638,
"time": 12.195712089538574,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8482,
"time": 5.971086025238037,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8802,
"time": 4.1336259841918945,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9130,
"time": 6.1277220249176025,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9458,
"time": 4.635252952575684,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9786,
"time": 3.0262680053710938,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10114,
"time": 6.139966011047363,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 10442,
"time": 4.154942035675049,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29852,
"time": 4.155214071273804,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 38236,
"time": 6.241904973983765,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "270d29b1c85a2eedd943a82470adc7e5f60b6427df54a0485ae5c7eee563642b",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "3121c8195d0959efb56af181c575a6cde6dda8e804330f29376327f61cfc2e1d",
"irc": [],
"https_ex": []
}Screenshots
sjhitgnd_005.exe removal instructions
The instructions below shows how to remove sjhitgnd_005.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the sjhitgnd_005.exe file for removal, restart your computer and scan it again to verify that sjhitgnd_005.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate sjhitgnd_005.exe in the scan result and tick the checkbox next to the sjhitgnd_005.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate sjhitgnd_005.exe in the scan result.
c:\downloads\sjhitgnd_005.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the sjhitgnd_005.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If sjhitgnd_005.exe still remains in the scan result, proceed with the next step. If sjhitgnd_005.exe is gone from the scan result you're done.
- If sjhitgnd_005.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that sjhitgnd_005.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 04752a73f18c060bacfbd4af310fe9a7 |
| SHA256 | 898acc8207d02e55d70c101a3ff9bae44f28378f762e207b2b6a1478f7b205c9 |
Error Messages
These are some of the error messages that can appear related to sjhitgnd_005.exe:
sjhitgnd_005.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
sjhitgnd_005.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
EasyLook Setup has stopped working.
End Program - sjhitgnd_005.exe. This program is not responding.
sjhitgnd_005.exe is not a valid Win32 application.
sjhitgnd_005.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.