Driver_chek.exe is usually located in the 'c:\users\%USERNAME%\appdata\local\microsoft\' folder.
Driver_chek.exe is not signed. 32 of the 71 anti-virus engines at VirusTotal detected the file, a 45% detection rate. The verdicts below are a mix of generic and heuristic detections, riskware/PUA names (Kaspersky, Fortinet, Sophos) and names that identify the file as a packed AutoIt executable (ESET-NOD32, Alibaba).
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| AegisLab | Riskware.Win32.Agent.1!c |
| Alibaba | RiskWare:Win32/Autoit.932e4547 |
| Antiy-AVL | Trojan/Win32.Wacatac |
| APEX | Malicious |
| BitDefenderTheta | Gen:NN.ZexaF.34122.BEW@aWmbv1n |
| Bkav | HW32.Packed. |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.f48001 |
| Cylance | Unsafe |
| Cyren | W32/Trojan.ZJOA-8036 |
| eGambit | Unsafe.AI_Score_99% |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Packed.Autoit.AB suspicious |
| FireEye | Generic.mg.e9746d061feff3c6 |
| Fortinet | Riskware/Agent |
| Invincea | heuristic |
| K7AntiVirus | Trojan ( 005370421 ) |
| K7GW | Trojan ( 005370421 ) |
| Kaspersky | not-a-virus:RiskTool.Win32.Agent.bjal |
| MaxSecure | Trojan.Malware.1728101.susgen |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.vc |
| Microsoft | Trojan:Win32/Occamy.C |
| Paloalto | generic.ml |
| Qihoo-360 | Win32/Virus.RiskTool.846 |
| Rising | Trojan.Occamy!8.F1CD (CLOUD) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Generic PUA LE (PUA) |
| TrendMicro-HouseCall | TROJ_GEN.R03BH07E820 |
| Zillya | Trojan.VBKrypt.Win32.314664 |
| ZoneAlarm | not-a-virus:RiskTool.Win32.Agent.bjal |
The following information was gathered by executing the file inside Cuckoo Sandbox; the process executed successfully. Cuckoo launched the sample under its SHA-256 hash with a .bin extension, which is why that name appears throughout the report. The behaviour worth noting: the sample copies itself to AppData\Local\Microsoft (on a victim host the copy presumably keeps whatever name the sample was run under, which matches the location given at the top of this page), writes two Run values ("Microsoft Updates" under HKCU and "Windows Defender" under HKLM), writes the Winlogon Userinit and Shell values in the Wow6432Node view of the registry (the 32-bit redirected view; a check of the native 64-bit Winlogon key alone would miss these), creates a scheduled task named Windows_Defender that runs the copy every minute, changes the ShowSuperHidden Explorer setting, enumerates installed antivirus products through WMI (root\SecurityCenter2, Select * from AntiVirusProduct) and resolves the dynamic-DNS host akaka158560920.3utilities.com. The aut*.tmp files in Temp and the HKCU\Software\AutoIt v3\AutoIt key are consistent with the AutoIt detection names above.
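A Cuckoo summary of this size is easier to triage with a script than by eye. The one below is an added example, not FreeFixer's or Cuckoo's code: it reads a summary of the shape shown on this page and pulls out the indicators a responder would act on (Run values, Winlogon Userinit/Shell, a schtasks /create job and its switches, the SHA-256-named dropped copy, AutoIt temp files, the WMI antivirus query and any dynamic-DNS host). It runs here against a trimmed copy of this page's report, embedded as constructed sample data; the indicator categories and the dynamic-DNS suffix list are the example's own assumptions.

```python
"""Triage a Cuckoo Sandbox behaviour summary for autostart, recon and C2 indicators."""
import json
import re

# Constructed sample: a trimmed copy of the Cuckoo summary shown on this page.
# Registry keys, paths and hosts are the page's own; other sections are omitted.
SAMPLE_REPORT = r'''{
  "regkey_written": [
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing"
  ],
  "command_line": [
    "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
    "C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'"
  ],
  "file_written": [
    "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
    "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
  ],
  "resolves_host": ["wpad", "cuckpc", "akaka158560920.3utilities.com", "localhost"],
  "wmi_query": ["Select * from AntiVirusProduct"]
}'''

# Autostart locations, matched on the tail of the key so that both the native
# and the Wow6432Node (32-bit redirected) views are caught.
AUTOSTART_RULES = (
    (re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), "run_key"),
    (re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.I), "winlogon_hook"),
    (re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), "hide_files_setting"),
)
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b(?P<args>.*)", re.I)
# Value of a schtasks switch: single-quoted, double-quoted, or a bare token.
SWITCH_RE = {f: re.compile(r"/%s\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))" % f, re.I)
             for f in ("sc", "mo", "tn", "tr")}
HASH_NAMED_RE = re.compile(r"\\[0-9a-f]{64}\.bin$", re.I)   # Cuckoo names samples by SHA-256
AUTOIT_TMP_RE = re.compile(r"\\aut[0-9a-f]{4}\.tmp$", re.I)  # AutoIt runtime temp files
# Assumption: dynamic-DNS suffixes commonly abused for C2; extend from your own intel.
DYNDNS_SUFFIXES = tuple("." + s for s in (
    "3utilities.com", "ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
    "zapto.org", "sytes.net", "redirectme.net", "servehttp.com", "myftp.biz"))


def parse_schtasks(cmdline):
    """Return {sc, mo, tn, tr} for a 'schtasks /create' command line, else None."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    task = {}
    for flag, pattern in SWITCH_RE.items():
        hit = pattern.search(args)
        if hit:
            task[flag] = next(g for g in hit.groups() if g is not None)
    return task


def triage(summary):
    """Walk the summary sections and return a list of {category, evidence} findings."""
    findings = []
    for key in summary.get("regkey_written", []):
        for pattern, category in AUTOSTART_RULES:
            if pattern.search(key):
                findings.append({"category": category, "evidence": key})
    for cmd in summary.get("command_line", []):
        task = parse_schtasks(cmd)
        if task is not None:
            findings.append({"category": "scheduled_task", "evidence": cmd, "task": task})
    for path in summary.get("file_written", []):
        if HASH_NAMED_RE.search(path):
            findings.append({"category": "dropped_copy", "evidence": path})
        elif AUTOIT_TMP_RE.search(path):
            findings.append({"category": "autoit_temp", "evidence": path})
    # resolves_host and connects_host overlap; dict.fromkeys dedupes while keeping order.
    hosts = dict.fromkeys(summary.get("resolves_host", []) + summary.get("connects_host", []))
    for host in hosts:
        if host.lower().endswith(DYNDNS_SUFFIXES):
            findings.append({"category": "dyndns_c2", "evidence": host})
    for query in summary.get("wmi_query", []):
        if re.search(r"\bAntiVirusProduct\b", query, re.I):
            findings.append({"category": "av_enumeration", "evidence": query})
    return findings


def load_sample():
    """Parse the embedded sample exactly as a saved Cuckoo summary would be parsed."""
    return json.loads(SAMPLE_REPORT)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            summary = json.load(fh)
    else:
        summary = load_sample()
    for f in triage(summary):
        print(f"[{f['category']}] {f['evidence']}")
```

Run it with a path to a saved summary JSON, or with no arguments to process the embedded sample. parse_schtasks only understands the /sc, /mo, /tn and /tr switches that appear in this report, which is enough to recover the task name, the one-minute schedule and the path it launches; the autostart patterns deliberately ignore the hive prefix so that a 32-bit sample writing through Wow6432Node is flagged the same way as a native write.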
{
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"file_recreated": [
"\\??\\nul",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask"
],
"dll_loaded": [
"COMDLG32.dll",
"NTDLL",
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"DNSAPI.dll",
"SHELL32.dll",
"kernel32.dll",
"UxTheme.dll",
"GDI32.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\system32\\napinsp.dll",
"ntmarta.dll",
"URLMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"SspiCli.dll",
"WININET.dll",
"WSOCK32.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"PSAPI.DLL",
"comctl32",
"ole32.dll",
"USERENV.dll",
"USER32.dll",
"MPR.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"wininet.dll",
"XmlLite.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"DHCPCSVC.DLL",
"C:\\Windows\\System32\\winrnr.dll",
"CLBCatQ.DLL",
"COMCTL32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"SXS.DLL",
"WINMM.dll",
"KERNEL32.dll",
"ws2_32",
"VERSION.dll",
"ADVAPI32.dll",
"WS2_32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Windows\\System32\\netmsg.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"\\Device\\NamedPipe\\",
"C:\\Windows\\System32\\msxml3.dll",
"\\Device\\NamedPipe",
"C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'"
],
"connects_host": [
"akaka158560920.3utilities.com"
],
"regkey_opened": [
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\http\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
"HKEY_CURRENT_USER\\Adodb.Stream",
"HKEY_CURRENT_USER\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\msxml2.xmlhttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\TreatAs",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\winmgmts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ADODB.Stream\\CLSID",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\Feature_Enable_Compat_Logging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\*\\",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\UA Tokens",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\\",
"HKEY_CURRENT_USER\\Msxml2.DOMDocument",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\Progid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Network\\Location Awareness",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UrlMon Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler"
],
"resolves_host": [
"wpad",
"cuckpc",
"akaka158560920.3utilities.com",
"localhost"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
],
"connects_ip": [
"127.0.0.1"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
],
"mutex": [
"IESQMMUTEX_0_208",
"Local\\ZonesCacheCounterMutex",
"Local\\ZoneAttributeCacheCounterMutex",
"Local\\ZonesCounterMutex",
"Local\\ZonesLockedCacheCounterMutex"
],
"file_failed": [
"C:\\Windows\\System32\\msxml3.dll\\1",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
],
"wmi_query": [
"Select * from AntiVirusProduct"
],
"guid": [
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{00020400-0000-0000-c000-000000000046}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{0000011a-0000-0000-c000-000000000046}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{f6d90f16-9c73-11d3-b32e-00c04f990bb4}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}",
"{172bddf8-ceea-11d1-8b05-00600806d9b6}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{f6d90f11-9c73-11d3-b32e-00c04f990bb4}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{00000566-0000-0010-8000-00aa006d2ea4}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{275c23e1-3747-11d0-9fea-00aa003f8646}",
"{7c857801-7381-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldVersionLow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International\\AcceptLanguage",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ConnectTimeOut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ReceiveTimeOut",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\Flags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\hkCmds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldVersionHigh",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Platform",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableUTF8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\Flags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Compatible",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ReceiveTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SendTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK\\*",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\*",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldDllVersionLow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ADODB.Stream\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpUploadBufferSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SendTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\Flags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldDllVersionHigh",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpUploadBufferSize",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ConnectTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Compatible",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Version",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users",
"C:\\Python27\\schtasks.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Python27\\schtasks",
"C:\\Windows\\System32\\schtasks.exe",
"C:\\Users\\cuck",
"C:\\Python27\\Scripts\\schtasks",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\schtasks",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Python27\\Scripts\\schtasks.*",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Windows\\System32\\schtasks.COM",
"C:\\Windows\\System32\\schtasks.*",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\schtasks.*"
]
}
[
{
"yara": [],
"sha1": "b44d9a5f4800155716c56fa61e9648a91f593f79",
"name": "87eb78fe1b77059d_87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131",
"urls": [],
"crc32": "E1E8C687",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8359\/files\/87eb78fe1b77059d_87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"ssdeep": null,
"size": 2545664,
"sha512": "0c637ea9a970170aa46a345c98f0ed61640d6d68ab65e0cdc63c8f30c7d8bc82bde39872cb9c72d48c5a9c043a48e60b6e2620c7656d0297967f9c34c639bd33",
"pids": [
2952
],
"md5": "e9746d061feff3c6b22a17af3cb080f6"
},
{
"yara": [],
"sha1": "186ce252870a54740ff30298570f7121179cc3db",
"name": "38c308d2e186c130_dudyegc",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"type": "ASCII text, with very long lines, with no line terminators",
"sha256": "38c308d2e186c1308ee22c532dffe771a34f0a5bf925d21098667df936ad3772",
"urls": [],
"crc32": "D9EF8BAA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8359\/files\/38c308d2e186c130_dudyegc",
"ssdeep": null,
"size": 2504098,
"sha512": "fd11bc70d22c150349e0ae307638db9b90b7cee807727c114a1a29d8efcd4e16d90feff8a8720fb9defc51200ee24ae8d3aeeb4b93efd3fd2274725734c9e8d4",
"pids": [
2420
],
"md5": "abbb547501692c1a10a61025a056a2aa"
},
{
"yara": [],
"sha1": "926b82f70da7b67b42fc7dbc5e9a6226fafbca96",
"name": "31aed22179345275_aut5AC6.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"type": "data",
"sha256": "31aed2217934527523120af74e249bff6c76b938e6b87eb6b366b5c175474cfd",
"urls": [],
"crc32": "7EC06113",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8359\/files\/31aed22179345275_aut5AC6.tmp",
"ssdeep": null,
"size": 884938,
"sha512": "0c248d5ac7a33cc1e57696e35e7487992187029e48ac5fbd5bff9d75df24d024ca0ef32a5de5bfb6ab73fd30118785143ddeff37fdac1e06d1379e0b32a7bc42",
"pids": [
2420
],
"md5": "4f507156c05f0fb1363748492da2b6f1"
}
]
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"process_name": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"pid": 2952,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"file_recreated": [
"\\??\\nul"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
],
"dll_loaded": [
"SXS.DLL",
"DNSAPI.dll",
"ADVAPI32.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.dll",
"dwmapi.dll",
"comctl32",
"CLBCatQ.DLL"
],
"file_opened": [
"\\Device\\NamedPipe",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"\\Device\\NamedPipe\\",
"C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ADODB.Stream\\CLSID",
"HKEY_CURRENT_USER\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\Progid",
"HKEY_CURRENT_USER\\Adodb.Stream",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_CURRENT_USER\\msxml2.xmlhttp",
"HKEY_CURRENT_USER\\winmgmts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocHandler32",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0"
],
"resolves_host": [
"localhost"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
],
"wmi_query": [
"Select * from AntiVirusProduct"
],
"guid": [
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{00000566-0000-0010-8000-00aa006d2ea4}",
"{172bddf8-ceea-11d1-8b05-00600806d9b6}",
"{0000011a-0000-0000-c000-000000000046}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{f6d90f16-9c73-11d3-b32e-00c04f990bb4}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{00020400-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\ADODB.Stream\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00000566-0000-0010-8000-00AA006D2EA4}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\(Default)"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1594756434.233999,
"ppid": 2420
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"process_name": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"pid": 1996,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"dll_loaded": [
"COMDLG32.dll",
"KERNEL32.dll",
"UxTheme.dll",
"GDI32.dll",
"dwmapi.dll",
"ntdll.dll",
"WININET.dll",
"CLBCatQ.DLL",
"WINMM.dll",
"WSOCK32.dll",
"comctl32",
"PSAPI.DLL",
"COMCTL32.dll",
"USER32.dll",
"MPR.dll",
"IPHLPAPI.DLL",
"OLEAUT32.dll",
"SHELL32.dll",
"ole32.dll",
"USERENV.dll",
"VERSION.dll",
"NTDLL",
"kernel32.dll",
"ws2_32",
"SXS.DLL",
"ADVAPI32.dll"
],
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_CURRENT_USER\\Msxml2.DOMDocument"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_failed": [
"C:\\Windows\\System32\\msxml3.dll\\1"
],
"guid": [
"{f6d90f11-9c73-11d3-b32e-00c04f990bb4}",
"{00020400-0000-0000-c000-000000000046}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut1AAB.tmp"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ftedahi",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users"
]
},
"first_seen": 1594756435.749626,
"ppid": 2952
},
{
"process_path": "C:\\Windows\\SysWOW64\\schtasks.exe",
"process_name": "schtasks.exe",
"pid": 2636,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"guid": [
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"ADVAPI32.dll",
"VERSION.dll",
"kernel32.dll",
"XmlLite.dll",
"SspiCli.dll"
]
},
"first_seen": 1594756435.890249,
"ppid": 2792
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2792,
"summary": {
"dll_loaded": [
"kernel32.dll"
],
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Python27\\schtasks",
"C:\\Python27\\Scripts\\schtasks.*",
"C:\\Python27\\Scripts\\schtasks",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\schtasks.exe",
"C:\\Windows\\System32\\schtasks.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Python27\\schtasks.*",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\schtasks.*",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\schtasks",
"C:\\Windows\\System32\\schtasks.COM",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1594756435.718374,
"ppid": 2952
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"process_name": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"pid": 2420,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp"
],
"dll_loaded": [
"COMDLG32.dll",
"KERNEL32.dll",
"UxTheme.dll",
"GDI32.dll",
"dwmapi.dll",
"ntdll.dll",
"WININET.dll",
"CLBCatQ.DLL",
"WINMM.dll",
"WSOCK32.dll",
"comctl32",
"PSAPI.DLL",
"COMCTL32.dll",
"USER32.dll",
"MPR.dll",
"IPHLPAPI.DLL",
"OLEAUT32.dll",
"SHELL32.dll",
"ole32.dll",
"USERENV.dll",
"VERSION.dll",
"NTDLL",
"kernel32.dll",
"ws2_32",
"SXS.DLL",
"ADVAPI32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_CURRENT_USER\\Msxml2.DOMDocument"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
],
"file_failed": [
"C:\\Windows\\System32\\msxml3.dll\\1"
],
"guid": [
"{f6d90f11-9c73-11d3-b32e-00c04f990bb4}",
"{00020400-0000-0000-c000-000000000046}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\aut5AC6.tmp",
"C:\\Windows\\System32\\msxml3.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.DOMDocument\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dudyegc",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1594756386.578125,
"ppid": 2736
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"process_name": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"pid": 984,
"summary": {
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask"
],
"dll_loaded": [
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"DNSAPI.dll",
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"ntmarta.dll",
"URLMON.DLL",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"comctl32",
"ole32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"wininet.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"DHCPCSVC.DLL",
"C:\\Windows\\System32\\winrnr.dll",
"CLBCatQ.DLL",
"C:\\Windows\\system32\\NLAapi.dll",
"SXS.DLL",
"VERSION.dll",
"ADVAPI32.dll",
"WS2_32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\netmsg.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb",
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Windows\\SysWOW64\\stdole2.tlb"
],
"connects_host": [
"akaka158560920.3utilities.com"
],
"regkey_opened": [
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\http\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\msxml2.xmlhttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocServer32",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\winmgmts",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\409",
"HKEY_CURRENT_USER\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\Feature_Enable_Compat_Logging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Pre Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION",
"HKEY_CLASSES_ROOT\\PROTOCOLS\\Name-Space Handler\\*\\",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\9",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\UA Tokens",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0",
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\TreatAs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Network\\Location Awareness",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UrlMon Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_MIME_HANDLING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler"
],
"resolves_host": [
"wpad",
"cuckpc",
"akaka158560920.3utilities.com",
"localhost"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
],
"connects_ip": [
"127.0.0.1"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
],
"mutex": [
"IESQMMUTEX_0_208",
"Local\\ZonesCacheCounterMutex",
"Local\\ZoneAttributeCacheCounterMutex",
"Local\\ZonesCounterMutex",
"Local\\ZonesLockedCacheCounterMutex"
],
"file_failed": [
"C:\\Windows\\System32\\msxml3.dll\\1",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\winmgmts:\\localhost\\root\\SecurityCenter2"
],
"wmi_query": [
"Select * from AntiVirusProduct"
],
"guid": [
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{172bddf8-ceea-11d1-8b05-00600806d9b6}",
"{0000011a-0000-0000-c000-000000000046}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{f6d90f16-9c73-11d3-b32e-00c04f990bb4}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{3bc15af2-736c-477e-9e51-238af8667dcc}",
"{275c23e1-3747-11d0-9fea-00aa003f8646}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{00020400-0000-0000-c000-000000000046}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Windows\\System32\\msxml3.dll",
"C:\\Windows\\SysWOW64\\stdole2.tlb",
"C:\\Windows\\System32\\wbem\\wbemdisp.tlb"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldVersionLow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International\\AcceptLanguage",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MIME_HANDLING\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ConnectTimeOut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ReceiveTimeOut",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\Flags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\hkCmds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldVersionHigh",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\*",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Platform",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableUTF8",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\Flags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Compatible",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ReceiveTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SendTimeOut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_DISABLE_LEGACY_COMPRESSION\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK\\*",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\\InProcServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Platform",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\*",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldDllVersionLow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Msxml2.XMLHTTP\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_BROWSER_EMULATION\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\WINMGMTS\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPERSERVER\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_MAXCONNECTIONSPER1_0SERVER\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpUploadBufferSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SendTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\Flags",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IETld\\IETldDllVersionHigh",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{565783C6-CB41-11D1-8B02-00600806D9B6}\\1.2\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpUploadBufferSize",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ConnectTimeOut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Compatible",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Version"
],
"directory_enumerated": [
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Users\\cuck",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1594756482.593374,
"ppid": 1996
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1594756386.3125,
"ppid": 376
}
][
{
"markcount": 19,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756434.780999,
"tid": 2384,
"flags": {}
},
"pid": 2952,
"type": "call",
"cid": 478
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756434.827999,
"tid": 2384,
"flags": {}
},
"pid": 2952,
"type": "call",
"cid": 526
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756434.842999,
"tid": 2384,
"flags": {}
},
"pid": 2952,
"type": "call",
"cid": 530
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756436.140249,
"tid": 956,
"flags": {}
},
"pid": 2636,
"type": "call",
"cid": 39
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756483.062374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 468
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756483.078374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 516
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756483.078374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 520
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756491.156374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 2649
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756491.171374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 2689
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756491.171374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 2693
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756496.203374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 3492
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756496.218374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 3532
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756496.218374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 3536
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756501.249374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 4335
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756501.249374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 4375
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756501.249374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 4379
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756506.265374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 5177
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756506.281374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 5217
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1594756506.281374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 5221
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 6,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 7
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756387.343125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 779
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756434.327999,
"tid": 2384,
"flags": {}
},
"pid": 2952,
"type": "call",
"cid": 67
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756435.812626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 7
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756436.468626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 774
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1594756482.734374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 67
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 2,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": ".Tmp0",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".Tmp1",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 8,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 5435988,
"edi": 5438008,
"eax": 1447909480,
"ebp": 5438048,
"edx": 22104,
"ebx": 0,
"esi": 5438036,
"ecx": 10
},
"exception": {
"instruction_r": "ed 68 4f 95 ef 0f 8d 64 24 04 0f 86 fb 5c 00 00",
"instruction": "in eax, dx",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0xc0000096",
"offset": 5547358,
"address": "0x18ca55e"
}
},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 5435988,
"edi": 5438008,
"eax": 412321370,
"ebp": 5438048,
"edx": 5793,
"ebx": 0,
"esi": 5438036,
"ecx": 10
},
"exception": {
"instruction_r": "90 68 b9 72 fb fe c6 04 24 fc c7 04 24 b7 f6 69",
"instruction": "nop",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000004",
"offset": 3352667,
"address": "0x16b285b"
}
},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 3
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 5435988,
"edi": 5438008,
"eax": 329443,
"ebp": 5438048,
"edx": 126614527,
"ebx": 2048,
"esi": 5438036,
"ecx": 3738837515
},
"exception": {
"instruction_r": "90 60 c6 44 24 04 6e c7 44 24 1c b0 b6 69 84 89",
"instruction": "nop",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000004",
"offset": 5425301,
"address": "0x18ac895"
}
},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 4
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 5435984,
"edi": 3221244493,
"eax": 0,
"ebp": 5438048,
"edx": 126614527,
"ebx": 0,
"esi": 3221243463,
"ecx": 3738837515
},
"exception": {
"instruction_r": "cc 9d 56 e9 09 85 03 00 89 44 24 04 f6 d4 f7 d0",
"instruction": "int3",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000003",
"offset": 5323730,
"address": "0x1893bd2"
}
},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 20
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 6090852,
"edi": 6092872,
"eax": 1447909480,
"ebp": 6092912,
"edx": 22104,
"ebx": 0,
"esi": 6092900,
"ecx": 10
},
"exception": {
"instruction_r": "ed 68 4f 95 ef 0f 8d 64 24 04 0f 86 fb 5c 00 00",
"instruction": "in eax, dx",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0xc0000096",
"offset": 5547358,
"address": "0x18da55e"
}
},
"time": 1594756435.812626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 2
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 6090852,
"edi": 6092872,
"eax": 350695212,
"ebp": 6092912,
"edx": 5832,
"ebx": 0,
"esi": 6092900,
"ecx": 10
},
"exception": {
"instruction_r": "90 68 b9 72 fb fe c6 04 24 fc c7 04 24 b7 f6 69",
"instruction": "nop",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000004",
"offset": 3352667,
"address": "0x16c285b"
}
},
"time": 1594756435.812626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 3
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 6090852,
"edi": 6092872,
"eax": 329443,
"ebp": 6092912,
"edx": 126614527,
"ebx": 2048,
"esi": 6092900,
"ecx": 3738837515
},
"exception": {
"instruction_r": "90 60 c6 44 24 04 6e c7 44 24 1c b0 b6 69 84 89",
"instruction": "nop",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000004",
"offset": 5425301,
"address": "0x18bc895"
}
},
"time": 1594756435.812626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 4
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 6090848,
"edi": 3221244493,
"eax": 0,
"ebp": 6092912,
"edx": 126614527,
"ebx": 0,
"esi": 3221243463,
"ecx": 3738837515
},
"exception": {
"instruction_r": "cc 9d 56 e9 09 85 03 00 89 44 24 04 f6 d4 f7 d0",
"instruction": "int3",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0x80000003",
"offset": 5323730,
"address": "0x18a3bd2"
}
},
"time": 1594756435.812626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 20
}
],
"references": [],
"name": "raises_exception"
},
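The "one or more processes crashed" entries above deserve a closer read than the generic label suggests, because the registers give the game away. In the first exception of pid 2420, and again in pid 1996 (a second process running the same module), the faulting instruction is `in eax, dx` with EAX = 1447909480 (0x564D5868, the ASCII string "VMXh"), EDX = 22104 (0x5658, the VMware backdoor I/O port) and ECX = 10 (the backdoor's "get version" command). That is the classic VMware hypervisor probe: where no VMware backdoor answers, a port read from user mode raises STATUS_PRIVILEGED_INSTRUCTION (0xc0000096), which is exactly the exception Cuckoo recorded. The int3 (0x80000003) and single-step (0x80000004) exceptions that follow, with 9d (popfd) as the byte right after the int3, match the familiar breakpoint and trap-flag checks that behave differently when a debugger is attached, and they sit alongside the IsDebuggerPresent calls in the signature before this one. The Python below is an added example, not code from FreeFixer or from the Cuckoo project. It takes a Cuckoo `signatures` list and folds it into a triage summary: it names the NTSTATUS exception codes, flags the VMware magic in the registers, translates the `protection` and `allocation_type` values of the memory calls that follow (64 is PAGE_EXECUTE_READWRITE, 12288 is MEM_COMMIT|MEM_RESERVE) and names the failing status of the fixed-address allocations below (-1073741800 is 0xC0000018, STATUS_CONFLICTING_ADDRESSES). Its sample records are constructed from the values shown on this page; the signature name `allocates_rwx` is an assumption, since the dump is cut off before that field appears.

```python
"""Cuckoo signature-mark triage. Added example, not FreeFixer or Cuckoo code; it decodes
the NTSTATUS codes, VMware backdoor registers and RWX memory flags seen in this report."""
import json, sys

NTSTATUS = {                                     # well-known Windows status codes
    0x80000003: "STATUS_BREAKPOINT",             # int3
    0x80000004: "STATUS_SINGLE_STEP",            # trap flag (TF) set, e.g. via popfd
    0xC0000018: "STATUS_CONFLICTING_ADDRESSES",  # fixed-address alloc over a mapping
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION", # `in`/`out` executed from user mode
}
# VMware backdoor probe: `in eax, dx` with EAX = "VMXh" and DX = 0x5658 ("VX"). Inside VMware
# the hypervisor answers; elsewhere the ring-3 `in` faults with STATUS_PRIVILEGED_INSTRUCTION.
VMWARE_MAGIC = int.from_bytes(b"VMXh", "big")    # 0x564D5868 == 1447909480 (EAX above)
VMWARE_PORT = int.from_bytes(b"VX", "big")       # 0x5658 == 22104 (EDX above)
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}

def status_name(value):  # Cuckoo logs nt_status as a signed int32; name it as unsigned
    code = value & 0xFFFFFFFF
    return "STATUS_SUCCESS" if code == 0 else NTSTATUS.get(code, "0x%08X" % code)

def decode_exception(mark):
    """Name the exception code and check the registers for the VMware probe."""
    args = mark["call"]["arguments"]
    exc, regs = args["exception"], args.get("registers", {})
    out = {"instruction": exc["instruction"], "vmware_backdoor": False,
           "code": status_name(int(exc["exception_code"], 16))}
    if (exc["instruction"].startswith("in ") and regs.get("eax") == VMWARE_MAGIC
            and (regs.get("edx", 0) & 0xFFFF) == VMWARE_PORT):
        out["vmware_backdoor"] = True
        out["backdoor_cmd"] = regs.get("ecx")    # 10 is BDOOR_CMD_GETVERSION
    return out

def decode_memory_call(mark):
    """Translate protection, allocation_type and nt_status of a memory call."""
    call, args = mark["call"], mark["call"]["arguments"]
    prot = args["protection"]
    flags = [n for bit, n in MEM_FLAGS.items() if args.get("allocation_type", 0) & bit]
    return {"api": call["api"], "base": args["base_address"], "rwx": prot == 0x40,
            "protection": PAGE_PROTECT.get(prot, hex(prot)), "allocation": "|".join(flags) or None,
            "status": "STATUS_SUCCESS" if call["status"] else status_name(call.get("nt_status", 0))}

def triage(signatures):
    """Fold a Cuckoo 'signatures' list into the facts an analyst acts on."""
    s = {"marks": {}, "exceptions": [], "vmware_backdoor": False, "anti_debug_apis": set(),
         "packer_sections": [], "rwx_calls": 0, "rwx_failures": []}
    for sig in signatures:
        s["marks"][sig["name"]] = len(sig["marks"])
        for mark in sig["marks"]:
            if mark.get("type") != "call":                   # e.g. pe_features "ioc" marks
                if mark.get("category") == "section":
                    s["packer_sections"].append(mark["ioc"])
                continue
            api = mark["call"]["api"]
            if api == "__exception__":
                exc = decode_exception(mark)
                s["exceptions"].append(exc)
                s["vmware_backdoor"] = s["vmware_backdoor"] or exc["vmware_backdoor"]
            elif api in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
                mem = decode_memory_call(mark)
                if mem["rwx"] and mem["status"] == "STATUS_SUCCESS":
                    s["rwx_calls"] += 1
                elif mem["rwx"]:
                    s["rwx_failures"].append(mem["status"])   # e.g. STATUS_CONFLICTING_ADDRESSES
            elif api in ANTI_DEBUG_APIS:
                s["anti_debug_apis"].add(api)
    s["anti_debug_apis"] = sorted(s["anti_debug_apis"])
    return s

# Constructed sample with values copied from the marks on this page. The signature name
# "allocates_rwx" is an assumption: the dump above is cut off before it appears.
def _call(api, pid=2420, status=1, arguments=None, **extra):
    return {"type": "call", "pid": pid,
            "call": {"api": api, "status": status, "arguments": arguments or {}, **extra}}

def _exc(instr, code, **regs):
    return _call("__exception__", arguments={"registers": regs,
                 "exception": {"instruction": instr, "exception_code": code}})

SAMPLE_SIGNATURES = [
    {"name": "checks_debugger", "marks": [_call("IsDebuggerPresent", status=0, nt_status=0)]},
    {"name": "pe_features", "marks": [{"type": "ioc", "category": "section", "ioc": ".Tmp0"},
                                      {"type": "ioc", "category": "section", "ioc": ".Tmp1"}]},
    {"name": "raises_exception", "marks": [
        _exc("in eax, dx", "0xc0000096", eax=1447909480, edx=22104, ecx=10),
        _exc("int3", "0x80000003", eax=0, edx=126614527, ecx=3738837515)]},
    {"name": "allocates_rwx", "marks": [
        _call("NtAllocateVirtualMemory", arguments={"region_size": 4096, "protection": 64,
              "allocation_type": 12288, "base_address": "0x77d20000"}),
        _call("NtAllocateVirtualMemory", status=0, nt_status=-1073741800, arguments={
              "region_size": 4096, "protection": 64, "allocation_type": 12288,
              "base_address": "0x75e10000"})]},
]

if __name__ == "__main__":   # usage: python cuckoo_triage.py [report.json]
    sigs = json.load(open(sys.argv[1]))["signatures"] if len(sys.argv) > 1 else SAMPLE_SIGNATURES
    print(json.dumps(triage(sigs), indent=2))
```

Run it with no argument to see the summary for the constructed sample, or point it at a full Cuckoo `report.json` to get the same summary for a real run. The VMware check deliberately keys on the register values rather than on the crash itself: on a VMware host the same `in eax, dx` succeeds silently and never shows up under "raises_exception", so a report from such a sandbox would only reveal the probe through the process's later behaviour.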
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 96,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 581632,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x01381000"
},
"time": 1594756386.703125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2420,
"type": "call",
"cid": 28
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x77d20000"
},
"time": 1594756387.140125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 654
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 18,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e00000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 660
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e10000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 661
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e20000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 662
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e30000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 663
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e40000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 664
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e50000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 665
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e60000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 666
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e70000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 667
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e80000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 668
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75e90000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 669
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ea0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 670
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75eb0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 671
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ec0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 672
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ed0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 673
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ee0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 674
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ef0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 675
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f00000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 676
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f10000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 677
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f20000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 678
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f30000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 679
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f40000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 680
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f50000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 681
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f60000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 682
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f70000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 683
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f80000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 684
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75f90000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 685
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75fa0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 686
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75fb0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 687
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75fc0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 688
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75fd0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 689
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75fe0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 690
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x75ff0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 691
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76000000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 692
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76010000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 693
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76020000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 694
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76030000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 695
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76040000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 696
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76050000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 697
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76060000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 698
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76070000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 699
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76080000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 700
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x76090000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 701
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x760a0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 702
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x760b0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 703
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x760c0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 704
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x760d0000"
},
"time": 1594756387.156125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 705
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1996,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 581632,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x01391000"
},
"time": 1594756435.843626,
"tid": 2844,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1996,
"type": "call",
"cid": 28
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1996,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x77d20000"
},
"time": 1594756436.265626,
"tid": 2844,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1996,
"type": "call",
"cid": 649
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 2,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 1,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"snapshot_handle": "0x0000013c",
"process_identifier": 2952
},
"time": 1594756434.764999,
"tid": 2384,
"flags": {}
},
"pid": 2952,
"type": "call",
"cid": 437
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 0,
"family": 0
},
"time": 1594756483.546374,
"tid": 1608,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 1855
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.997294044476072,
"section": {
"size_of_data": "0x0026d000",
"virtual_address": "0x002e6000",
"entropy": 7.997294044476072,
"name": ".Tmp1",
"virtual_size": "0x0026ce64"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9995975855130784,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "Expresses interest in specific running processes",
"severity": 2,
"marks": [
{
"category": "process",
"ioc": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "process_interest"
},
{
"markcount": 2,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 1,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 2be965c652f497ebb0f777a6a707bbfc40f60275",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 2,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2952,
"region_size": 950272,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000140",
"allocation_type": 12288,
"base_address": "0x000a0000"
},
"time": 1594756430.234125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 17706
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 984,
"region_size": 950272,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000140",
"allocation_type": 12288,
"base_address": "0x000a0000"
},
"time": 1594756478.874626,
"tid": 2844,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1996,
"type": "call",
"cid": 17693
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 6,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Updates",
"reg_value": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
"reg_value": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"reg_value": "explorer.exe C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
},
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
"reg_value": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin"
},
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 3,
"marks": [
{
"category": "wmi",
"ioc": "Select * from AntiVirusProduct",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_wmi"
},
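The raw marks above are easier to read once the numeric fields are decoded: nt_status -1073741800 is 0xC0000018 (STATUS_CONFLICTING_ADDRESSES) and last_error 487 is ERROR_INVALID_ADDRESS, so the long run of failing NtAllocateVirtualMemory calls in pid 2420 is the sample walking the address space in 0x10000 steps with PAGE_EXECUTE_READWRITE (protection 64) and MEM_COMMIT|MEM_RESERVE (12288) until a free region appears at 0x760d0000. The later pairs are more serious: a 950272-byte RWX region at 0x000a0000 in another process (2420 into 2952, then 1996 into 984), followed by a WriteProcessMemory whose payload starts 00 00 00 08 | ff ff ff ff | 00 00 0a 00. Those first twelve bytes match the start of a 32-bit PEB (Mutant at +4 is -1, ImageBaseAddress at +8 is 0x000a0000), i.e. the injector is repointing the target's image base at the region it just allocated, the classic RunPE/process-hollowing sequence. The script below is an added triage example, not FreeFixer's or Cuckoo's code; its sample records are constructed from the PIDs, addresses, status codes and buffer bytes visible on this page (the cid of the second WriteProcessMemory is assumed because the report is cut off before it), and the PEB offsets are the documented 32-bit layout.

```python
import re
import struct

# Public Windows constants behind the numeric fields in the report.
STATUS_CONFLICTING_ADDRESSES = 0xC0000018  # nt_status -1073741800 / return_value 3221225496
PAGE_EXECUTE_READWRITE = 0x40              # protection 64
CURRENT_PROCESS = 0xFFFFFFFF               # process_handle "0xffffffff": GetCurrentProcess() pseudo-handle

def _alloc(pid, cid, target, handle, base, size=4096, ok=True):
    """One Cuckoo-shaped NtAllocateVirtualMemory mark (constructed sample data)."""
    call = {"api": "NtAllocateVirtualMemory", "status": 1 if ok else 0,
            "arguments": {"process_identifier": target, "process_handle": handle,
                          "protection": PAGE_EXECUTE_READWRITE, "region_size": size,
                          "base_address": "0x%08x" % base}}
    if not ok:
        call["nt_status"] = -1073741800  # Cuckoo logs NTSTATUS as a signed 32-bit int
    return {"call": call, "pid": pid, "cid": cid}

def _write(pid, cid, target, base, buf):
    """One Cuckoo-shaped WriteProcessMemory mark (constructed sample data)."""
    return {"call": {"api": "WriteProcessMemory", "status": 1,
                     "arguments": {"process_identifier": target, "process_handle": "0x00000140",
                                   "base_address": "0x%08x" % base, "buffer": buf}},
            "pid": pid, "cid": cid}

# First 16 bytes of the WriteProcessMemory buffer as shown on the page, one character per byte.
PEB_PREFIX = "\x00\x00\x00\x08\xff\xff\xff\xff\x00\x00\x0a\x00\x00\x00\x00\x00"

# Constructed slice of the report: tail of the RWX probe loop in pid 2420, then the two remote
# allocations and the two PEB writes. cid 17700 is assumed (the page cuts off before it).
SAMPLE_CALLS = [
    _alloc(2420, 702, 2420, "0xffffffff", 0x760a0000, ok=False),
    _alloc(2420, 703, 2420, "0xffffffff", 0x760b0000, ok=False),
    _alloc(2420, 704, 2420, "0xffffffff", 0x760c0000, ok=False),
    _alloc(2420, 705, 2420, "0xffffffff", 0x760d0000),
    _alloc(2420, 17706, 2952, "0x00000140", 0x000a0000, size=950272),
    _alloc(1996, 17693, 984, "0x00000140", 0x000a0000, size=950272),
    _write(2420, 17723, 2952, 0xfffde000, PEB_PREFIX),
    _write(1996, 17700, 984, 0xfffde000, PEB_PREFIX),
]

def rwx_address_probe(marks, step=0x10000):
    """Detect a same-process RWX allocation loop that walks the address space in fixed steps,
    collecting STATUS_CONFLICTING_ADDRESSES until it lands on a free region.
    Returns (failed_attempts, first_address, winning_address) or None."""
    failed, winner = [], None
    for m in sorted(marks, key=lambda m: m["cid"]):
        c, a = m["call"], m["call"]["arguments"]
        if (c["api"] != "NtAllocateVirtualMemory" or int(a["process_handle"], 16) != CURRENT_PROCESS
                or a["protection"] != PAGE_EXECUTE_READWRITE):
            continue
        addr = int(a["base_address"], 16)
        contiguous = not failed or addr == failed[-1] + step
        if c["status"] == 0 and (c.get("nt_status", 0) & 0xFFFFFFFF) == STATUS_CONFLICTING_ADDRESSES:
            failed = failed + [addr] if contiguous else [addr]
        elif c["status"] == 1 and failed and contiguous:
            winner = addr
            break
    return (len(failed), failed[0], winner) if winner and len(failed) >= 3 else None

def peb_image_base(buffer_str):
    """Cuckoo renders raw buffers with one character per byte. If the first 12 bytes look like
    the start of a 32-bit PEB (Mutant == 0xFFFFFFFF at +4), return ImageBaseAddress (+8)."""
    raw = buffer_str.encode("latin-1")
    if len(raw) < 12:
        return None
    mutant, image_base = struct.unpack_from("<II", raw, 4)
    return image_base if mutant == 0xFFFFFFFF else None

def hollowing_candidates(marks):
    """Pair each remote RWX allocation with a later WriteProcessMemory into the same target whose
    payload is a PEB header pointing ImageBaseAddress at that allocation (RunPE pattern)."""
    remote, hits = {}, []
    for m in sorted(marks, key=lambda m: m["cid"]):
        c, a = m["call"], m["call"]["arguments"]
        key = (m["pid"], a["process_identifier"])
        if (c["api"] == "NtAllocateVirtualMemory" and c["status"] == 1
                and int(a["process_handle"], 16) != CURRENT_PROCESS
                and a["protection"] == PAGE_EXECUTE_READWRITE):
            remote[key] = (int(a["base_address"], 16), a["region_size"])
        elif c["api"] == "WriteProcessMemory" and key in remote:
            base, size = remote[key]
            if peb_image_base(a["buffer"]) == base:
                hits.append({"injector": m["pid"], "target": a["process_identifier"],
                             "image_base": base, "size": size,
                             "peb_address": int(a["base_address"], 16)})
    return hits

def parse_schtasks(cmdline):
    """Extract the scheduling switches from a 'schtasks /create' command line, or None."""
    if not re.search(r"schtasks(\.exe)?\s.*?/create", cmdline, re.I):
        return None
    pairs = re.findall(r"/(sc|mo|tn|tr)\s+('[^']*'|\"[^\"]*\"|\S+)", cmdline, re.I)
    return {k.lower(): v.strip("'\"") for k, v in pairs}

AUTORUN_RULES = (
    (r"\\currentversion\\run\\", "Run key"),
    (r"\\winlogon\\shell$", "Winlogon Shell (replaces the user shell)"),
    (r"\\winlogon\\userinit$", "Winlogon Userinit (runs at every logon)"),
)

def classify_autorun(reg_key):
    """Name the persistence mechanism behind a registry value path from persistence_autorun."""
    for pattern, label in AUTORUN_RULES:
        if re.search(pattern, reg_key, re.I):
            return label
    return "unrecognised"

if __name__ == "__main__":
    print("RWX probe (failed, first, winner):", rwx_address_probe(SAMPLE_CALLS))
    for h in hollowing_candidates(SAMPLE_CALLS):
        print("hollowing: pid %(injector)d -> pid %(target)d, image 0x%(image_base)08x (%(size)d bytes)" % h)
    print(parse_schtasks(r"cmd.exe /c schtasks /create /sc minute /mo 1 /tn Windows_Defender /tr 'C:\x.bin'"))
```

Run against the full report rather than the constructed slice, the same two functions should fire on the allocates_rwx and code-injection marks, while parse_schtasks shows why the schtasks line matters: /sc minute /mo 1 re-launches the dropped .bin every minute, which keeps the payload alive even if the Run and Winlogon entries are cleaned by hand.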
{
"markcount": 2,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2952,
"buffer": "\u0000\u0000\u0000\b\u00ff\u00ff\u00ff\u00ff\u0000\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fb\u00ff(\u0002\u00fc\u00ffP\u0006\u00fd\u00ff\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u009b\u0007m\u00e8\u00ff\u00ff\u0000\u0000\u0010\u0000\u0000 \u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000j\u0003\u0000\u0000H\u00e2\u00fd\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00b1\u001d\u0000\u0001\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000",
"process_handle": "0x00000140",
"base_address": "0xfffde000"
},
"time": 1594756431.156125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17723
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0000\u0000\u0000\b\u00ff\u00ff\u00ff\u00ff\u0000\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fb\u00ff(\u0002\u00fc\u00ffP\u0006\u00fd\u00ff\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u009b\u0007m\u00e8\u00ff\u00ff\u0000\u0000\u0010\u0000\u0000 \u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000j\u0003\u0000\u0000H\u00e2\u00fd\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00b1\u001d\u0000\u0001\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000",
"process_handle": "0x00000140",
"base_address": "0xfffde000"
},
"time": 1594756479.515626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17710
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 5,
"families": [],
"description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000450",
"value": 1,
"regkey_r": "WpadDecisionReason",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
},
"time": 1594756486.109374,
"tid": 1608,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 984,
"type": "call",
"cid": 1868
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000450",
"value": "\u00d0(\u00de\u00f9.Z\u00d6\u0001",
"regkey_r": "WpadDecisionTime",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
},
"time": 1594756486.109374,
"tid": 1608,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 984,
"type": "call",
"cid": 1869
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000450",
"value": 3,
"regkey_r": "WpadDecision",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
},
"time": 1594756486.109374,
"tid": 1608,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 984,
"type": "call",
"cid": 1870
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x00000450",
"value": "Unidentified network",
"regkey_r": "WpadNetworkName",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
},
"time": 1594756486.109374,
"tid": 1608,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 984,
"type": "call",
"cid": 1871
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x0000044c",
"value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"regkey_r": "WpadLastNetwork",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
},
"time": 1594756486.140374,
"tid": 1608,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 984,
"type": "call",
"cid": 1938
}
],
"references": [],
"name": "modifies_proxy_wpad"
},
{
"markcount": 4,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2420 called NtSetContextThread to modify thread in remote process 2952",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"registers": {
"eip": 2008678852,
"esp": 6355640,
"edi": 0,
"eax": 819210,
"ebp": 0,
"edx": 0,
"ebx": -139264,
"esi": 0,
"ecx": 0
},
"process_identifier": 2952
},
"time": 1594756431.156125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17727
},
{
"category": "Process injection",
"ioc": "Process 1996 called NtSetContextThread to modify thread in remote process 984",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"registers": {
"eip": 2008678852,
"esp": 8321496,
"edi": 0,
"eax": 819210,
"ebp": 0,
"edx": 0,
"ebx": -139264,
"esi": 0,
"ecx": 0
},
"process_identifier": 984
},
"time": 1594756479.515626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17714
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 4,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2420 resumed a thread in remote process 2952",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"suspend_count": 1,
"process_identifier": 2952
},
"time": 1594756434.093125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17731
},
{
"category": "Process injection",
"ioc": "Process 1996 resumed a thread in remote process 984",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1594756482.468626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17718
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 1,
"families": [],
"description": "Attempts to modify Explorer settings to prevent hidden files from being displayed",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "stealth_hiddenfile"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the in instruction feature",
"severity": 3,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 5435988,
"edi": 5438008,
"eax": 1447909480,
"ebp": 5438048,
"edx": 22104,
"ebx": 0,
"esi": 5438036,
"ecx": 10
},
"exception": {
"instruction_r": "ed 68 4f 95 ef 0f 8d 64 24 04 0f 86 fb 5c 00 00",
"instruction": "in eax, dx",
"module": "87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"exception_code": "0xc0000096",
"offset": 5547358,
"address": "0x18ca55e"
}
},
"time": 1594756386.671125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2
}
],
"references": [],
"name": "antivm_vmware_in_instruction"
},
{
"markcount": 18,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2384,
"thread_handle": "0x00000144",
"process_identifier": 2952,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000140",
"inherit_handles": 0
},
"time": 1594756430.234125,
"tid": 2460,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2420,
"type": "call",
"cid": 17698
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144"
},
"time": 1594756430.234125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17702
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2952,
"region_size": 950272,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000140",
"allocation_type": 12288,
"base_address": "0x000a0000"
},
"time": 1594756430.234125,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2420,
"type": "call",
"cid": 17706
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "2be965c652f497ebb0f777a6a707bbfc40f60275",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2952,
"buffer": "",
"process_handle": "0x00000140",
"base_address": "0x000a0000"
},
"time": 1594756430.531125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17715
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2952,
"buffer": "\u0000\u0000\u0000\b\u00ff\u00ff\u00ff\u00ff\u0000\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fb\u00ff(\u0002\u00fc\u00ffP\u0006\u00fd\u00ff\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u009b\u0007m\u00e8\u00ff\u00ff\u0000\u0000\u0010\u0000\u0000 \u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000j\u0003\u0000\u0000H\u00e2\u00fd\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00b1\u001d\u0000\u0001\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000",
"process_handle": "0x00000140",
"base_address": "0xfffde000"
},
"time": 1594756431.156125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17723
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"registers": {
"eip": 2008678852,
"esp": 6355640,
"edi": 0,
"eax": 819210,
"ebp": 0,
"edx": 0,
"ebx": -139264,
"esi": 0,
"ecx": 0
},
"process_identifier": 2952
},
"time": 1594756431.156125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17727
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"suspend_count": 1,
"process_identifier": 2952
},
"time": 1594756434.093125,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17731
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1496,
"thread_handle": "0x00000250",
"process_identifier": 2792,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "",
"track": 1,
"command_line": "C:\\Windows\\system32\\cmd.exe \/c schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 0,
"process_handle": "0x00000240",
"inherit_handles": 1
},
"time": 1594756435.608999,
"tid": 2384,
"flags": {
"creation_flags": ""
}
},
"pid": 2952,
"type": "call",
"cid": 2277
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2844,
"thread_handle": "0x00000270",
"process_identifier": 1996,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "",
"track": 1,
"command_line": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 0,
"process_handle": "0x000001f8",
"inherit_handles": 0
},
"time": 1594756435.655999,
"tid": 2384,
"flags": {
"creation_flags": ""
}
},
"pid": 2952,
"type": "call",
"cid": 2295
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 956,
"thread_handle": "0x00000080",
"process_identifier": 2636,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "C:\\Windows\\System32\\schtasks.exe",
"track": 1,
"command_line": "schtasks \/create \/sc minute \/mo 1 \/tn Windows_Defender \/tr 'C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin'",
"filepath_r": "C:\\Windows\\system32\\schtasks.exe",
"stack_pivoted": 0,
"creation_flags": 524288,
"process_handle": "0x00000084",
"inherit_handles": 1
},
"time": 1594756435.796374,
"tid": 1496,
"flags": {
"creation_flags": "EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 2792,
"type": "call",
"cid": 78
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 3012,
"thread_handle": "0x00000144",
"process_identifier": 984,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131.bin",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000140",
"inherit_handles": 0
},
"time": 1594756478.874626,
"tid": 2844,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 1996,
"type": "call",
"cid": 17685
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144"
},
"time": 1594756478.874626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17689
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 984,
"region_size": 950272,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000140",
"allocation_type": 12288,
"base_address": "0x000a0000"
},
"time": 1594756478.874626,
"tid": 2844,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1996,
"type": "call",
"cid": 17693
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "2be965c652f497ebb0f777a6a707bbfc40f60275",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "",
"process_handle": "0x00000140",
"base_address": "0x000a0000"
},
"time": 1594756479.171626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17702
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 984,
"buffer": "\u0000\u0000\u0000\b\u00ff\u00ff\u00ff\u00ff\u0000\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fb\u00ff(\u0002\u00fc\u00ffP\u0006\u00fd\u00ff\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u009b\u0007m\u00e8\u00ff\u00ff\u0000\u0000\u0010\u0000\u0000 \u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000j\u0003\u0000\u0000H\u00e2\u00fd\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u00b1\u001d\u0000\u0001\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000",
"process_handle": "0x00000140",
"base_address": "0xfffde000"
},
"time": 1594756479.515626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17710
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"registers": {
"eip": 2008678852,
"esp": 8321496,
"edi": 0,
"eax": 819210,
"ebp": 0,
"edx": 0,
"ebx": -139264,
"esi": 0,
"ecx": 0
},
"process_identifier": 984
},
"time": 1594756479.515626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17714
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000144",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1594756482.468626,
"tid": 2844,
"flags": {}
},
"pid": 1996,
"type": "call",
"cid": 17718
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000003b0",
"suspend_count": 1,
"process_identifier": 984
},
"time": 1594756483.484374,
"tid": 3012,
"flags": {}
},
"pid": 984,
"type": "call",
"cid": 1634
}
],
"references": [],
"name": "injection_runpe"
}
]
The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.196259021759033,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5990,
"time": 12.206992149353027,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7834,
"time": 6.205005168914795,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8162,
"time": 4.15029501914978,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8490,
"time": 6.209222078323364,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8818,
"time": 4.649128198623657,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9146,
"time": 3.0160582065582275,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9474,
"time": 102.12750601768494,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9794,
"time": 4.693591117858887,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29204,
"time": 4.1718430519104,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37588,
"time": 6.260743141174316,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "a36bfb7e7f8caab2c9d0a624ccd57049c63bd8782c753a186bcde346c8f2aef7",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "4c71d0d897179aee2d2ac056245fd6457e88f9643287bba6fa46df1870d97a3c",
"irc": [],
"https_ex": []
}
The instructions below show how to remove Driver_chek.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the Driver_chek.exe file for removal, restart your computer and scan it again to verify that Driver_chek.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | e9746d061feff3c6b22a17af3cb080f6 |
| SHA256 | 87eb78fe1b77059decd4b7dd939514ca5b5ce3e8b5ed2befae7f76eaf5f75131 |
These are some of the error messages that can appear related to driver_chek.exe:
driver_chek.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
driver_chek.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
driver_chek.exe has stopped working.
End Program - driver_chek.exe. This program is not responding.
driver_chek.exe is not a valid Win32 application.
driver_chek.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.